Conclusion

Is Data Encryption Worth Destroying Your NAS' Performance?
The NAS servers used in this test are all designed for commercial or semi-professional environments, which to some extent is reflected in their lofty prices. The Thecus N4200 is about $670, while the Synology DS1010+ and Qnap TS-459 Pro cost a bit more.

That's quite a hefty sum to pay for a diskless enclosure that you still need to populate with storage. In many cases, that raises expectations, and you naturally assume data stored on the NAS server really is safe. Similarly, you also expect that, even if a hard drive in the server's array fails, you'll still be able to rebuild the configuration and keep that data available. All three NAS servers offer a variety of RAID modes and backup capabilities that really can prevent data loss when they're applied sensibly.

Data Loss Due To Theft

Data can, however, be lost in ways other than a drive dying. How about if a disk from a RAID 1 array gets stolen? What about the entire NAS unit (these things aren't exactly heavy)? That's not a far-fetched scenario, especially if your networked storage is installed in a high-traffic environment like a retail store or doctor’s office. It's nice that all of the NAS servers in this test can be chained down using a Kensington lock. But lightweight physical security might not be much of a challenge to a prepared thief.

Thecus and Qnap also equip their products (the N4200 and TS-459 Pro) with lockable drive trays. This means that even the bravest jerk with a well-placed screwdriver should be unable to get away with a hard drive without damaging its housing. The hard drives in Synology's DS1010+, on the other hand, could even be stolen on the fly, since it does not have any lockable drive bays.

Encryption Protects Against Prying Eyes…

If you're going to the trouble of protecting the NAS device and hard drives from physical theft, the surest way of safeguarding the data from unscrupulous eyes is to encrypt disk contents. The manufacturers make use of a tool that die-hard Linux users have known for years, meaning that it is already quite common and has seen a lot of use in practice. Thecus and Qnap apply their encryption to the entire partition, while Synology allows its users to encrypt only specific folders.

…At the Cost of Performance

Performance-wise, the tested products are not that different. A lack of encryption acceleration means that enabling the feature absolutely destroys performance on all three units.

The default data transfer rates of the three candidates are on a similar level in many benchmarks, although the Thecus N4200 shows slightly better results than the competition. Nevertheless, it must be said that the encryption performance leaves a lot of room for improvement. The implementation of a dedicated hardware cryptography unit would affect the data transfer rates very positively. Intel’s dual-core Atom D510 offers modest performance in everyday use, but for this type of encryption task, it is simply underwhelming, in turn affecting the data transfer rates. Maybe AES-NI has value in the embedded market; hopefully Intel has something planned there.
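A quick way to check the point above on any Linux-based NAS or home-built server, as an added example that is not from the article: the script reads the CPU flags for AES-NI (`aes`) or VIA PadLock (`ace_en`) and converts an `openssl speed -evp` result row to MB/s. The sample flag lines, the throughput figures and the 125 MB/s gigabit line rate are constructed assumptions, not measurements from this test.

```shell
#!/bin/sh
# Added example: does this CPU have hardware AES, and can software AES fill the link?

# aes_accel: reads /proc/cpuinfo-style text on stdin, prints aes-ni | padlock | none.
# "aes" is the Linux flag for AES-NI; "ace_en" means VIA PadLock ACE is enabled.
aes_accel() {
    flags=$(awk -F: '/^flags/ && !n++ { print $2 }')
    case " $flags " in
        *" aes "*)    echo "aes-ni" ;;
        *" ace_en "*) echo "padlock" ;;
        *)            echo "none" ;;
    esac
}

# speed_mbs CIPHER: reads `openssl speed -evp CIPHER` output on stdin and prints
# whole MB/s for the largest block size. openssl reports 1000s of bytes per second
# with a trailing "k". It exercises one core in user space, so treat it as a rough ceiling.
speed_mbs() {
    awk -v c="$1" 'tolower($1) == tolower(c) {
        v = $NF; sub(/k$/, "", v); printf "%d\n", v / 1000 }'
}

# verdict CIPHER_MBS LINK_MBS: which side limits an encrypted network transfer.
verdict() {
    if [ "$1" -lt "$2" ]; then echo "cipher-bound"; else echo "link-bound"; fi
}

# Constructed sample inputs (shortened flag lists, invented throughput numbers).
sample_atom()  { printf 'model name\t: sample Atom-class CPU\nflags\t\t: fpu sse sse2 ssse3 movbe lahf_lm\n'; }
sample_via()   { printf 'flags\t\t: fpu sse sse2 rng rng_en ace ace_en ace2 ace2_en\n'; }
sample_aesni() { printf 'flags\t\t: fpu sse sse2 sse4_2 popcnt aes avx\n'; }
sample_speed() {
    printf 'type  16 bytes  64 bytes  256 bytes  1024 bytes  8192 bytes\n'
    printf 'aes-256-cbc  24110.52k  26200.10k  26890.33k  27010.75k  27034.28k\n'
}

# Demo on the samples. On a real box:
#   aes_accel < /proc/cpuinfo
#   openssl speed -evp aes-256-cbc 2>/dev/null | speed_mbs aes-256-cbc
for s in sample_atom sample_via sample_aesni; do
    printf '%s: %s\n' "$s" "$($s | aes_accel)"
done
mbs=$(sample_speed | speed_mbs aes-256-cbc)
printf 'AES-256-CBC: %s MB/s -> %s (assumed 125 MB/s gigabit line rate)\n' \
    "$mbs" "$(verdict "$mbs" 125)"
```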

Use and Flexibility

When it comes to using encryption, Thecus employs the most complex implementation. In order to unlock an encrypted partition, the N4200 requires an external drive to be connected, which is then removed during operation and stored in a safe place.

Qnap’s approach to handling the encrypted partitions is also solid, and there is no reason to complain. Synology offers the most flexible single-folder encryption solution. While encryption has to be configured in advance on the NAS servers from Thecus and Qnap (which then becomes a permanent change to the partition), the encrypted database on Synology's DS1010+ can grow or shrink dynamically. The advantage here is that the most sensitive folders can be selectively encrypted without much effort, while other shared files or folders remain unaffected by the performance impact caused by the encryption. Also, existing files or folders can be encrypted at a later time, and not just when they're created.

If you are concerned about security, there is one thing that you absolutely should not do with these three NAS devices, and that is to store the password string required to decrypt the partitions or files on the NAS itself. Security always comes at the cost of some effort, but you should absolutely choose to manually enter the password to gain access to the encrypted partition or file after rebooting the NAS. That shouldn't happen very often anyway.

  • 0 Hide
    und3rsc0re , May 18, 2011 4:46 AM
    You guys should do this test using a few solid state drives, I'm interested to know the results if encryption affects the performance of them much.
  • 1 Hide
    compton , May 18, 2011 4:48 AM
    What about a Core i5 or better based server? You could turn an i5 with aes-ni into a cheap server for the same price as these diskless enclosures. Couldn't it be turned into a Linux based NAS with hardware encryption? I'm not hip to all of the issues, but that was my first thought.
  • 5 Hide
    rhangman , May 18, 2011 6:30 AM
    What about a VIA based solution? Low power like an Atom, cheap and has the padlock hardware encryption engine.

    http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
  • 0 Hide
    Anonymous , May 18, 2011 7:51 AM
    Maybe you could test the other NAS's too

    http://www.tomshardware.com/charts/multi-bay-nas-charts-2011/benchmarks,121.html
    already has a performance overview so just add encryption test
  • 2 Hide
    huron , May 18, 2011 3:33 PM
    I like what you guys are doing here at Toms...very interesting article. Any chance you guys can get your hands on a better processor to see what the results would be - I know how resource heavy encryption/decryption can be, and worry these don't really have enough horsepower to handle the job well.

    Continue this as a series with better CPUs?
  • 0 Hide
    bwcbwc , May 18, 2011 4:02 PM
    The implication for all of these devices is that the data is encrypted/decrypted within the device, which in turn means that the data is transmitted over the network in unencrypted form.

    The risk of a packet sniffer on the LAN seems a lot higher than someone walking out the door with your NAS array (or a piece of it), so I think you need to weigh your priorities when you choose this type of solution. If you are ready to address the physical security of data on a network attached drive, you should already have taken steps to ensure the security of the data during transmission.
  • -1 Hide
    freggo , May 18, 2011 4:06 PM
    What if one were to use TrueCrypt partitions on these servers instead?
    I tested it extensively first and have used it now for 2 years on my regular drives, hardly a 'noticeable' performance hit compared to the unencrypted drives in the PC and 'zero' errors or problems so far.

  • -1 Hide
    Prey , May 18, 2011 4:33 PM
    In a commercial environment, especially medical, hell yes! Go to the HITECH Act and see the breach list over 500 due to unencrypted files that are stolen or lost.

    It shouldn't be a performance issue, but more a, is it worth the risk issue.
  • 0 Hide
    Niva , May 18, 2011 6:20 PM
    Definitely a good article, I'd been thinking about buying the Thecus. Tests with TrueCrypt would be appreciated since that's my tool of choice.
  • 1 Hide
    tacoslave , May 18, 2011 10:34 PM
    Was I the only one thinking of Sony?
  • 0 Hide
    dangolo , May 18, 2011 11:21 PM
    Bought the Thecus N4200 last year to complement my system drive, a truecrypted C300 SSD. Windows 7 iSCSI interface makes it cake to use, and I admit, I LOVE this combo. Encryption "slowness" is not noticeable except in the most hurried of situations.
    I have no enemies, but the value of knowing my data is private as often as possible, is a battle worth fighting.
    BTW, the Thecus has a built in battery backup power supply, an eSata, and 2x10Gb ports. Very pricey, but worth it to me, thanks TH, brilliant concept and review =D
  • 1 Hide
    palladin9479 , May 19, 2011 12:58 AM
    rhangman: What about a VIA based solution? Low power like an Atom, cheap and has the padlock hardware encryption engine. http://www.via.com.tw/en/initiativ [...] rdware.jsp


    Any Via based solution would stomp the Atom into the ground when it comes to encrypted data. Heck you can throw together your own NAS with all the options you could possibly want by building your own Mini-ITX server.

    Anyhow Toms has demonstrated in the past that its writers / editors are journalists before they're technicians. They go for the shock story rather than get technical and actually test things like a Via platform. Having done my own test with openssl, going from -engine dynamic to -engine padlock yielded over 1000% increase (yes more than 10x) in performance. I'm capable of reading / writing to an encrypted disk at full speed without the CPU taking a hit. For those of you who want to use SSDs Via is the ~only~ option as any other CPU would drag when trying to do the encryption at that speed.
  • 1 Hide
    palladin9479 , May 19, 2011 1:34 AM
    After looking back over the article I noticed the prices on these items. Guys these things are rip offs. For the same amount you can build your own Via based Mini-ITX server and run whatever features you want on it.

    Via Nano L2200 1.6GHz (or the newer dual core ones)
    1~2GB of DDR2 RAM (4 if you want to be adventurous)
    JetWay motherboard, or the Via reference one (I prefer Jetway)
    80GB SATA HDD (for OS)

    Then purchase a MediaSonic four bay eSATA / USB 3.0 external raid enclosure. Connect the enclosure to your server using eSATA and share out whatever drive setup you want. The bonus is you can do RAID-5 and the enclosure has its own circuitry to do the XOR calculations, thus relieving your CPU from having to do this. Use Linux as your OS, or MS SBS with DiskCryptor (TrueCrypt refuses to support Via CPUs, DiskCryptor is a fork from the original TrueCrypt and supports all current HW encryptors). Now you get whatever you want out of this package, use it just for network resource sharing like printers and file shares. If you want you can add OpenVPN style support, OpenSSL now supports the padlock encryption engine and you can specify that inside the OpenVPN configuration. You can add your own DNS server, web server or whatever project you can dream up.

    NAS devices like those above are for home "professionals" who don't know how to manage their own server, basically the iApple drones.
  • 0 Hide
    house70 , May 19, 2011 10:40 AM
    Nobody's asking you to buy one. People that can build their own NAS are NOT interested in this article, hence it was not for them. There are a lot of PC users not familiar with the requirements of building a NAS, especially running Linux. Do not look down on people that do not have the same knowledge about servers as you; they might have a LOT of knowledge about other things that you are clueless about. Yo' mama didn't teach you that?
    Also, your point makes no sense: if for the same amount of money you can build your own, then you are not saving a dime by doing so.
    Finally, if you have built one, why don't you publish your own benchmarks, to put some weight behind your statements? Although, seeing how biased you are, I would not necessarily believe the numbers you put out. You have just shot your credibility in the foot (or rather, in the face) with your comment.
  • 1 Hide
    palladin9479 , May 20, 2011 1:56 AM
    A "NAS" is just a mini-itx system running a customized linux OS with a managed web front end. You are limited by the "features" the HW manufacturer provided. Build your own (Linux or Windows Server) and not only do you get the exact same thing, but you can then add features or expand it in any way you desire.

    I point at encryption as a prime example. These NAS's are all using underpowered Atom CPUs and therefore cannot handle disk encryption at full speed. If you had built your own then it would have had padlock support and would be able to handle full speed disk encryption.

    Quote:
    There are a lot of PC users not familiar with the requirements of building a NAS, especially running Linux.


    This makes no sense. The ones who would be spending $600+ for a "NAS" are either professional IT guys and thus would be capable of running their own system, or are iLife heads who think it's "cool" to have something like this. These are not some $200 USD grandmother devices, nor are they set-top devices like a WDTV Live, they're full up servers hosting an exported file system. Who in the world would be buying these that wouldn't be better served on their own? A power user would be better off building their own feature rich device, especially when it comes to backups and security. A home user wouldn't be using this and would instead use a large USB drive. An enterprise user would be laughing at all of you and using their own solution.
  • 0 Hide
    x3style , May 20, 2011 11:31 AM
    und3rsc0re: You guys should do this test using a few solid state drives, I'm interested to know the results if encryption affects the performance of them much.

    A little more in-depth knowledge about encryption would let you know that encrypting uses CPU power, hence why accelerating the storage throughput would change nothing in the processing bottleneck.
    Your car doesn't get more HP by putting bigger tires, for that you need some engine tweaking.
  • 0 Hide
    Anonymous , May 21, 2011 10:07 AM
    I use DLNA to stream media to my Samsung TV. What if I was to use a NAS with encryption? Would that work?
  • 0 Hide
    Anonymous , May 22, 2011 7:31 PM
    I think it will resolve itself by a market -- this "NAS" are just overpriced, otherwise it's normal low-end solution for lazy user. I am also quite lazy, but after one experience with Buffalo Terastation I prefer to use MediaSonic enclosure connected to my server, similarly as other user advised...
    When it will be 800$ including 4x 3TB HDDs, then it will make a bit sense. Now it's a normal rip-off, which is actually quite normal and respected business nowadays.
    If you look on a typical supermarket shelves, you can easy see that most products are even not intended to be useful not for consumer but just designed to make a money for seller. Normally consumer doesn't like to buy this goods and that is why there exist multi-billion dollar marketing industry, to make you buy different "brand" trash...
    In IT you can at least test yourself...
    So just decide yourself, not trust ads at all and make some research before buying -- and you will be reasonably safe to get what you need, not what is marketed...
  • 0 Hide
    palladin9479 , May 23, 2011 3:58 AM
    Quote:
    I think it will resolve itself by a market -- this "NAS" are just overpriced, otherwise it's normal low-end solution for lazy user. I am also quite lazy, but after one experience with Buffalo Terastation I prefer to use MediaSonic enclosure connected to my server, similarly as other user advised...
    When it will be 800$ including 4x 3TB HDDs, then it will make a bit sense. Now it's a normal rip-off, which is actually quite normal and respected business nowadays.
    If you look on a typical supermarket shelves, you can easy see that most products are even not intended to be useful not for consumer but just designed to make a money for seller. Normally consumer doesn't like to buy this goods and that is why there exist multi-billion dollar marketing industry, to make you buy different "brand" trash...
    In IT you can at least test yourself...
    So just decide yourself, not trust ads at all and make some research before buying -- and you will be reasonably safe to get what you need, not what is marketed...



    Well if they could offer the NAS solution at $200~$250 without drives then that would be acceptable I think. You can get a home SOHO router device that supports USB "file share" for under $100 USD, and honestly this is ~all~ you need for a NAS device. Take the system board, remove the wireless components / routing interfaces, put in a SATA system with an eSATA / USB connector and 2~4 bays for drives. That would be marketable and be within the range of the average home user that doesn't have time / ability to manage their own server. This $600+ cost of drives for what is a non-managed file server ... it's just too much for the SOHO world.
  • 0 Hide
    g00ey , May 23, 2011 11:14 AM
    But what if you use a proper quad-core computer with lots of RAM as a NAS running Solaris/OpenIndiana? Then the encryption shouldn't be much of a performance issue.