We have a SQLA 17.0.04.2100 database that is currently running whole database AES128 encryption, as AES256 encryption was not available in SQLA10 and we did not change this setting to AES256 when upgrading (via mandatory reload) from SQLA10 to SQLA17. Therefore, as the title says, are there any significant performance implications to be aware of if we now reload the database specifying AES256? I assume that the main performance hit for encryption was going from no encryption to AES128 in the first place? Does AES256 have any additional overhead that is likely to noticeably affect performance over AES128?

Please note that we only have very small test databases, so we are unable to test this fully without trying it on an actual customer database that can by many GB in size. Basically, is there anything we should be aware of in advance of approaching a customer to do this?

asked 30 Aug, 14:02

robertwigley's gravatar image

robertwigley
2315819
accept rate: 75%

edited 30 Aug, 14:42

2

I don't know the answer :)
According to different benchmarks AES 256 is not significantly slower than AES 128. I assume SA devs haven't implemented the encryption algorithm, but deligated this task to OpenSSL (or whatever library being used in SA17).
I guess when people turn on the stronger encryption algoritm, they know that there are performance penalties.
Probably for every single disk operation (read/write). If the data in server cache is also encrypted, then the SQL statements should become slower as well.
I'd better tell: if you can identify performance issues, somebody should start analyzing it (read execution plans, for instance). If you want to know how slow will the DB be after the stronger encryption is applied, I would say - it depends.

(31 Aug, 07:23) Vlad
2

Can't tell on AES128 vs. AES256, but here are two hints:

  • This older FAQ with a rule-of-thumb guideline by Sybase, related to SQL Anywhere 10 and AES128 - I guess the according whitepaper is no longer available, at least I could not find it in SAP land...

  • The property "IsAesniAvailable" might tell whether the according encryption is supported by the CPU.

Of course, as Vlad has told, some tests with your data set and usual workload will tell about your situation:)

(31 Aug, 16:16) Volker Barth
Replies hidden
1

I am still wondering, whether SA encrypts its cache, or not.

(01 Sep, 03:50) Vlad
2

I don't know for sure, but note the following statement, taken from the doc topic "Tip: Use the cache to improve performance":

Encrypted databases must have sufficient cache to minimize I/O operations because these operations are more expensive on encrypted databases than on unencrypted databases since encryption and/or decryption must be performed for each operation.

and from "Performance issues when using encryption":

Performance is slower when the database is encrypted. The performance impact depends on how often pages are read from or written to disk, and can be minimized by ensuring that the server is using an adequate cache size.

So I would guess the answer is no.

(02 Sep, 06:16) Volker Barth

Ok, thank you Volker. I appreciate your help.

I was simply thinking about the potential security misses. E.g. if the cache is not encrypted, it is possible to dump the process and read something from it.

(02 Sep, 07:18) Vlad

I'm afraid I have no performance data w.r.t AES256 vs. AES128. We've never done any such testing so I can't answer that question.

However, the question that came up in the comments about the cache being encrypted - cache pages in memory are not encrypted but cache pages written to the temporary file are encrypted.

permanent link

answered 05 Sep, 10:37

Graeme%20Perrow's gravatar image

Graeme Perrow
8.7k374112
accept rate: 51%

So basically disk I/O is encrypted/decrypted, protecting file access, correct?

(05 Sep, 12:48) Volker Barth
Replies hidden

That is correct.

(05 Sep, 13:02) Graeme Perrow
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×248
×91
×34

question asked: 30 Aug, 14:02

question was seen: 141 times

last updated: 05 Sep, 13:02