02-23-2010 02:49 PM
First, thanks for having this type of event in Brocade Communities. See my question below...
Why should I implement fabric-based encryption instead of just using host- or appliance-based encryption?
02-24-2010 07:38 PM
Thanks for your feedback - much appreciated.
Let me break down your question into two parts: host-based and appliance-based encryption.
Host-based encryption is implemented using some type of software installed on the host. Any time you implement encryption using software, there will be a performance penalty - usually in the order of 30-50%. This may be acceptable to some degree for tape encryption but generally is more problematic when it impacts applications running on the disk arrays. The other downside with host-based is cost of scaling since you require a separate licence for each host - not so bad if you only have 2-3 hosts you need to encrypt but can become quite expensive with 100+ hosts.
Appliance-based encryption is not a bad solution since it uses hardware encryption and does not have the performance penalty a software-based implementation would have. However, encryption appliances available today are only running with 2 Gbps ports and they have limited encryption capacity - generally in the order of about 10 Gbps for tape (2 X 5 Gbps ports) and 4 Gbps for disk (2 X 2 Gbps ports). Encryption appliances are also designed to do either disk OR tape encryption on any given unit. If you need to encrypt both disk and tape data in your environment then you would require separate appliances.
The Brocade fabric-based encryption solution is a hardware-based encryption solution using 8 Gbps ports (32 ports on the standalone switch and 16 ports on the blade version) with a maximum encryption capability of 96 Gbps for disk encryption and 48 Gbps (with compression) for tape encryption. Since it uses hardware-based encryption, it has virtually no performance impact on applications or the backup window. It is connected transparently into an existing fabric (or can act as a standalone fabric in itself) thanks to frame redirection technology and it can scale to as many hosts or storage devices on any fabric. You only need to buy more encryption switches if you exceed the encryption bandwidth capability of the switch and not because of the number of hosts or storage devices you are encrypting. Furthermore, you can encrypt either disk or tape data using the same Brocade encryption switch and as of FOS 6.4, due at the end of March, you will be able to do disk and tape encryption concurrently on the same unit.
To put things in perspective, if you need a total of 20 Gbps of bandwidth to encrypt your disk data, you would need 5 disk encryption appliances (2 X 2 Gbps ports) whereas you would only require one Brocade encryption switch and have plenty of bandwidth left for future requirements. At that rate, the Brocade encryption solution becomes much more cost-effective over time.
I hope this answers your question OB.
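The sizing comparison in the reply above, as an added worked example that is not part of the original thread: it takes the per-unit throughput figures quoted in the reply (4 Gbps disk / 10 Gbps tape per appliance, 96 Gbps disk / 48 Gbps tape per switch) and counts the units each approach needs for a given disk and tape demand. The rule that appliances are single-purpose and switches scale on bandwidth only comes from the reply; the proportional-sharing model used for the concurrent disk-plus-tape case is an assumption of this example.

```python
import math

# Per-unit encryption throughput in Gbps, as quoted in the reply above.
APPLIANCE_DISK_GBPS = 4    # disk appliance: 2 x 2 Gbps ports
APPLIANCE_TAPE_GBPS = 10   # tape appliance: 2 x 5 Gbps ports
SWITCH_DISK_GBPS = 96      # Brocade encryption switch, disk traffic
SWITCH_TAPE_GBPS = 48      # Brocade encryption switch, tape traffic (with compression)


def units_needed(required_gbps, per_unit_gbps):
    """Smallest whole number of units whose combined capacity covers the demand."""
    if required_gbps <= 0:
        return 0
    return math.ceil(required_gbps / per_unit_gbps)


def appliance_count(disk_gbps, tape_gbps):
    """An appliance encrypts disk OR tape, so each workload is sized on its own."""
    return (units_needed(disk_gbps, APPLIANCE_DISK_GBPS)
            + units_needed(tape_gbps, APPLIANCE_TAPE_GBPS))


def switch_count(disk_gbps, tape_gbps, concurrent=False):
    """Fabric switches are sized on bandwidth only, never on host count.

    concurrent=False: each switch is dedicated to disk or tape (pre-FOS 6.4).
    concurrent=True : one switch carries both; ASSUMPTION (not from the post):
    the two workloads share capacity in proportion to their per-mode limits.
    """
    if concurrent:
        load = disk_gbps / SWITCH_DISK_GBPS + tape_gbps / SWITCH_TAPE_GBPS
        return math.ceil(load) if load > 0 else 0
    return (units_needed(disk_gbps, SWITCH_DISK_GBPS)
            + units_needed(tape_gbps, SWITCH_TAPE_GBPS))


def disk_headroom_gbps(disk_gbps):
    """Unused disk-encryption bandwidth left on the switches that cover the demand."""
    return switch_count(disk_gbps, 0) * SWITCH_DISK_GBPS - disk_gbps


def compare(disk_gbps, tape_gbps, hosts):
    """Unit counts for the three approaches discussed in the reply."""
    return {
        "host_licences": hosts,   # one software licence per host, bandwidth-independent
        "appliances": appliance_count(disk_gbps, tape_gbps),
        "switches": switch_count(disk_gbps, tape_gbps),
        "switches_concurrent": switch_count(disk_gbps, tape_gbps, concurrent=True),
    }


if __name__ == "__main__":
    print(compare(20, 0, 100))   # the 20 Gbps disk case from the reply
```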