My company is trying to offer an SFTP service for a large number of customers. The serving machine will be on a VM, and tests have shown that, with an increasing number of simultaneous users, the CPU becomes heavily utilized solely by doing the connection encryption.

Is there a known way to tackle this problem? Maybe with something like externalizing the encryption operations to actual hardware.

I'd love to hear your suggestions.

Thank you very much.

PhilippN
  • Use FTPS, which is lighter but does not offer the exact same capabilities. – Kiwy Mar 21 '14 at 15:23
  • What virtualization? Basically I would assume you have an offload problem resulting in the VM doing the cryptographic processing. – TomTom Mar 21 '14 at 15:28
  • We are using VMware vCenter. – PhilippN Mar 21 '14 at 15:30
  • Kiwy: I don’t see why using FTPS (FTP with TLS) would be “lighter.” TLS uses similar mechanisms to encrypt bulk data with well-known ciphers like AES, 3DES, etc., and will have similar performance characteristics (implementation differences aside). – Richard E. Silverman Mar 22 '14 at 22:53
  • Have you tried adjusting the SSH encryption and MAC algorithms for a better security/performance tradeoff? What SSH server are you using? Which algorithms are you currently offering? Which ones are actually being negotiated by the clients? – Richard E. Silverman Mar 22 '14 at 22:54
  • Have you done the same tests without encryption, to rule out a different problem? How are you determining it's the encryption doing it, and not, for example, a slow disk? – devicenull Mar 24 '14 at 00:36

0 Answers