Is Data Encryption Worth Destroying Your NAS' Performance?

Qnap TS-459 Pro

The Qnap TS-459 Pro also comes with a dual-core Intel Atom D510 CPU, 1 GB DDR2-RAM, iSCSI functionality, and four hard drive bays that can be used in the RAID modes 0, 1, 5, and 6. The NAS device offers good sequential data transfer rates of about 100 MB/s under normal operation, depending a bit on the RAID mode.

Encryption: Password or Key File

Just like the Thecus device, Qnap also uses partition-level encryption using standard tools like Linux dm-crypt and cryptsetup. You do not have to rely on the command prompt to set it up though, as this can be done easily via the Web-based interface. You cannot enable encryption for existing RAID partitions; it has to be done at the time of creation.

The setup process is rather similar to activating encryption on the Thecus NAS.

You have to activate the encryption feature and select a password when creating a RAID array with encryption enabled. The option “Save Encryption Key” saves the password on the NAS device, which means that the encrypted partition will be automatically opened and integrated into the system configuration after rebooting. Anyone who recognizes the potential vulnerability in this can disable the option and instead unlock the encrypted partition by entering the password manually in the Web administration interface after rebooting the NAS.

The Qnap NAS device requires a password between eight and sixteen characters.

We also get the usual warning that confirming the action will erase all data on the hard drives.

After the encrypted RAID array has been created, changes to the encryption configuration can be made through the menu item “Encrypted File System.” It is possible to delete a stored key from the configuration or to change the password of an encrypted RAID array.

If the encryption password is not saved, it must be input manually via the Web interface, or you can use a key file instead.

Marcel Binder
  • und3rsc0re
    You guys should do this test using a few solid state drives, im interested to know the results if encryption affects the performance of them much.
  • compton
    What about a Core i5 or better based server? You could turn an i5 with aes-ni into a cheap server for the same price as these diskless enclosures. Couldn't it be turned into a Linux based NAS with hardware encryption? I'm not hip to all of the issues, but that was my first thought.
  • rhangman
    What about a VIA based solution? Low power like an Atom, cheap and has the padlock hardware encryption engine.
  • maybe you could test the other nas´too,121.html
    already has a performance overview so just add encryption test
  • huron
    I like what you guys are doing here at Toms...very interesting article. Any chance you guys can get your hands on a better processor to see what the results would be - I know how resource heavy encryption/decryption can be, and worry these don't really have enough horsepower to handle the job well.

    Continue this as a series with better CPUs?
  • bwcbwc
    The implication for all of these devices is that the data is encrypted/decrypted within the device, which in turn means that the data is transmitted over the network in unencrypted form.

    The risk of a packet sniffer on the LAN seems a lot higher than someone walking out the door with your NAS array (or a piece of it), so I think you need to weigh your priorities when you choose this type of solution. If you are ready to address the physical security of data on a network attached drive, you should already have taken steps to ensure the security of the data during transmission.
  • freggo
    What if one where to use TrueCrypt partitions on these servers instead ?
    I tested it extensively first and use it now for 2 years on my regular drives, hardly a 'noticable' performance hit compared to the unencrypted drives in the PC and 'zero' errors or problems so far.

  • Prey
    In a commercial environment, especially medical, hell yes! Go to the HITECH Act and see the breach list over 500 due to unencrypted files that are stolen or lost.

    It shouldn't be a performance issue, but more a, is it worth the risk issue.
  • Niva
    Definitely a good article, I'd been thinking about buying the Thecus. Tests with TrueCrypt would be appreciated since that's my tool of choice.
  • tacoslave
    was i the only one thinking of sony?