
I've been investigating hardware cryptographic accelerators, and have come up against a dizzying array of possibilities. There are boards that range from $20 to $10,000 - and CPUs that have cryptographic accelerators built in (several VIA chips on the one hand and the IBM zSystem on the other, for example). There are boards specialized for use in firewalls (like Checkpoint) and even full-blown servers designed for offloading cryptographic processing (like the SonicWall SSL R.

Then there are at least two different cryptographic APIs for Linux, the "standard" or "original" and the OpenBSD Cryptographic Framework (OCF).

None of this exactly answers my question - which is something like this: What is the best supported cryptographic accelerator (for disk or file encryption) supported by a standard Ubuntu 10.04.2 LTS Server installation?

This means no patches and no backports.

To add even more complexity, this would be used to encrypt a MySQL database during use. Using MySQL cryptography has been discounted: as I understand it, it complicates the use of indexes and so forth.

Going with encrypting disks is possible, but it would be expensive as there are multiple disks combined in a RAID5 configuration for this purpose.

Can someone help straighten this mess out? I'd be forever grateful...

Mei
  • Have you looked at LVM encryption? It's been supported in the Ubuntu installer since about 2007. – Andrew Feb 25 '11 at 02:22
  • @Andrew: Interesting! Didn't know about that. Does LVM encryption support hardware acceleration? – Mei Feb 25 '11 at 16:23

1 Answer


First of all, I think that you need to figure out where you want to do your crypto - application or database or disk? Once you figure that one out, there are far fewer choices to consider.

There are pros and cons to each and the only one who can figure out which one fits best within your company is you.

Depending on which layer, different people actually become responsible for the crypto - sys-admins, app-devs or db-admins. Performance-wise, a lot depends on how you set things up; even for the db-layer crypto, it may not be as complicated as some people think.

sybreon
  • This is a small environment. I'm both DBA and SA - and there is no official App Administrator either. The goal is to encrypt the database data on disk with as low a performance penalty as possible. – Mei Feb 25 '11 at 16:22
  • I should note that for a large environment, the responsibility for the crypto layer can be quite important. Who becomes responsible and what effect that has on the system as a whole needs to be considered. However, our environment is not one such environment... – Mei Feb 25 '11 at 16:49
  • Not sure but how about this - full disk encryption on a ram-disk storing the MySQL database? That said, VIA PadLock drivers are built-in for Linux and they can be used to accelerate AES - used by default for full-disk LVM encryption. – sybreon Feb 27 '11 at 13:23
  • The system is an enterprise server, so VIA PadLock is out. The system is a Xeon system, so there you go. – Mei Mar 16 '11 at 14:55
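As an added example (not part of the thread above, and not anyone's posted code), here is a small POSIX shell script that performs the check the last two comments are circling around: whether the CPU advertises AES-NI (the `aes` flag, found on newer Xeons) or VIA PadLock (the `ace`/`ace2` flags), and which AES drivers the running kernel has registered in `/proc/crypto`, highest priority first. The kernel crypto API hands dm-crypt (and therefore LVM encryption) the highest-priority registered driver, so the first line of that list is what disk encryption will actually use, with no patches or backports involved. The cpuinfo and `/proc/crypto` samples are constructed inline so the script runs anywhere; the flag names and field layout follow the Linux kernel's output, and the priority numbers in the sample are illustrative.

```shell
#!/bin/sh
# Added example (not from the original thread): report which AES acceleration the
# CPU advertises and which AES implementations the running kernel has registered.
# Flag names ("aes" = Intel AES-NI, "ace"/"ace2" = VIA PadLock) and the
# /proc/crypto field layout follow what the Linux kernel prints.

# Classify a file in /proc/cpuinfo format: prints aesni, padlock, or none.
detect_aes_accel() {
    flags=$(grep '^flags' "$1" | head -n 1 | cut -d: -f2)
    case " $flags " in
        *" aes "*)            echo aesni ;;
        *" ace "*|*" ace2 "*) echo padlock ;;
        *)                    echo none ;;
    esac
}

# List the kernel drivers registered for one algorithm name (e.g. "aes") in a
# file of /proc/crypto format, highest priority first. The crypto API gives
# dm-crypt the highest-priority driver, so the first line is the one used.
list_crypto_drivers() {
    awk -v want="$2" '
        /^name/     { name = $3 }
        /^driver/   { driver = $3 }
        /^priority/ { if (name == want) print $3, driver }
    ' "$1" | sort -rn | awk '{ print $2 }'
}

# --- constructed sample inputs so the script runs offline on any system ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/cpuinfo_xeon" <<'EOF'
processor  : 0
vendor_id  : GenuineIntel
model name : constructed sample Xeon with AES-NI
flags      : fpu vme de pse sse sse2 ssse3 sse4_1 sse4_2 aes lm
EOF

cat > "$SAMPLE_DIR/cpuinfo_via" <<'EOF'
processor  : 0
vendor_id  : CentaurHauls
model name : constructed sample VIA CPU with PadLock
flags      : fpu vme de pse sse sse2 ace ace_en ace2 ace2_en phe pmm
EOF

cat > "$SAMPLE_DIR/cpuinfo_plain" <<'EOF'
processor  : 0
vendor_id  : GenuineIntel
model name : constructed sample CPU without crypto extensions
flags      : fpu vme de pse sse sse2 lm
EOF

# Constructed /proc/crypto excerpt: three AES implementations plus one unrelated
# hash entry, to show that the filter keys on the algorithm name.
cat > "$SAMPLE_DIR/crypto" <<'EOF'
name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
type         : cipher

name         : aes
driver       : aes-aesni
module       : aesni_intel
priority     : 300
type         : cipher

name         : aes
driver       : aes-asm
module       : aes_x86_64
priority     : 200
type         : cipher

name         : sha1
driver       : sha1-generic
module       : kernel
priority     : 0
type         : shash
EOF

echo "sample Xeon  : $(detect_aes_accel "$SAMPLE_DIR/cpuinfo_xeon")"
echo "sample VIA   : $(detect_aes_accel "$SAMPLE_DIR/cpuinfo_via")"
echo "sample plain : $(detect_aes_accel "$SAMPLE_DIR/cpuinfo_plain")"
echo "AES drivers in sample kernel, best first:"
list_crypto_drivers "$SAMPLE_DIR/crypto" aes

# On a live Linux host, point the same functions at the real files.
if [ -r /proc/cpuinfo ] && [ -r /proc/crypto ]; then
    echo "this host    : $(detect_aes_accel /proc/cpuinfo)"
    list_crypto_drivers /proc/crypto aes
fi
```

If the live host prints `aesni` but `aes-aesni` is missing from the driver list, the `aesni_intel` module simply is not loaded yet; loading it is enough for dm-crypt to pick it up, since it registers with a higher priority than `aes-generic`.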