Sign in with
Sign up | Sign in

Is Data Encryption Worth Destroying Your NAS' Performance?

Is Data Encryption Worth Destroying Your NAS' Performance?
By

Three vendors of network-attached storage, Qnap, Synology, and Thecus, sent over Intel Atom-based NAS servers to test the effects of protecting your data via encryption. But performance and configuration options are not identical, as our testing shows.

Once you start getting into higher-end networked storage devices for SMBs, you often see value-added features like the ability to encrypt stored data to improve security. There are different ways to achieve this, which depend on the vendor. Some employ encryption at the partition level, while others encrypt at the file level.

Since these features generate a lot of interest from professional users concerned about protecting sensitive information, we decided to take a closer look at the encryption capabilities of several NAS devices: the TS-459 Pro by Qnap, Synology’s DS1010+ Synology, and Thecus' N4200.

Acceleration Through a Dedicated Cryptography Unit?

The NAS devices in this roundup all use the symmetric-key encryption AES (Advanced Encryption Standard) with a key length of 256 bits. The encryption standard is generally considered very safe and is used industry-wide, as well as by authorities in various fields (it is approved by the U.S. government for encrypting documents, for example). It is not uncommon for USB flash drives or hard drives to employ AES, and because of the high computational cost of data encryption, these often come with dedicated encryption/decryption processors, greatly accelerating the cryptography process.

Intel’s addition AES-NI to its 32 nm Clarkdale-based Core i5 desktop CPUs, six-core Gulftown processors, and second-gen Core i5 and Core i7 chips impressively demonstrates how much dedicated acceleration hardware can increase the speed of the encryption/decryption process. More information about this can be found in the article AES-NI Performance Analyzed; Limited To 32 nm Core i5 CPUs.

Inevitable Performance Degradation Through Intel’s Atom?

Unfortunately, none of the tested devices from Synology, Thecus, or Qnap have a dedicated hardware cryptography unit for encrypting/decrypting data, revealing a huge potential drawback of data encryption directly on the network storage device. As a result, if you actually plan to use encryption, that functionality must be handled by the NAS device's host processor. In all three of our test cases, that's a meager Intel Atom D510, which of course lacks the AES-NI support that'd be needed to accelerate encryption in hardware.

The dual-core Atom processor is also tasked with handling XOR operations for the NAS devices’ RAID arrays. It is partly responsible for the data transfer rates of 100 MB/s and more (in gigabit Ethernet networks). Its network performance suffers once you apply the additional demands of compute-intensive cryptographic calculations, though. Just how much network performance do you lose when you trade throughput for security? Let's find out!

Ask a Category Expert

Create a new thread in the Reviews comments forum about this subject

Example: Notebook, Android, SSD hard drive

Display all 26 comments.
This thread is closed for comments
  • 0 Hide
    und3rsc0re , May 18, 2011 4:46 AM
    You guys should do this test using a few solid state drives, im interested to know the results if encryption affects the performance of them much.
  • 1 Hide
    compton , May 18, 2011 4:48 AM
    What about a Core i5 or better based server? You could turn an i5 with aes-ni into a cheap server for the same price as these diskless enclosures. Couldn't it be turned into a Linux based NAS with hardware encryption? I'm not hip to all of the issues, but that was my first thought.
  • 5 Hide
    rhangman , May 18, 2011 6:30 AM
    What about a VIA based solution? Low power like an Atom, cheap and has the padlock hardware encryption engine.

    http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
  • 0 Hide
    Anonymous , May 18, 2011 7:51 AM
    maybe you could test the other nas´too

    http://www.tomshardware.com/charts/multi-bay-nas-charts-2011/benchmarks,121.html
    already has a performance overview so just add encryption test
  • 2 Hide
    huron , May 18, 2011 3:33 PM
    I like what you guys are doing here at Toms...very interesting article. Any chance you guys can get your hands on a better processor to see what the results would be - I know how resource heavy encryption/decryption can be, and worry these don't really have enough horsepower to handle the job well.

    Continue this as a series with better CPUs?
  • 0 Hide
    bwcbwc , May 18, 2011 4:02 PM
    The implication for all of these devices is that the data is encrypted/decrypted within the device, which in turn means that the data is transmitted over the network in unencrypted form.

    The risk of a packet sniffer on the LAN seems a lot higher than someone walking out the door with your NAS array (or a piece of it), so I think you need to weigh your priorities when you choose this type of solution. If you are ready to address the physical security of data on a network attached drive, you should already have taken steps to ensure the security of the data during transmission.
  • -1 Hide
    freggo , May 18, 2011 4:06 PM
    What if one where to use TrueCrypt partitions on these servers instead ?
    I tested it extensively first and use it now for 2 years on my regular drives, hardly a 'noticable' performance hit compared to the unencrypted drives in the PC and 'zero' errors or problems so far.

  • -1 Hide
    Prey , May 18, 2011 4:33 PM
    In a commercial environment, especially medical, hell yes! Go to the HITECH Act and see the breach list over 500 due to unencrypted files that are stolen or lost.

    It shouldn't be a performance issue, but more a, is it worth the risk issue.
  • 0 Hide
    Niva , May 18, 2011 6:20 PM
    Definitely a good article, I'd been thinking about buying the Thecus. Tests with TrueCrypt would be appreciated since that's my tool of choice.
  • 1 Hide
    tacoslave , May 18, 2011 10:34 PM
    was i the only one thinking of sony?
  • 0 Hide
    dangolo , May 18, 2011 11:21 PM
    Bought the Thecus N4200 last year to compliment my system drive, a truecrypted C300 SSD. Windows 7 iSCSI interface makes it cake to use, and I admit, I LOVE this combo. Encryption "slowness" is not noticeable except in the most hurried of situations.
    I have no enemies, but the value of knowing my data is private as often as possible, is a battle worth fighting.
    BTW, the Thecus has a built in battery backup power supply, an eSata, and 2x10Gb ports. Very pricey, but worth it to me, thanks TH, brilliant concept and review =D
  • 1 Hide
    palladin9479 , May 19, 2011 12:58 AM
    rhangmanWhat about a VIA based solution? Low power like an Atom, cheap and has the padlock hardware encryption engine.http://www.via.com.tw/en/initiativ [...] rdware.jsp


    Any Via based solution would stomp the Atom into the ground when it comes to encrypted data. Heck you can throw together your own NAS with all the options you could possible want by building your own Mini-ITX server.

    Anyhow Toms has demonstrated in the past that its writers / editors are journalists before their technicians. They go for the shock story rather then get technical and actually test things like a Via platform. Having done my own test with openssl, going from -engine dynamic to -engine padlock yielding over 1000% increase (yes more then 10x) in performance. I'm capable of reading / writing to an encrypted disk at full speed without the CPU taking a hit. For those of you who want to use SSD's Via is the ~only~ option as any other CPU would drag when trying to do the encryption at that speed.
  • 1 Hide
    palladin9479 , May 19, 2011 1:34 AM
    After looking back over the article I noticed the prices on these items. Guys these things are rip offs. For the same amount you can build your own Via based Mini-ITX server and run whatever features you want on it.

    Via Nano L2200 1.6Ghz (or the newer dual core ones)
    1~2GB of DDR2 RAM (4 if you want to be adventurous)
    JetWay motherboard, or the Via reference one (I prefer Jetway)
    80GB SATA HDD (for OS)

    Then purchase a MediaSonic four bay eSATA / USB 3.0 external raid enclosure. Connect the enclosure to your server using eSATA and share out whatever drive setup you want. The bonus is you can do RAID-5 and the enclosure has its own circuitry to do the XOR calculations, thus relieving your CPU from having to do this. Use Linux as your OS, or MS SBS with DiskCryptor (Truecrypt refuse's to support Via CPU's, DiskCryptor is a fork from the original TrueCrypt and supports all current HW encryptors). Now you get whatever you want out of this package, use it just for network resource sharing like printers and file shares. If you want you can add OpenVPN style support, OpenSSL now supports the padlock encryption engine and you can specify that inside the OpenVPN configuration. You can add your own DNS server, web server or whatever project you can dream up.

    NAS devices like those above are for home "professionals" who don't know how to manage their own server, basically the iApple drones.
  • 0 Hide
    house70 , May 19, 2011 10:40 AM
    Nobody's asking you to buy one. People that can build their own NAS are NOT interested in this article, hence it was not for them. There are a lot of PC users not familiar with the requirements of building a NAS, especially running Linux. Do not look down on people that do not have the same knowledge about servers as you; they might have a LOT of knowledge about other things that you are clueless. Yo' mama didn't teach you that?
    Also, your point makes no sense: if for the same amount of money you can build your own, then you are not saving a dime by doing so.
    Finally, if you have built one, why don't you publish your own benchmarks, to put some weight behind your statements? Although, seeing how biased you are, I would not necessarily believe the numbers you put out. You have just shot your credibility in the foot (or rather, in the face) with your comment.
  • 1 Hide
    palladin9479 , May 20, 2011 1:56 AM
    A "NAS" is just a mini-itx system running a customized linux OS with a managed web front end. You are limited by the "features" the HW manufacturer provided. Build your own (Linux or Windows Server) and not only do you get the exact same thing, but you can then add features or expand it in any way you desire.

    I point at encryption as a prime example. These NAS's are all using under powered Atom CPU's and therefor can not handle disk encryption at full speed. If you had built your own then it would of had padlock support and would be able to handle full speed disk encryption.

    Quote:
    There are a lot of PC users not familiar with the requirements of building a NAS, especially running Linux.


    This makes no sense. The one's who would be spending $600+ for a "NAS" are either professional IT guys and thus would be capable of running their own system, or are iLife heads who think its "cool" to have something like this. These are not some $200 USD grandmother devices, nor are they set-top devices like a WDTV Live, their full up servers hosting an exported file system. Who in the world would be buying these that wouldn't be better served on their own? A power user would be better off building their own feature rich device, especially when it comes to backups and security. A home user wouldn't be using this and would instead use a large USB drive. An enterprise user would be laughing at all of you and using their own solution.
  • 0 Hide
    x3style , May 20, 2011 11:31 AM
    und3rsc0reYou guys should do this test using a few solid state drives, im interested to know the results if encryption affects the performance of them much.

    A little more in-depth knowledge about encryption would let you know that encrypting uses CPU power hence why accelerating the storage trough-put would change nothing in the processing bottleneck.
    Your car doesn't get more HP by putting bigger tires, for that you need some engine tweaking.
  • 0 Hide
    Anonymous , May 21, 2011 10:07 AM
    I use DNLA to stream media to my Samsung tv. What if I was to use a NAS with encryption. Would that work?.
  • 0 Hide
    Anonymous , May 22, 2011 7:31 PM
    I think it will resolve itself by a market -- this "NAS" are just overpriced, otherwise it's normal low-end solution for lazy user. I am also quit lazy, but after one experience with Buffalo Terastation I prefer to use MediaSonic enclosure connected to my server, similarly as other user adviced...
    When it will be 800$ including 4x 3TB HDDs, than it will make a bit sense. Now it's a normal rip-off, which is actually quit normal and respected business nowadays.
    If you look on a typical supemarket shelves, you can easy see that most products are even not intended to be usefull not for consumer but just designed to make a money for seller. Normally cinsumer doesn't like to buy this goods and that is why there exist multi-billion dollar marketing industry, to make you buy different "brand" trash...
    In IT you can at least test yourself...
    So just decide yourself, not trust ads at all and make some research before buying -- and you will be reasonably safe to get what you need, not what is marketed...
  • 0 Hide
    palladin9479 , May 23, 2011 3:58 AM
    Quote:
    I think it will resolve itself by a market -- this "NAS" are just overpriced, otherwise it's normal low-end solution for lazy user. I am also quit lazy, but after one experience with Buffalo Terastation I prefer to use MediaSonic enclosure connected to my server, similarly as other user adviced...
    When it will be 800$ including 4x 3TB HDDs, than it will make a bit sense. Now it's a normal rip-off, which is actually quit normal and respected business nowadays.
    If you look on a typical supemarket shelves, you can easy see that most products are even not intended to be usefull not for consumer but just designed to make a money for seller. Normally cinsumer doesn't like to buy this goods and that is why there exist multi-billion dollar marketing industry, to make you buy different "brand" trash...
    In IT you can at least test yourself...
    So just decide yourself, not trust ads at all and make some research before buying -- and you will be reasonably safe to get what you need, not what is marketed...



    Well if they could offer the NAS solution at $200~$250 without drives then that would be acceptable I think. You can get a home SOHO router device that supports USB "file share" for under $100 USD, and honestly this is ~all~ you need for a NAS device. Take the system board, remove the wireless components / routing interfaces, put in a SATA system with an eSATA / USB connector and 2~4 bays for drives. That would be marketable and be within the range of the average home user that doesn't have time / ability to manage their own server. This $600+ cost of drives for what is a non-managed file server ... its just too much for the SOHO world.
  • 0 Hide
    g00ey , May 23, 2011 11:14 AM
    But what if you use a proper quad-core computer with lots of RAM as a NAS running Solaris/OpenIndiana? Then the encryption shouldn't be much of a performance issue.
Display more comments