On 2016-01-18T09:05:58, Adam Kupczyk <akupczyk@xxxxxxxxxxxx> wrote:

Hi Adam,

> Plugging this into calculations I was using previously, gives us:
> 1) Dmcrypt:
> 1*0.36+2.5*0.64*3 = 5.16 bytes of crypto operations per byte of io data.
> 2) potential inside OSD encryption
> 1*0.36+1*0.64 = 1 byte of crypto operations per byte of io data.
>
> This further deepens my concern that crypto transformations may be a
> limit for performance.

I see your concern, but my primary concern is not about performance, rather security. By not encrypting the entire OSD device, one becomes susceptible to metadata analysis (on the file store), data exposure, etc. (Plus, obviously, that the system devices need to be encrypted to avoid data leaks via logs, swap, coredumps etc.)

It doesn't help my use case that your implementation is theoretically faster if it doesn't fit the threat scenario. I'd obviously be delighted to see this all sped up (and consume less power), but as long as the system is fast enough to encrypt at near-device speeds, this seems preferable.

I'm not opposed to your implementation - I just couldn't sell it to my customers for data-at-rest encryption.

Regards,
    Lars

--
Architect Storage/HA
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
"Experience is the name everyone gives to their mistakes." -- Oscar Wilde