Is Data Encryption Worth Destroying Your NAS' Performance?

Atom D510 And Encryption

Once you start getting into higher-end networked storage devices for SMBs, you often see value-added features like the ability to encrypt stored data to improve security. There are different ways to achieve this, which depend on the vendor. Some employ encryption at the partition level, while others encrypt at the file level.

Since these features generate a lot of interest from professional users concerned about protecting sensitive information, we decided to take a closer look at the encryption capabilities of several NAS devices: the TS-459 Pro by Qnap, Synology’s DS1010+, and Thecus' N4200.

Acceleration Through a Dedicated Cryptography Unit?

The NAS devices in this roundup all use the symmetric-key encryption AES (Advanced Encryption Standard) with a key length of 256 bits. The encryption standard is generally considered very safe and is used industry-wide, as well as by authorities in various fields (it is approved by the U.S. government for encrypting documents, for example). It is not uncommon for USB flash drives or hard drives to employ AES, and because of the high computational cost of data encryption, these often come with dedicated encryption/decryption processors, greatly accelerating the cryptography process.

Intel’s addition of AES-NI to its 32 nm Clarkdale-based Core i5 desktop CPUs, six-core Gulftown processors, and second-gen Core i5 and Core i7 chips impressively demonstrates how much dedicated acceleration hardware can increase the speed of the encryption/decryption process. More information about this can be found in the article AES-NI Performance Analyzed; Limited To 32 nm Core i5 CPUs.

Inevitable Performance Degradation Through Intel’s Atom?

Unfortunately, none of the tested devices from Synology, Thecus, or Qnap have a dedicated hardware cryptography unit for encrypting/decrypting data, revealing a huge potential drawback of data encryption directly on the network storage device. As a result, if you actually plan to use encryption, that functionality must be handled by the NAS device's host processor. In all three of our test cases, that's a meager Intel Atom D510, which of course lacks the AES-NI support that'd be needed to accelerate encryption in hardware.
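An added example (not part of the original article): on a Linux-based NAS or server you can check for AES-NI by looking for the `aes` flag in `/proc/cpuinfo`. The sketch below parses that file per logical CPU and matches whole flag tokens; the sample texts are constructed and abbreviated, and accepting the arm64 `Features` line goes beyond the x86 case the article covers.

```python
"""Check /proc/cpuinfo text for hardware AES support (added example)."""
from pathlib import Path

# Constructed, abbreviated samples; real flag lists are much longer.
SAMPLE_ATOM = """\
processor\t: 0
model name\t: Intel(R) Atom(TM) CPU D510   @ 1.66GHz
flags\t\t: fpu vme de pse tsc msr pae sse sse2 ssse3 movbe lahf_lm

processor\t: 1
model name\t: Intel(R) Atom(TM) CPU D510   @ 1.66GHz
flags\t\t: fpu vme de pse tsc msr pae sse sse2 ssse3 movbe lahf_lm
"""
SAMPLE_AESNI = """\
processor\t: 0
model name\t: Constructed x86 CPU with AES-NI
flags\t\t: fpu vme de pse tsc sse sse2 ssse3 pclmulqdq aes avx
"""


def parse_cpuinfo(text):
    """Return one dict per logical CPU: {'model': str, 'flags': set}."""
    cpus = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        if "processor" not in fields:
            continue  # not a per-CPU block
        # x86 lists capabilities under "flags"; arm64 uses "Features".
        flags = fields.get("flags") or fields.get("features") or ""
        cpus.append({"model": fields.get("model name", "unknown"),
                     "flags": set(flags.split())})
    return cpus


def has_hw_aes(text):
    """True only if every logical CPU advertises the exact 'aes' flag."""
    cpus = parse_cpuinfo(text)
    return bool(cpus) and all("aes" in cpu["flags"] for cpu in cpus)


if __name__ == "__main__":
    path = Path("/proc/cpuinfo")
    text = path.read_text() if path.exists() else SAMPLE_ATOM
    for cpu in parse_cpuinfo(text):
        print(cpu["model"], "-> aes flag:", "aes" in cpu["flags"])
    print("hardware AES on all CPUs:", has_hw_aes(text))
```

Matching whole tokens matters because a substring search would also hit unrelated flags such as `vaes`.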

The dual-core Atom processor is also tasked with handling XOR operations for the NAS devices’ RAID arrays. It is partly responsible for the data transfer rates of 100 MB/s and more (in gigabit Ethernet networks). Its network performance suffers once you apply the additional demands of compute-intensive cryptographic calculations, though. Just how much network performance do you lose when you trade throughput for security? Let's find out!

Marcel Binder
  • und3rsc0re
    You guys should do this test using a few solid state drives, I'm interested to know the results if encryption affects the performance of them much.
  • compton
    What about a Core i5 or better based server? You could turn an i5 with aes-ni into a cheap server for the same price as these diskless enclosures. Couldn't it be turned into a Linux based NAS with hardware encryption? I'm not hip to all of the issues, but that was my first thought.
  • rhangman
    What about a VIA based solution? Low power like an Atom, cheap and has the padlock hardware encryption engine.

    http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
  • maybe you could test the other NAS too

    http://www.tomshardware.com/charts/multi-bay-nas-charts-2011/benchmarks,121.html
    already has a performance overview so just add encryption test
  • huron
    I like what you guys are doing here at Toms...very interesting article. Any chance you guys can get your hands on a better processor to see what the results would be - I know how resource heavy encryption/decryption can be, and worry these don't really have enough horsepower to handle the job well.

    Continue this as a series with better CPUs?
  • bwcbwc
    The implication for all of these devices is that the data is encrypted/decrypted within the device, which in turn means that the data is transmitted over the network in unencrypted form.

    The risk of a packet sniffer on the LAN seems a lot higher than someone walking out the door with your NAS array (or a piece of it), so I think you need to weigh your priorities when you choose this type of solution. If you are ready to address the physical security of data on a network attached drive, you should already have taken steps to ensure the security of the data during transmission.
  • freggo
    What if one were to use TrueCrypt partitions on these servers instead?
    I tested it extensively first and use it now for 2 years on my regular drives, hardly a 'noticeable' performance hit compared to the unencrypted drives in the PC and 'zero' errors or problems so far.

  • Prey
    In a commercial environment, especially medical, hell yes! Go to the HITECH Act and see the breach list over 500 due to unencrypted files that are stolen or lost.

    It shouldn't be a performance issue, but more a, is it worth the risk issue.
  • Niva
    Definitely a good article, I'd been thinking about buying the Thecus. Tests with TrueCrypt would be appreciated since that's my tool of choice.
  • tacoslave
    Was I the only one thinking of Sony?