Software Encryption @ Rest: Enhancing and Simplifying Data Security in Lightbits Storage Clusters

Author: Abel Gordon

To read the full blog post visit www.lightbitslabs.com.

Encryption at rest is crucial for safeguarding data from unauthorized access, ensuring it remains unreadable without the appropriate decryption key, even if a storage device is lost, stolen, or improperly disposed of. Self-encrypting drives (SEDs) provide a hardware-based solution by embedding encryption technology directly into the drive. This approach encrypts data automatically as it is written and decrypts it as it is read, with minimal performance impact. SEDs also support secure, instant data erasure by deleting the encryption key. However, SEDs have limitations, including restricted support across drives, vendors, and capacities, which can complicate procurement and increase lead times. Additionally, managing encryption keys for SEDs introduces operational complexity. Moreover, SEDs run counter to software-defined storage (SDS) concepts: they rely on hardware-based encryption, which can conflict with the flexibility SDS offers.

Software-based encryption at rest, such as solutions using dm-crypt or LUKS on Linux, removes these hardware dependencies, offering compatibility across a wide range of devices and storage configurations. These approaches enable organizations to implement encryption without relying on specific hardware vendors or models. However, dm-crypt and LUKS can introduce performance bottlenecks, particularly for systems with high I/O workloads, as encryption and decryption processes rely heavily on CPU resources. Organizations must carefully evaluate these trade-offs to select the most suitable encryption solution for their specific needs.

Lightbits Performance with Software Encryption @ Rest

As shown in the graphs below, the performance difference between encryption enabled and encryption disabled is minimal. The graphs present normalized results, where 100% represents the performance with encryption disabled. They include measurements for both 4KB and 128KB random block sizes across various read and write mix ratios.


Software encryption at rest represents a significant step forward in data security for Lightbits users. By implementing this feature, you can ensure that your data remains secure, even against physical access attempts, without compromising performance or requiring SEDs.

If you have any questions about enabling software-based encryption for Lightbits clusters, please refer to our documentation or reach out via email or our Slack channel.

Carol Platz, MBA

Accelerating Digital Transformation and Adoption of Cutting-Edge SaaS Solutions #SaaS #TechEvangelist #GenAI #ContentMarketing #DigitalMarketing #GrowthMarketing #RevenueMarketing

1 month ago

Great insights from Lightbits CTO Abel Gordon on enabling better data security through software-based encryption.
