[Maria-discuss] Data At Rest Encryption Overhead
Hello,

I'm working on a plan to roll out MariaDB per table data at rest encryption. Reading through the docs (https://mariadb.com/kb/en/data-at-rest-encryption-overview/), I understand that "Using encryption has an overhead of roughly 3-5%." I'd like to know what this 3-4% refers to. I am assuming this is a penalty related to transactions a second (as the referenced blog post discusses: https://mariadb.com/resources/blog/table-and-tablespace-encryption-on-mariad...).

I am hoping I can access the MariaDB community brain trust to understand the overhead of deploying encryption as related to:

* Disk: what overhead can I plan around for disk space?
* Scale considerations: in my environment I am looking at encrypting around 100,000 smaller tables (spread out over numerous databases). With the tables being encrypted, will they be decrypted and encrypted on demand (as opposed to being "decrypted" on startup)?
* Index query performance: does encryption have an effect on how indexes are utilized that I would need to plan against?

Are there other factors that others consider when deploying data at rest encryption?

Best,
Mike
Hi, Michael!

On May 08, Michael Caplan wrote:
> Hello,
>
> I'm working on a plan to roll out MariaDB per table data at rest encryption. Reading through the docs (https://mariadb.com/kb/en/data-at-rest-encryption-overview/), I understand that "Using encryption has an overhead of roughly 3-5%." I'd like to know what this 3-4% refers to. I am assuming this is a penalty related to transactions a second (as the referenced blog post discusses: https://mariadb.com/resources/blog/table-and-tablespace-encryption-on-mariad...).
>
> I am hoping I can access the MariaDB community brain trust to understand the overhead of deploying encryption as related to:
>
> * Disk: what overhead can I plan around for disk space?

Should be none, basically. Binary logs will have one more event, it's 36 bytes (iirc). So, that's your disk overhead - 36 bytes per binlog file.

> * Scale considerations: in my environment I am looking at encrypting around 100,000 smaller tables (spread out over numerous databases). With the tables being encrypted, will they be decrypted and encrypted on demand (as opposed to being "decrypted" on startup)?

Tables aren't decrypted as a whole; the block of data that the server is reading will be decrypted on read. If you select one row out of a multigigabyte table, only a bit more than that one row will be decrypted.

> * Index query performance: does encryption have an effect on how indexes are utilized that I would need to plan against?

No.

> Are there other factors that others consider when deploying data at rest encryption?

Initial encryption of your 100,000 tables. If you aren't running ALTER TABLE ENCRYPTED=YES per table, then you'll probably enable encryption server-wide and enable background encryption threads, and you'll watch corresponding information schema tables to know when all your tables are encrypted. You can use the server normally meanwhile.

Key management. Where you'll store them, how you'll protect them, how the server will get them, etc.

Regards,
Sergei
VP of MariaDB Server Engineering
and security@mariadb.org
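
The server-wide rollout described in the reply above, as an added example that is not part of the original thread: it assumes a key management plugin is already loaded and a MariaDB version whose `information_schema.INNODB_TABLESPACES_ENCRYPTION` view has the `ROTATING_OR_FLUSHING` column. The thread count of 4 is a constructed value.

```sql
-- Added example, not from the thread. Assumes a key management plugin
-- (for example file_key_management) is already configured; without keys
-- the background threads have nothing to encrypt with.

-- 1. Enable encryption server-wide and start background encryption threads.
--    Both variables are dynamic, so no restart is needed to begin.
SET GLOBAL innodb_encrypt_tables     = ON;
SET GLOBAL innodb_encryption_threads = 4;   -- constructed value, size to spare I/O

-- 2. Progress summary: how many tablespaces are done, pending, or in flight.
SELECT
    COUNT(*)                       AS tablespaces,
    SUM(ENCRYPTION_SCHEME <> 0)    AS encrypted,
    SUM(ENCRYPTION_SCHEME = 0)     AS unencrypted,
    SUM(ROTATING_OR_FLUSHING <> 0) AS in_progress
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION;

-- 3. Worklist: tablespaces that are still unencrypted or still being
--    rewritten. The rollout is complete when this returns no rows.
SELECT NAME,
       ENCRYPTION_SCHEME,
       MIN_KEY_VERSION,
       CURRENT_KEY_VERSION,
       KEY_ROTATION_PAGE_NUMBER,
       KEY_ROTATION_MAX_PAGE_NUMBER
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE ENCRYPTION_SCHEME = 0
   OR ROTATING_OR_FLUSHING <> 0
ORDER BY NAME;

-- 4. Tables carrying an explicit per-table ENCRYPTED option. A table created
--    with ENCRYPTED=NO is skipped by the background threads, so review these
--    separately before declaring the rollout finished.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM information_schema.TABLES
WHERE ENGINE = 'InnoDB'
  AND CREATE_OPTIONS LIKE '%ENCRYPTED%'
ORDER BY TABLE_SCHEMA, TABLE_NAME;
```

With around 100,000 tables, run the summary query on a schedule and keep the worklist query for the tail end, when only a few tablespaces remain.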
Participants (2): Michael Caplan, Sergei Golubchik