Array Setup and Networking
1745795 Members
3804 Online
108722 Solutions
New Discussion

NimbleOS upgrade with encrypted volumes

 
SOLVED
Go to solution
pbaz31
New Member

NimbleOS upgrade with encrypted volumes

We are looking to enable encryption and want to use secure boot mode.

We have a CS220 with dual controllers running 2.3.14.0.

I've read around a bit...

Nimble Storage InfoSight

Nimble OS 2.3 – Implementing SmartSecure Encryption at Rest

http://www.smartstack.co.uk/wp-content/uploads/2016/03/wp-nimble-storage-smartsecure-encryption.pdf

I understand that if we power off the array we will need to enter the passphrase to bring the encrypted volumes online.

My question is... does the restart of a controller during a NimbleOS upgrade also required the passphrase to be input? My initial thought was no, but couldn't see this documented anywhere.

If I've missed a document please point me in the right direction.

Thanks in advance

4 REPLIES 4
Nick_Dyer
Honored Contributor
Solution

Re: NimbleOS upgrade with encrypted volumes

Hey Paul,

I don't believe this would be the case, as a firmware upgrade is a live process with controllers rebooting only during their standby process. Because of this, the array is never offline and thus would never require the passphrase to re-enter for allowing the volumes back online - as they never went offline in the first place.

Be wary of the significant performance overhead that could be seen on the CS200 platform. Depending on how hard your pushing the controllers right now, enabling encryption on volumes to negatively impact CPU performance as there's no AES encryption offload engine built into the CPU.

Nick Dyer
twitter: @nick_dyer_
pbaz31
New Member

Re: NimbleOS upgrade with encrypted volumes

Hi Nick,

Thanks, that makes sense. I think a note in the update software section of the admin guide would have put my mind at ease, maybe if a Nimble employee if reading they could put this forward?

As for the CPU, we are aware of this. We use the arrays for hosting VMs so our plan is to gradually migrate them and monitor the CPU to determine if it will cause us issues.

Thanks again for the response.

randombuffalo109
New Member

Re: NimbleOS upgrade with encrypted volumes

Nick,

Would this performance impact only be during the initial encryption and data migration or it is an ongoing operational need for that overhead?  Looking at enabling encryption on our CS215's and curious if we should expect a performance hit.  Also can you replicate an array with available mode to an array that has secure mode enabled and/or vice versa?

Thanks!

Nick_Dyer
Honored Contributor

Re: NimbleOS upgrade with encrypted volumes

Hi Keith,

The performance overhead of encryption will be for every volume that will have encryption enabled - especially on a CS2xx as it has no offload engine for the process - as every new write IO entering the system will need to use the CPU for key generation, management and encryption of the IO prior to it being compressed.

CS2xx systems can see upwards of 30% performance overhead as there's no offload engine on the CPU. If encryption is a requirement for a lot of volumes it may be prudent to look at upgrading the controllers to CS300s, as there's a built in AES offload engine on those CPUs and can expect very little overhead.

Good question re replicating an array in available mode to an array with secure mode. I believe the answer would be yes, as the data itself is still encrypted but you would need to enter the passphrase for bringing the volumes online on the DR site.

Nick Dyer
twitter: @nick_dyer_