some ZFS questions

CyberLeo Kitsana cyberleo at cyberleo.net
Mon Aug 25 10:16:04 UTC 2014


On 08/24/2014 05:27 AM, Scott Bennett wrote:
> kpneal at pobox.com wrote:
>> What's the harm in encrypting all the data?
> 
> High CPU overhead for both reading and writing is the main downside.

AES-NI is fully supported for recent Intel CPUs, and can achieve some
pretty impressive throughputs.

>>
>> In fact, encrypting all data is more secure. If you only encrypt the data
> 
> Sure, but why do it if the data don't need to be secret?

Because it takes 6-8 hours to erase a 3TB hard disk; and, if the disk
fails, you can't always erase it before sending it back for RMA replacement.

One of the things with which I've been experimenting lately is standing
encryption on my data storage pools. The intent here is not to protect
the data against an attacker; rather, to ease maintenance burden.
However, the details I have gathered are useful nevertheless.

I'm currently running a 30TB† 10-disk zpool on a machine with a Haswell
CPU and, with AES-NI, the encryption operation is faster than the
throughput of all disks combined; there is no perceptible performance
impact. When a disk failed recently, it was so much easier to simply
destroy the key material rather than having to worry about somehow
securely erasing a device that was not always responsive before shipping
it back for replacement.

I have a lot of failed hard drives.

†Okay, only about 20TB after rounding errors, redundancy, and spare
capacity; but 30TB 'raw'.

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
<CyberLeo at CyberLeo.Net>

Furry Peace! - http://www.fur.com/peace/
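
The key-destruction approach described in the message above, as an added sketch that is not part of the original post. It assumes a layout where a random master key is stored only as a passphrase-wrapped copy in a small metadata area; the function names are hypothetical, and a SHA-256 counter-mode keystream stands in for the AES a real disk encryption layer would use.

```python
import hashlib, hmac, os

def xor_stream(key, nonce, data):
    # Stand-in cipher (SHA-256 counter-mode keystream); real disk encryption uses AES.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def _kek(passphrase, salt):
    # Key-encryption key derived from the passphrase.
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 50_000)

def _tag(master):
    # Lets read_volume() tell a correct master key from garbage.
    return hmac.new(master, b"key-check", "sha256").digest()

def init_volume(passphrase, sectors):
    # A random master key encrypts the data; only a wrapped copy goes into metadata.
    master, salt = os.urandom(32), os.urandom(16)
    meta = {"salt": salt,
            "wrapped": xor_stream(_kek(passphrase, salt), b"wrap", master),
            "check": _tag(master)}
    data = [xor_stream(master, i.to_bytes(8, "big"), s) for i, s in enumerate(sectors)]
    return {"meta": meta, "data": data}

def read_volume(vol, passphrase):
    # Unwrap the master key and decrypt; None if the key cannot be recovered.
    meta = vol["meta"]
    master = xor_stream(_kek(passphrase, meta["salt"]), b"wrap", meta["wrapped"])
    if not hmac.compare_digest(_tag(master), meta["check"]):
        return None
    return [xor_stream(master, i.to_bytes(8, "big"), c) for i, c in enumerate(vol["data"])]

def crypto_erase(vol):
    # Overwrite only the key metadata (a few dozen bytes); data sectors are untouched.
    vol["meta"] = {name: os.urandom(len(value)) for name, value in vol["meta"].items()}

if __name__ == "__main__":
    secret = b"constructed sample passphrase"
    vol = init_volume(secret, [b"constructed sector 0", b"constructed sector 1"])
    print("before erase:", read_volume(vol, secret))
    crypto_erase(vol)
    print("after erase: ", read_volume(vol, secret))
```
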


More information about the freebsd-questions mailing list