some ZFS questions

Scott Bennett bennett at sdf.org
Tue Aug 26 07:39:12 UTC 2014


CyberLeo Kitsana <cyberleo at cyberleo.net> wrote:
> On 08/24/2014 05:27 AM, Scott Bennett wrote:
> > kpneal at pobox.com wrote:
> >> What's the harm in encrypting all the data?
> > 
> > High CPU overhead for both reading and writing is the main downside.
>
> AES-NI is fully supported for recent Intel CPUs, and can achieve some
> pretty impressive throughputs.
>
     I'm sure it's nice to have that kind of hardware.  I'm stuck with
a Q6600 for now.  There is also a box collecting dust at the moment that
has a QX9770 overclocked to 3.8 GHz, but I don't dare plug it in without
a heavy-duty surge protector at minimum and preferably also an adequately
large UPS.  Neither chip has AES-NI support.
> >>
> >> In fact, encrypting all data is more secure. If you only encrypt the data
> > 
> > Sure, but why do it if the data don't need to be secret?
>
> Because it takes 6-8 hours to erase a 3TB hard disk; and, if the disk
> fails, you can't always erase it before sending it back for RMA replacement.

     You must have missed some of the thread to date.  The encrypted data,
as you point out, do not need to be wiped from a dead drive.  However, the
unencrypted data also do not need to be wiped from a dead drive because I
really don't give a dam about someone recovering them.
>
> One of the things with which I've been experimenting lately is standing
> encryption on my data storage pools. The intent here is not to protect
> the data against an attacker; rather, to ease maintenance burden.
> However, the details I have gathered are useful nevertheless.
>
> I'm currently running a 30TB[1] 10-disk zpool on a machine with a Haswell
> CPU and, with AES-NI, the encryption operation is faster than the
> throughput of all disks combined; there is no perceptible performance
> impact. When a disk failed recently, it was so much easier to simply
> destroy the key material rather than having to worry about somehow
> securely erasing a device that was not always responsive before shipping
> it back for replacement.
>
> I have a lot of failed hard drives.

     I sympathize.  Out of seven new Seagate drives received last year,
two were unusable out of the box, and two others failed at around one year
since purchased.  The two that were DOA were 3 TB.  The other two were
both 2 TB drives.  The three survivors are two 2 TB drives and a 1 TB drive
and *appear*, so far, to be working fine.  There was also a nearly three-
year-old, 500 GB Seagate that failed this year.  So that comes to five out
of eight Seagates died this year.  There was also a 60 GB Hitachi drive
that failed last year at the age of nearly nine years.
>
> [1] Okay, only about 20TB after rounding errors, redundancy, and spare
> capacity; but 30TB 'raw'.
>


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:   bennett at sdf.org   *xor*   bennett at freeshell.org  *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************

