I discovered last night that my ancient CPU doesn't have hardware acceleration support for encryption, and this makes writing to encrypted datasets terribly slow.
Reading from an external drive and writing to the NAS with encryption? 30-45 MB/sec.
Reading from an external drive and writing to the NAS without encryption? 145-175 MB/sec.
Forget that! I just wiped everything to forego the encryption, and I started over. Previously I was looking at at least a couple of days to migrate everything into the NAS. On top of that, 3 of the 4 CPU cores were pegged at 100% to do the encryption in software, the temperature was hitting 70C, and the old fans were humming their hardest to keep up. I guess I deserve this for using 12-year-old hardware.
After the wipe, I restarted my media file transfers just before going to bed, which previously projected over a day to complete… and it finished before I woke up.
I'm not terribly worried about keeping all my NAS data encrypted at rest, but my default M.O. is to encrypt all the things all the time. If we have a break-in, it's pretty unlikely that a thief would go for this over just about anything else expensive-looking in my house.
ZFS defines "datasets" in a pool kind of like partitions in a disk, and you can define totally different settings (encryption, compression, deduplication, quotas, checksums, ACLs, etc.) on each dataset or you can have some settings inherit from a parent dataset. It makes carving things up like this pretty flexible. So, now I'm thinking about segmenting my data differently. The big media files for Jellyfin? Definitely no encryption. Personal working documents (source code, Adobe projects, Minecraft backups, etc.)? Probably no encryption. Private family documents, financial docs, and other keys? Absolutely getting encrypted.
Do the Synologys you guys have perform hardware-accelerated encryption on your data? I would imagine any CPU made in the last few years — even the cheap ones in these appliances — probably has the `aes` flag present. Would you take a look to confirm? `grep aes /proc/cpuinfo` should do it.
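
The flag check and the per-dataset split described in the post, as an added example that is not part of the original post. The pool name `tank` and the dataset names `media`, `work` and `private` are assumptions; the function only prints the `zfs create` commands and does not run them.

```shell
#!/bin/sh
# Added example, not the poster's own script.
# Assumptions: pool "tank"; dataset names media, work, private.

# cpu_has_aes FILE
# Succeeds if a cpuinfo-format file lists "aes" as a whole word on a
# "flags" line (x86) or a "Features" line (ARM, as found in many NAS
# appliances). Other lines, such as "model name", are ignored.
cpu_has_aes() {
    awk -F: '
        /^(flags|Features)[ \t]*:/ {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++)
                if (f[i] == "aes") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# plan_datasets POOL
# Prints the commands for the layout in the post: bulk media and working
# files unencrypted, private documents encrypted. Each dataset carries
# its own encryption property, so only writes to POOL/private pay the
# AES cost.
plan_datasets() {
    pool=$1
    echo "zfs create -o encryption=off ${pool}/media"
    echo "zfs create -o encryption=off ${pool}/work"
    echo "zfs create -o encryption=aes-256-gcm -o keyformat=passphrase ${pool}/private"
}

# Report on this machine, then show the plan (dry run only).
if [ -r /proc/cpuinfo ]; then
    if cpu_has_aes /proc/cpuinfo; then
        echo "AES instructions: present"
    else
        echo "AES instructions: absent (encryption will run in software)"
    fi
fi
plan_datasets tank
```

After creating the datasets, `zfs get encryption tank/media tank/private` shows which ones are actually encrypted.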