Encryption off = better performance?


Post by photonclock » Sat Oct 05, 2019 6:30 pm

Is there a substantial/worthwhile performance gain by disabling encryption?

If a pool is created with:
Code:
sudo zpool create -f -o ashift=12 -O casesensitivity=insensitive -O normalization=formD RAID_Z3 raidz3 disk11 disk12 disk13 disk14 disk15 disk16 disk17 disk19 disk20 disk21 disk22

...then is encryption on by default?

If encryption is on, and the pool is imported/mounted, can I do this without ill effect?
Code:
zpool set feature@encryption=disabled RAID_Z3
zpool set feature@encryption=enabled RAID_Z3


What are the consequences (or possibilities) of enabling/disabling decryption after a pool is created and data is already on the volume?
photonclock
 
Posts: 11
Joined: Sat Oct 05, 2019 2:40 pm

Re: Encryption off = better performance?

Post by lundman » Sun Oct 06, 2019 5:27 pm

Default is that metadata is compressed, but your data is not. If you set lz4 then it will use lz4 on both data and metadata.

Very often compression will give you better performance due to smaller/less frequent IO required, and CPUs are pretty decent these days. But it isn't very hard to find situations where the opposite is true. Even if you save mpeg files, which can not be compressed, lz4 will skip over the file data, but keep compressing the metadata. Generally, it is a good thing to enable compression - but you could check for your specific data.

Code:
zpool set feature@encryption=disabled RAID_Z3
zpool set feature@encryption=enabled RAID_Z3


These calls talk about the pool feature, and are not how you change the compression type, and will do nothing if compression is not on.

Code:
zfs set compression=lz4 RAID_Z3


Will enable compression for the root dataset of the pool (and if you use inherit, lz4 for all lower datasets, unless specifically set to something different).

Note that enabling compression (setting lz4) will NOT recompress everything on disk already. They will remain in whatever state that they are in. Only NEW data will use the compression setting. So a newly written file will then be lz4 compressed. This is also true when you disable compression: any files with lz4 will remain compressed, and only new data will be uncompressed.

If you benchmark, create a new dataset, set the compression level, then populate data for testing.
lundman
 
Posts: 1335
Joined: Thu Mar 06, 2014 2:05 pm
Location: Tokyo, Japan

Re: Encryption off = better performance?

Post by photonclock » Mon Oct 07, 2019 3:17 pm

Sorry, I'm confused by your reply. My question was regarding encryption, but you responded with info about compression. ?

edit: also, re compression - the video data I am working with is mostly incompressible so I do not want that feature enabled either. Performance, stability, and ZFS redundancy are my primary goals.

Re: Encryption off = better performance?

Post by lundman » Mon Oct 07, 2019 3:50 pm

Crikey - you are right, I went down the wrong path there!

In your zpool create example, there is no encryption. You would need to supply "-O encryption=on" if you want it on for the pool, and inherited by all lower datasets.

You control encryption settings per dataset, with zfs create -o encryption=on/off. Note you can only set it when you create a dataset, not once it exists.

The "zpool set feature@encryption" is generally not something you directly change. It will be set to enabled, when you create a dataset with encryption=on.

You can not disable encryption on an existing dataset. You can create a new dataset with encryption=off, then copy data over.

Personally, I prefer to create the pool unencrypted, then create a -o encryption=on pool/secure - and all datasets under secure (should you want to create more datasets) are all encrypted, but the root dataset is not.
But that really is just a personal preference. I don't remember if we are allowed to create an unencrypted dataset under an encrypted root - so maybe if you do make the pool be encrypted from the top, you can not have plain datasets. But there was a ZOL ticket about allowing it. But I set it up this way, so I can have full speed on data that need not be secure, since there is some penalty using encryption.

Re: Encryption off = better performance?

Post by photonclock » Mon Oct 07, 2019 5:23 pm

lundman wrote: Personally, I prefer to create the pool unencrypted, then create a -o encryption=on pool/secure - and all datasets under secure (should you want to create more datasets) are all encrypted, but the root dataset is not.


Yes, that's precisely the workflow I'm aiming for - an unencrypted pool that I could clone as an encrypted pool.

That leads me to another question that I'm trying to grasp: dataset vs pool.

When I do something like:

sudo zpool create -f -o ashift=12 -O casesensitivity=insensitive -O normalization=formD RAID_Z3 raidz3 disk11 disk12 disk13 disk14 disk15 disk16 disk17 disk19 disk20 disk21 disk22

Is that actually creating both a pool and a default dataset?

Should I think of a dataset as a child of pool? ie, pool > dataset > snapshot ?

Could you show me a syntax example for a workflow along these lines:

Make pool_A (raidz2 or z3 per above) encryption=disabled
Make pool_B (mirror) encryption=disabled (probably just 1 or 2 disks in this, to be used as a shuttle or separate nearline storage pod)
Make an encrypted dataset within pool_B
Clone pool_A to pool_B
Make pool_B read only

And then, ideally, I hope to be able to mount pool_B on either Mac or FreeNAS.

Re: Encryption off = better performance?

Post by lundman » Tue Oct 08, 2019 4:04 pm

Yes, basically a "zpool create" will indeed create the pool, but a pool without a dataset is pretty useless, so it will also create the root dataset, with the same name.

Code:
Create unencrypted pool:
$ sudo bash
# zpool create -f -o ashift=12 -O casesensitivity=insensitive -O normalization=formD -O atime=off -O compression=lz4 RAID_Z3 raidz3 disk11 disk12 disk13 disk14 disk15 disk16 disk17 disk19 disk20 disk21 disk22

Convert to invariantdisk device names.
# zpool export RAID_Z3
# zpool import RAID_Z3

Create mirror pool
# zpool create -f -o ashift=12 -O casesensitivity=insensitive -O normalization=formD -O atime=off -O compression=lz4 tank mirror disk23 disk24

Create encrypted dataset
# zfs create -o encryption=aes-256-ccm -o keyformat=passphrase tank/secure

Snapshot dataset to send
# zfs snapshot RAID_Z3@send

Send snapshot
# zfs send -v RAID_Z3@send | zfs recv -o readonly=on tank/secure/from_RAID_Z3

Send incremental
# zfs snapshot RAID_Z3@send_newer
# zfs send -v -i RAID_Z3@send RAID_Z3@send_newer | zfs recv -o readonly=on tank/secure/from_RAID_Z3



That's all from memory alas, if some of it doesn't work, I can refine it after booting the VM :)
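An added example, not part of the thread or of OpenZFS itself: a check to run after the send/recv shown above, confirming that everything under tank/secure is encrypted and keyed from that dataset. It parses the tab-separated rows printed by `zfs get -H`; the sample rows are constructed, and tank/secure/plain and tank/secure/rawcopy are hypothetical datasets included only so the check has something to flag.

```shell
#!/bin/sh
# Added example. On a live system, feed audit_encryption with:
#   zfs get -H -r -o name,property,value encryption,encryptionroot tank
# Each input row is tab-separated: <dataset> <property> <value>

# audit_encryption EXPECTED_ROOT   (rows on stdin, findings on stdout)
#   PLAINTEXT <ds>  at or below EXPECTED_ROOT but encryption=off
#   OTHERKEY  <ds>  encrypted, but keyed from a different encryption root
#   OUTSIDE   <ds>  unencrypted dataset outside EXPECTED_ROOT (informational)
audit_encryption() {
    awk -F '\t' -v root="$1" '
        { seen[$1] = 1 }
        $2 == "encryption"     { enc[$1] = $3 }
        $2 == "encryptionroot" { eroot[$1] = $3 }
        END {
            for (ds in seen) {
                # "inside" means the expected root itself or any descendant
                inside = (ds == root || index(ds, root "/") == 1)
                if (inside && enc[ds] == "off")       print "PLAINTEXT " ds
                else if (inside && eroot[ds] != root) print "OTHERKEY " ds
                else if (!inside && enc[ds] == "off") print "OUTSIDE " ds
            }
        }' | LC_ALL=C sort
}

# Constructed sample rows in `zfs get -H -o name,property,value` layout.
# An unencrypted dataset reports encryptionroot as "-".
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        tank                     encryption     off \
        tank                     encryptionroot - \
        tank/secure              encryption     aes-256-ccm \
        tank/secure              encryptionroot tank/secure \
        tank/secure/from_RAID_Z3 encryption     aes-256-ccm \
        tank/secure/from_RAID_Z3 encryptionroot tank/secure \
        tank/secure/plain        encryption     off \
        tank/secure/plain        encryptionroot - \
        tank/secure/rawcopy      encryption     aes-256-gcm \
        tank/secure/rawcopy      encryptionroot tank/secure/rawcopy
}

# Show the findings for the constructed sample
sample_zfs_get | audit_encryption tank/secure
```

With the layout from the thread, the unencrypted root dataset `tank` showing up as OUTSIDE is expected; any PLAINTEXT or OTHERKEY line is the one to investigate.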

