maria-discuss team mailing list archive

Re: Data At Rest Encryption Overhead


Hi, Michael!

On May 08, Michael Caplan wrote:
> Hello,
> I'm working on a plan to roll out MariaDB per table data at rest 
> encryption.  Reading through the docs 
> (https://mariadb.com/kb/en/data-at-rest-encryption-overview/), I 
> understand that "Using encryption has an overhead of roughly 3-5%." I'd 
> like to know what this 3-4% refers to.  I am assuming this is a penalty 
> related to transactions a second (as the referenced blog post discusses: 
> https://mariadb.com/resources/blog/table-and-tablespace-encryption-on-mariadb-10-1/).
> I am hoping I can access the MariaDB community brain trust to understand 
> the overhead of deploying encryption as related to:
> * Disk:  what overhead can I plan around for disk space?

Should be none, basically.
Binary logs will have one more event, it's 36 bytes (iirc).
So, that's your disk overhead - 36 bytes per binlog file.

> * Scale considerations:  in my environment I am looking at encrypting 
> around 100,000 smaller tables (spread out over numerous databases).  
> With the tables being encrypted, will they be decrypted and encrypted on 
> demand (as opposed to being "decrypted" on startup)?

Tables aren't decrypted as a whole, the block of data that the server
is reading will be decrypted on read. If you select one row out of a
multigigabyte table, only a bit more than that one row will be decrypted.

> * Index query performance: does encryption have an effect on how 
> indexes are utilized that I would need to plan against?


> Are there other factors that others consider when deploying data at
> rest encryption?

Initial encryption of your 100,000 tables. If you aren't running ALTER
TABLE ENCRYPTED=YES per table, then you'll probably enable encryption
server-wide and enable background encryption threads, and you'll watch
corresponding information schema tables to know when all your tables are
encrypted. You can use the server normally meanwhile.

Key management. Where you'll store them, how you'll protect them, how
the server will get them, etc.

VP of MariaDB Server Engineering
and security@xxxxxxxxxxx
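
The server-wide rollout described in the reply above, as an added example that is not part of the original message: enable background encryption, then poll information_schema for progress. It assumes a key management plugin is already loaded and file-per-table tablespaces; the thread count is an illustrative value.

```sql
-- Added example, not from the original thread.
-- Assumption: a key management plugin is already loaded and holds the key.

-- Encrypt all InnoDB tables that do not explicitly opt out, and start
-- background threads to do the work (4 is an illustrative value).
SET GLOBAL innodb_encrypt_tables = ON;
SET GLOBAL innodb_encryption_threads = 4;

-- Progress summary. The LEFT JOIN counts a tablespace that has no row in
-- INNODB_TABLESPACES_ENCRYPTION as "not encrypted" instead of omitting it.
--   ENCRYPTION_SCHEME = 0      : tablespace is not encrypted
--   ROTATING_OR_FLUSHING <> 0  : a background thread is working on it
SELECT
    COUNT(*) AS tablespaces_total,
    SUM(COALESCE(e.ENCRYPTION_SCHEME, 0) <> 0
        AND COALESCE(e.ROTATING_OR_FLUSHING, 0) = 0) AS encrypted_done,
    SUM(COALESCE(e.ROTATING_OR_FLUSHING, 0) <> 0)    AS in_progress,
    SUM(COALESCE(e.ENCRYPTION_SCHEME, 0) = 0
        AND COALESCE(e.ROTATING_OR_FLUSHING, 0) = 0) AS not_encrypted
FROM information_schema.INNODB_SYS_TABLESPACES AS t
LEFT JOIN information_schema.INNODB_TABLESPACES_ENCRYPTION AS e
       ON e.SPACE = t.SPACE;

-- The tablespaces still pending, with page-level progress where available.
-- With ~100,000 tables, page through this list rather than dumping it all.
SELECT
    t.NAME,
    COALESCE(e.ENCRYPTION_SCHEME, 0) AS encryption_scheme,
    e.ROTATING_OR_FLUSHING,
    e.KEY_ROTATION_PAGE_NUMBER,
    e.KEY_ROTATION_MAX_PAGE_NUMBER
FROM information_schema.INNODB_SYS_TABLESPACES AS t
LEFT JOIN information_schema.INNODB_TABLESPACES_ENCRYPTION AS e
       ON e.SPACE = t.SPACE
WHERE COALESCE(e.ENCRYPTION_SCHEME, 0) = 0
   OR COALESCE(e.ROTATING_OR_FLUSHING, 0) <> 0
ORDER BY t.NAME
LIMIT 50;
```

The rollout is complete when not_encrypted and in_progress both reach 0, apart from any tables created with ENCRYPTED=NO.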