Question
Norman W. Freeman · Oct 5

Could Caché database encryption have a noticeable impact on performance?

I would like to know if an encrypted Caché database can run significantly slower than a normal "unencrypted" database, in a way that is noticeable to the end user (e.g. slower response time for most pages, especially the ones that rely on reading/writing to globals).

I searched in the InterSystems knowledge base and couldn't find anything related. I'm looking for possible before/after benchmarks.

Product version: Caché 2018.1

InterSystems has worked hard but encryption is not free. Do you have something like batch processing? You would notice an impact more there than on a 1 second query. I would worry more about key security and recovery. Encryption also has a serious impact on the ability of modern SAN storage to dedup and compress, which could result in higher than expected storage costs.

When data in the global buffer pool is written back to the database, each block is encrypted and stored. When data is retrieved, it is decrypted as it is pulled into the Global Buffer Pool. When data is pulled from the Global Buffer Pool into your process, it remains unencrypted. So there is an implicit cost in encrypting and decrypting the data blocks, but this only happens in that single place of retrieval and storing. I can't remember what the cost is relative to not using encryption, but it is documented. The same applies to data moving between IRIS and a web page and any TCP-based communications.
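A small model of the behaviour described in the answer above, as an added example that is not part of the thread and not InterSystems code: it counts cipher operations to show they occur only when a block crosses between disk and the buffer pool. The `BufferPool` class, the 8 KB block size, LRU eviction and the SHA-256 keystream standing in for the real cipher are all assumptions of this sketch.

```python
import hashlib
from collections import OrderedDict

BLOCK_SIZE = 8192  # assumed block size for this model

def xor_cipher(key: bytes, block_no: int, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 keystream XOR), not AES; it only models per-block work."""
    stream = bytearray()
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block_no.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class BufferPool:
    """Hypothetical LRU pool: plaintext in memory, ciphertext on 'disk'."""
    def __init__(self, key: bytes, capacity: int):
        self.key, self.capacity = key, capacity
        self.disk = {}             # block_no -> ciphertext
        self.pool = OrderedDict()  # block_no -> [plaintext, dirty]
        self.encrypts = self.decrypts = 0

    def _store(self, n, plain):
        self.disk[n] = xor_cipher(self.key, n, plain)
        self.encrypts += 1         # paid only on write-back

    def _load(self, n):
        if n in self.pool:         # hit: no cipher work at all
            self.pool.move_to_end(n)
            return self.pool[n]
        plain = bytes(BLOCK_SIZE)  # new block: nothing to decrypt
        if n in self.disk:
            plain = xor_cipher(self.key, n, self.disk[n])
            self.decrypts += 1     # paid only on a pool miss
        self.pool[n] = [plain, False]
        if len(self.pool) > self.capacity:
            old, (old_plain, dirty) = self.pool.popitem(last=False)
            if dirty:
                self._store(old, old_plain)
        return self.pool[n]

    def read(self, n):
        return self._load(n)[0]

    def write(self, n, data):
        entry = self._load(n)
        entry[0], entry[1] = data, True

    def flush(self):
        for n, entry in self.pool.items():
            if entry[1]:
                self._store(n, entry[0])
                entry[1] = False
```

With a constructed workload, a thousand reads of a block that stays in the pool add nothing to either counter; the counters move only on `flush()`, on eviction of a dirty block, or on a miss that has to fetch from disk.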

Those experienced with encryption systems for databases may have concerns about encryption having dire effects on performance, but, with Caché, these concerns are unfounded. Encryption and decryption have been optimized, and their effects are both deterministic and small for any Caché platform; in fact, there is no added time at all for writing to the database.

Managed Key Encryption: Protecting Data on Disk

InterSystems recommends using its encryption management tools:

  • When built-in hardware instructions are available for encryption-related activities, these activities are considerably faster than when using software-based encryption. The encryption management tools use hardware instructions when they are available.
  • The encryption management tools can use keys stored on a KMIP server.
  • The encryption management tools can run in FIPS mode.

About Encryption Management Operations

High-Performance Encryption for Databases in Financial Services (PDF)