Is Data Encryption Worth Destroying Your NAS' Performance?

Conclusion

The NAS servers used in this test are all designed for commercial or semi-professional environments, which to some extent is reflected in their lofty prices. The Thecus N4200 is about $670, while the Synology DS1010+ and Qnap TS-459 Pro cost a bit more.

That's quite a hefty sum to pay for a diskless enclosure that you still need to populate with storage. In many cases, that raises expectations, and you naturally assume data stored on the NAS server really is safe. Similarly, you also expect that, even if a hard drive in the server's array fails, you'll still be able to rebuild the configuration and keep that data available. All three NAS servers offer a variety of RAID modes and backup capabilities that really can prevent data loss when they're applied sensibly.

Data Loss Due To Theft

Data can, however, be lost in ways other than a drive dying. How about if a disk from a RAID 1 array gets stolen? What about the entire NAS unit (these things aren't exactly heavy)? That's not a far-fetched scenario, especially if your networked storage is installed in a high-traffic environment like a retail store or doctor’s office. It's nice that all of the NAS servers in this test can be chained down using a Kensington lock. But lightweight physical security might not be much of a challenge to a prepared thief.

Thecus and Qnap also equip their products (the N4200 and TS-459 Pro) with lockable drive trays. This means that even the bravest jerk with a well-placed screwdriver should be unable to get away with a hard drive without damaging its housing. Conversely, the hard drives in Synology's DS1010+ could even be stolen on the fly, though, since it does not have any lockable drive bays.

Encryption Protects Against Prying Eyes…

If you're going to the trouble of protected the NAS device and hard drives from physical theft, the surest way of safeguarding the data from unscrupulous eyes is to encrypt disk contents. The manufacturers make use of a tool that has been known by all die-hard Linux users for years, meaning that it is already quite common out there, and has seen a lot of use in practice. Thecus and Qnap apply their encryption to the entire partition, while Synology allows its users to encrypt only specific folders.

…At the Cost of Performance

Performance-wise, the tested products are not that different. A lack of encryption acceleration means that enabling the feature absolutely destroys performance on all three units.

The default data transfer rates of the three candidates are on a similar level in many benchmarks, although the Thecus N4200 shows slightly better results than the competition. Nevertheless, it must be said that the encryption performance leaves a lot of room for improvement. The implementation of a dedicated hardware cryptography unit would affect the data transfer rates very positively. Intel’s dual-core Atom D510 offers modest performance in everyday use, but for this type of encryption task, it is simply underwhelming, in turn affecting the data transfer rates. Maybe AES-NI has value in the embedded market; hopefully Intel has something planned there.

Use and Flexibility

When it comes to using encryption, Thecus employs the most complex implementation. In order to unlock an encrypted partition, the N4200 requires an external drive to be connected, which is then removed during operation and stored in a safe place.

Qnap’s approach to handling the encrypted partitions is also solid, and there is no reason to complain. Synology offers the most flexible single-folder encryption solution. While encryption has to be configured in advance on the NAS servers from Thecus and Qnap (which then becomes a permanent change to the partition), the encrypted database on Synology's DS1010+ can grow or shrink dynamically. The advantage here is that the most sensitive folders can be selectively encrypted without much effort, while other shared files or folders remain unaffected by the performance impact caused by the encryption. Also, existing files or folders can be encrypted at a later time, and not just when they're created.

If you are concerned about security, there is one thing that you absolutely should not do with these three NAS devices, and that is to store the password string required to decrypt the partitions or files on the NAS itself. Security always comes at the cost of some effort, but you should absolutely choose to manually enter the password to gain access to the encrypted partition or file after rebooting the NAS. That shouldn't happen very often anyway.

Marcel Binder
  • und3rsc0re
    You guys should do this test using a few solid state drives, im interested to know the results if encryption affects the performance of them much.
    Reply
  • compton
    What about a Core i5 or better based server? You could turn an i5 with aes-ni into a cheap server for the same price as these diskless enclosures. Couldn't it be turned into a Linux based NAS with hardware encryption? I'm not hip to all of the issues, but that was my first thought.
    Reply
  • rhangman
    What about a VIA based solution? Low power like an Atom, cheap and has the padlock hardware encryption engine.

    http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
    Reply
  • maybe you could test the other nas´too

    http://www.tomshardware.com/charts/multi-bay-nas-charts-2011/benchmarks,121.html
    already has a performance overview so just add encryption test
    Reply
  • huron
    I like what you guys are doing here at Toms...very interesting article. Any chance you guys can get your hands on a better processor to see what the results would be - I know how resource heavy encryption/decryption can be, and worry these don't really have enough horsepower to handle the job well.

    Continue this as a series with better CPUs?
    Reply
  • bwcbwc
    The implication for all of these devices is that the data is encrypted/decrypted within the device, which in turn means that the data is transmitted over the network in unencrypted form.

    The risk of a packet sniffer on the LAN seems a lot higher than someone walking out the door with your NAS array (or a piece of it), so I think you need to weigh your priorities when you choose this type of solution. If you are ready to address the physical security of data on a network attached drive, you should already have taken steps to ensure the security of the data during transmission.
    Reply
  • freggo
    What if one where to use TrueCrypt partitions on these servers instead ?
    I tested it extensively first and use it now for 2 years on my regular drives, hardly a 'noticable' performance hit compared to the unencrypted drives in the PC and 'zero' errors or problems so far.

    Reply
  • Prey
    In a commercial environment, especially medical, hell yes! Go to the HITECH Act and see the breach list over 500 due to unencrypted files that are stolen or lost.

    It shouldn't be a performance issue, but more a, is it worth the risk issue.
    Reply
  • Niva
    Definitely a good article, I'd been thinking about buying the Thecus. Tests with TrueCrypt would be appreciated since that's my tool of choice.
    Reply
  • tacoslave
    was i the only one thinking of sony?
    Reply