maria-discuss team mailing list archive

Thread
Date

Re: Data At Rest Encryption Overhead

To: Michael Caplan <michael@xxxxxxxxxxx>
From: Sergei Golubchik <serg@xxxxxxxxxxx>
Date: Sat, 9 May 2020 12:25:20 +0200
Cc: Maria Discuss <maria-discuss@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <bcce1fc3-11ec-621c-6287-1579cbf8ffe0@mompopmedia.com>

Hi, Michael!

On May 08, Michael Caplan wrote:
> Hello,
> 
> I'm working on a plan to roll out MariaDB per table data at rest 
> encryption.  Reading through the docs 
> (https://mariadb.com/kb/en/data-at-rest-encryption-overview/), I 
> understand that "Using encryption has an overhead of roughly 3-5%." I'd 
> like to know what this 3-4% refers to.  I am assuming this is a penalty 
> related to transactions a second (as the referenced blog post discusses: 
> https://mariadb.com/resources/blog/table-and-tablespace-encryption-on-mariadb-10-1/).
> 
> I am hoping I can access the MariaDB community brain trust to understand 
> the overhead of deploying encryption as related to:
> 
> * Disk:  what overhead can I plan around for disk space?

Should be none, basically.
Binary logs will have one more event, it's 36 bytes (iirc).
So, that's your disk overhead  - 36 bytes per binlog file.

> * Scale considerations:  in my environment I am looking at encrypting 
> around 100,000 smaller tables (spread out over numerous databases).  
> With the tables being encrypted, will they be decrypted and encrypted on 
> demand (as opposed to being "decrypted" on startup)?

tables aren't decrtypted as a whole, the block of data that the server
is reading will be decrypted on read. if you select one row out of
multigigabyte table, only a bit more than that one row will be decrypted.

> * Index query performance: does encryption have an effect on how 
> indexes are utilized that I would need to plan against?

No

> Are there other factors that others consider when deploying data at
> rest encryption?

Initial encryption of your 100,000 tables. If you aren't running ALTER
TABLE ECNRYPTED=YES per table, then you'll probably enable encryption
server-wide and enable background encryption threads, and you'll watch
corresponding information schema tables to know when all your tables are
encrypted. You can use the server normally meanwhile.

Key management. Where you'll store them, how you'll protect them, how
the server will get them, etc.

Regards,
Sergei
VP of MariaDB Server Engineering
and security@xxxxxxxxxxx

References

Data At Rest Encryption Overhead
From: Michael Caplan, 2020-05-08