
Choosing software for disk encryption in Windows 2003/2008

Everything below is only a note about our own experiments. It does not claim to cover the question fully and is posted here only to help anyone with a similar problem, because there are very few results of practical testing of drive-encryption software on a server to be found on the Internet.

I was given the task of encrypting the data on the file server without losing much speed and while keeping all the OS functionality (in particular, Windows Shadow Copies):

OS: Windows 2003 / Windows 2008

Found the following products (either free or not very expensive):


* do not work under Windows 2003/2008


The “correct” solutions, Secret Disk Server NG and ZServer, cost a hefty $4,500-7,000 and include functionality that is unnecessary in this case (red buttons, remote mount, etc.), so they were not considered as real candidates.

Test hardware: 2x Intel Xeon 2.8 GHz, 4 GB RAM, 6x 1 TB Seagate ES2 in RAID-10

The following were measured: maximum read speed from the encrypted disk, number of I/O operations, average access time, and processor load (a load of 25% means one virtual processor is fully loaded).

IOMeter parameters: 256 Outstanding I/Os, 1 Worker, 64K; 100% Read; 0% random

| Software | Algorithm | Read speed (Mb/s) | Number of operations (IO/s) | Average operation time (s) | Processor load (%) | % of maximum | Comment |
|---|---|---|---|---|---|---|---|
| No encryption | none | 365 | 5825 | 43 | 3 | 100 | ideal |
| BestCrypt | AES256 + LRW | 44 | 668 | 400 | 30 | 12 | the whole system slows down, the mouse stutters |
| TrueCrypt | AES256 + XTS | 64 | 1041 | 245 | 30 | 17 | the slowdown is almost unnoticeable, but shadow copies do not work and the mounted disk is not visible in Disk Management |
| BitLocker | AES256 + CBC | 115 | 1800 | 147 | 99 | 31 | slow, but the mouse does not stutter |
| BitLocker | AES128 + CBC | 140 | 2200 | 117 | 99 | 38 | slow, but the mouse does not stutter |
| BitLocker | AES256 | 145 | 2350 | 110 | 99 | 40 | slow, but the mouse does not stutter |
| BitLocker | AES128 | 200 | 3200 | 81 | 99 | 55 | slow, but the mouse does not stutter |

BitLocker was also run with the following IOMeter profile: 256 Outstanding I/Os, 1 Worker, 64K; 75% Read; 50% random. The result was 55 MB/s, ~800 I/Os, which corresponded to the disk performance without encryption, i.e. the limit was the disk subsystem; the processor load was 15-20%.

As a result, I settled on BitLocker because it is a native OS module that effectively uses multiprocessing.

Source: https://habr.com/ru/post/23978/

