4 Replies. Latest reply: May 12, 2016 8:55 AM by Nick Dyer

    NimbleOS upgrade with encrypted volumes

    Paul Barrett Newbie

      We are looking to enable encryption and want to use secure boot mode.

      We have a CS220 with dual controllers running 2.3.14.0.

       

      I've read around a bit...

      Nimble Storage InfoSight

      Nimble OS 2.3 – Implementing SmartSecure Encryption at Rest

      http://www.smartstack.co.uk/wp-content/uploads/2016/03/wp-nimble-storage-smartsecure-encryption.pdf

       

      I understand that if we power off the array we will need to enter the passphrase to bring the encrypted volumes online.

       

      My question is... does the restart of a controller during a NimbleOS upgrade also require the passphrase to be input? My initial thought was no, but couldn't see this documented anywhere.

      If I've missed a document please point me in the right direction.

       

      Thanks in advance

        • Re: NimbleOS upgrade with encrypted volumes
          Nick Dyer Pioneer

          Hey Paul,

           

          I don't believe this would be the case, as a firmware upgrade is a live process with controllers rebooting only during their standby process. Because of this, the array is never offline and thus would never require the passphrase to be re-entered to allow the volumes back online - as they never went offline in the first place.

           

          Be wary of the significant performance overhead that could be seen on the CS200 platform. Depending on how hard you're pushing the controllers right now, enabling encryption on volumes could negatively impact CPU performance as there's no AES encryption offload engine built into the CPU.

            • Re: NimbleOS upgrade with encrypted volumes
              Paul Barrett Newbie

              Hi Nick,

               

              Thanks, that makes sense. I think a note in the update software section of the admin guide would have put my mind at ease, maybe if a Nimble employee is reading they could put this forward?

               

              As for the CPU, we are aware of this. We use the arrays for hosting VMs so our plan is to gradually migrate them and monitor the CPU to determine if it will cause us issues.

               

              Thanks again for the response.

              • Re: NimbleOS upgrade with encrypted volumes
                Keith Ritter Newbie

                Nick,

                 

                Would this performance impact only be during the initial encryption and data migration or is it an ongoing operational need for that overhead? Looking at enabling encryption on our CS215s and curious if we should expect a performance hit. Also can you replicate an array with available mode to an array that has secure mode enabled and/or vice versa?

                 

                Thanks!

                  • Re: NimbleOS upgrade with encrypted volumes
                    Nick Dyer Pioneer

                    Hi Keith,

                     

                    The performance overhead of encryption will be for every volume that will have encryption enabled - especially on a CS2xx as it has no offload engine for the process - as every new write IO entering the system will need to use the CPU for key generation, management and encryption of the IO prior to it being compressed.

                     

                    CS2xx systems can see upwards of 30% performance overhead as there's no offload engine on the CPU. If encryption is a requirement for a lot of volumes it may be prudent to look at upgrading the controllers to CS300s, as there's a built-in AES offload engine on those CPUs and you can expect very little overhead.

                     

                    Good question re replicating an array in available mode to an array with secure mode. I believe the answer would be yes, as the data itself is still encrypted but you would need to enter the passphrase for bringing the volumes online on the DR site.