View Single Post
Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2022-08-21, 13:47

I discovered last night that my ancient CPU doesn't have hardware acceleration support for encryption, and this makes writing to encrypted datasets terribly slow.

Reading from an external drive and writing to the NAS with encryption? 30-45 MB/sec.
Reading from an external drive and writing to the NAS without encryption? 145-175 MB/sec.



Forget that! I just wiped everything to forego the encryption, and I started over. Previously I was looking at at least a couple of days to migrate everything into the NAS. On top of that, 3 of the 4 CPU cores were pegged at 100% to do the encryption in software, the temperature was hitting 70C, and the old fans were humming their hardest to keep up. I guess I deserve this for using 12-year-old hardware. After the wipe, I restarted my media files transfers just before going to bed, which previously projected over a day to complete… and it finished before I woke up.

I'm not terribly worried about keeping all my NAS data encrypted at rest, but my default M.O. is to encrypt all the things all the time. If we have a break-in, it's pretty unlikely that a thief would go for this over just about anything else expensive-looking in my house. ZFS defines "datasets" in a pool kind of like partitions in a disk, and you can define totally different settings (encryption, compression, deduplication, quotas, checksums, ACLs, etc) on each dataset or you can have some settings inherit from a parent dataset. It makes carving things up like this pretty flexible. So, now I'm thinking about segmenting my data differently. The big media files for Jellyfin? Definitely no encryption. Personal working documents (source code, Adobe projects, Minecraft backups, etc)? Probably no encryption. Private family documents, financial docs, and other keys? Absolutely getting encrypted.

Do the Synologys you guys have perform hardware-accelerated encryption on your data? I would imagine any CPU made in the last few years — even the cheap ones in these appliances — probably has the `aes` flag present. Would you take a look to confirm? `grep aes /proc/cpuinfo` should do it.

The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting.
  quote