Getting a Free Lunch with Encryption



As people rely more and more on digital communication and services, cyber security has become a critical consideration for individual users and businesses alike. There are many data encryption solutions out there, but not all are optimized for performance and resource management.  KIOXIA has a new paper focused on the dramatic performance improvements and CPU utilization reductions that can be realized when using KIOXIA Self-Encrypting Drives (SED) compared to software encryption. Testing of KIOXIA SED SSDs against software encryption solutions has demonstrated that KIOXIA SED SSDs are clearly the superior data encryption solution, based on performance and CPU utilization.

Data encryption, or the secure scrambling of user data so that it is unreadable to unauthorized parties, is available to us in almost every part of our digital lives – from application-based implementations, such as the many widely available secure messaging applications or secure web transport protocols, to full traffic encryption through a VPN service. These types of encryption protect data in flight from being accessed by third parties – between a personal device (smartphone, laptop, etc.) and the destination server (website, email, or application back-end server). To ensure end-to-end data security for the most sensitive user data, encryption needs to be deployed on the destination servers as well.

Encryption of user data at rest that resides on a server has always been a trade-off between performance expectation and infrastructure cost. Encryption of data at rest means that every single LBA, every sector of user data, must be encrypted when it is written to the physical media and actively decrypted by the system when it must be read or modified, taking up valuable system compute and memory resources. There are many proprietary and open source software solutions available to encrypt data at rest, and although each implementation has specific differences, at a high level they all function similarly – the software acts as an additional layer between the user and the hardware, and all encrypted I/O is funneled through it. These solutions actively use the host’s CPU and memory resources to encrypt and decrypt data as it is needed. Solutions like this are widely available and easy to deploy, but create a huge performance bottleneck as data set size and the number of users increase. Simply put, this type of solution does not scale.

“There is no such thing as a free lunch” is something you may have heard in your economics class, and it applies to data encryption as well. If data at rest is encrypted, then in order to access it you will need to read the encrypted data, read the encryption key, decrypt the data, and make it available to the user, then repeat this process in reverse to write the data to your physical media. This all takes a significant number of compute cycles – there are no two ways about it.

The KIOXIA solution to this problem is to offer integrated encryption engines within our SSDs to distribute the compute requirement across each individual storage device and completely offload the burden of data encryption from the host’s resources. Our SSDs that are enabled with SED (Self-Encrypting Drive) technology feature a highly specialized encryption engine that automatically encrypts and decrypts data to the highest current security cipher standard, AES-256-XTS, with virtually no impact on I/O performance or host resources. In this model, the host system need only be concerned with the secure authentication between the SSD and the host itself – this is managed through the robust TCG-Opal v2.01 feature-set. This deployment model allows the compute requirements of encryption to be spread across many devices connected to a single host – effectively removing all performance penalties associated with data encryption at rest.

In practice, this deployment model for encryption has astonishing performance and resource utilization benefits when compared to software encryption. In our testing¹, performance was improved by up to 490% in read workloads while CPU utilization was reduced by 98% in write workloads. There shouldn’t be a second thought when it comes to managing data encryption of large datasets – KIOXIA SED SSDs are the superior solution.

For more information, please see KIOXIA’s SSD Security and Encryption site, located here: https://americas.kioxia.com/en-us/business/ssd/solution/security.html


1: Based on KIOXIA internal testing.

Availability of security/encryption options may vary by region.

Read and write speed may vary depending on the device used and file size read or written.

*All company names, product names and service names may be trademarks of their respective companies.

Disclaimer
The views and opinions expressed in this blog are those of the author(s) and do not necessarily reflect those of KIOXIA America, Inc.
