Data Domain: Calculating how long encryption at rest takes to apply
Summary: For when a customer wants to know how long cleaning will take to complete encrypting all pre-existing data on the DD.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Instructions
In few scenarios, customers would like to know the time required to encrypt data present in their system. They are:
encrypt/re-encrypt data will depend on GC cycle speed. We do not have any tool as of now to calculate this information. But this can be calculated by Using following information available in autosupport.
This calculation is an estimate only and it may vary based on the customer environment like age of disks, the locality of containers etc.
Step 1: Get Space used in the system. This will be post compression bytes in the system. Look for the below information from autosupport.
Step 2: Get GC copy phase speed. This will be the number of containers per second during copy forward. Look for the below information.
Step 3: In the above example, the used space is 668 TB and copy forward speed is 516 containers per second.
The number of containers copy forwarded per second is 516*4.5 = 2322 MB/sec.
Step 1: In the case if encryption is already enabled in the system and the customer needs to re-encrypt data associated with a particular key, then look for the following autosupport information and find out which key data they need to re-encrypt. All keys will have information about data associated with the key in "Size post-comp" column. Look for below information "Filesystem Encryption Keys Show" in autosupport. Considering example below and customer is trying to destroy key Id 2 which has 668 TB of data which needs to be re-encrypted.
Step 3:
- At the time of enabling encryption for the first time, customers may want to encrypt previously unencrypted data. That time they need to know time required to encrypt all their existing data.
- If encryption is already enabled in the system and customer marked a key for destroy or compromise then they need to re-encrypt data which is associated with that compromised/destroyed key. During that time, they need to know time required to re-encrypt data which is associated with a key.
encrypt/re-encrypt data will depend on GC cycle speed. We do not have any tool as of now to calculate this information. But this can be calculated by Using following information available in autosupport.
This calculation is an estimate only and it may vary based on the customer environment like age of disks, the locality of containers etc.
GC time calculation when enabling encryption for the first time
Collect the following information from autosupport.Step 1: Get Space used in the system. This will be post compression bytes in the system. Look for the below information from autosupport.
Step 2: Get GC copy phase speed. This will be the number of containers per second during copy forward. Look for the below information.
Step 3: In the above example, the used space is 668 TB and copy forward speed is 516 containers per second.
The number of containers copy forwarded per second is 516*4.5 = 2322 MB/sec.
- In a day it will be 2322 * 24* 3600 = 200,620,800 MB of data will be copy forwarded. To get this value in GB divide it by 1024 and to get this value in TB divide it by 1024 again.
- In this example above, GC can clean around 191 TB (200,620,800 / (1024 * 1024)) in a day.
- If encryption was not enabled in the past, then additional overhead with time is just the time taken to encrypt the data. Generally when encryption is enabled performance hit will be anywhere between 5 - 20%. Considering worst case of 20% hit here, we can say that GC will encrypt around 152 TB (80% of 191 TB) in a day in this example.
- So to encrypt 668 TB it requires around 4 - 5 days. But we add another 20% as a buffer and we can say that GC will need around 5 - 6 days to encrypt 668 TB of data.
GC time calculation to re-encrypt data where encryption is already enabled.
Collect the following information from autosuppot.Step 1: In the case if encryption is already enabled in the system and the customer needs to re-encrypt data associated with a particular key, then look for the following autosupport information and find out which key data they need to re-encrypt. All keys will have information about data associated with the key in "Size post-comp" column. Look for below information "Filesystem Encryption Keys Show" in autosupport. Considering example below and customer is trying to destroy key Id 2 which has 668 TB of data which needs to be re-encrypted.
Filesystem Encryption Keys Show ------------------------------- Active Tier: Key Key State Size Id MUID post-comp --- ---- ------------ ---------- 1 7b3 Deactivated 17.74 TiB 2 cf3 Deactivated 668.83 TiB <============= Customer needs to destroy this key 3 c31 Deactivated 76.50 TiB 4 ee3 Activated-RW 0 --- ---- ------------ ----------Step 2: Get GC copy phase speed. This will be the number of containers per second during copy forward. Look for the below information.
Step 3:
- The number of containers copy forwarded per second is 516*4.5 = 2322 MB/sec. In a day it will be 2322 * 24* 3600 = 200,620,800 MB of data will be copy forwarded. To get this value in GB divide it by 1024 and to get this value in TB divide it by 1024 again.
- In this example above, GC can clean around 191 TB (200,620,800 / (1024 * 1024)) in a day.
- If encryption is already enabled, then cleaning will need to do first decryption and then encryption. So performance hit will be around 40 - 50%. So
- We can say that GC can re-encrypt around 95TB (50% of 191 TB) in a day considering above example.
- So to re-encrypt 668TB we need 7 - 8 days in this case. But we add another 20% buffer and say around 9 - 10 days to re-encrypt 668TB of data
Affected Products
Data DomainArticle Properties
Article Number: 000222238
Article Type: How To
Last Modified: 20 Feb 2024
Version: 1
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.