Author Topic: Data Encryption CMOD MP and DB2  (Read 5558 times)

Steve Bechtolt

« on: November 25, 2008, 05:17:49 AM »
We have implemented the Vormetric CoreGuard product (recommended by IBM) to encrypt the file systems where CMOD MP cache and DB2 database files reside.  We have seen a dramatic drop in performance while running arsmaint data retention (4-5 times longer to run).

Has anyone else implemented file system level encryption?
If so, did you see similar performance issues and how did you resolve them?
Are there DB2 parameters that can be tuned?
Steve Bechtolt
IBM Certified Solutions Expert - IBM Content Management - OnDemand Multiplatform
ERM as a Service - DXC Technology

CrucialRich

« Reply #1 on: December 13, 2011, 07:05:15 AM »
Hi Steve, did you make any progress with resolving your performance issues with encryption?

Alessandro Perucchi

« Reply #2 on: December 14, 2011, 06:54:48 AM »
Hello

I have no idea how this Vormetric CoreGuard works exactly, never seen the product.

Nevertheless, when you have encryption... then it means it is slow.
You will need CPU and good disks. With quicker disks (striping/SSD/...), the drop in performance shouldn't be an issue, but it will still be there.

Then it also depends on what kind of encryption you are using and the quality of the encryption (128 bits, 4096 bits, ...); all of that will have an impact on performance.
You can also check how much memory your application is using for caching... the more the application can cache its data before writing/reading, the better.

Doesn't help with the initial 2008 question, but maybe that could help a bit...

Sincerely yours,
Alessandro
Alessandro Perucchi


Justin Derrick

« Reply #3 on: December 15, 2011, 08:14:26 AM »
I've played with Vormetric once a very long time ago -- it basically encrypts all files at the I/O level.  So, you go to read a file, Vormetric intercepts that I/O call, and decrypts the data on the fly as it's read into memory.  Same thing happens in reverse -- perform a write, it's intercepted, encrypted, and the scrambled data is written to disk.  Of course, there's a performance penalty for this.

In the case of Steve's original item...  I suspect the performance hit would have been because of the massive number of I/Os that need to happen when doing cache management -- but I'd hope that may have been mitigated in a more recent version of the Vormetric product.

Rich, I think the only way to get an acceptable answer to this question will be to get an evaluation version of Vormetric, and try it out for yourself.

-JD.
IBM CMOD Professional Services: http://TenaciousConsulting.com
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/
FREE IBM CMOD Education & Webinars:  https://CMOD.Training/


ewirtz

« Reply #4 on: December 19, 2011, 02:45:16 AM »
Hi Steve,
I don't have any experience with Vormetric. But I have experience with the development of a PCI-compliant client-server application to decrypt and encrypt card numbers. This application is very quick: about 1000 transactions / second (z/OS, AIX, Windows environment). So I know it's possible to optimize encryption logic.
Regarding CMOD, I think the following would help. The logical structure (regarding CMOD) stays unencrypted (e.g. printer control characters / CR / LF). The data itself will be encrypted. If needed, (part of) the indexes will be encrypted. Doing it like this, arsmaint is not affected because it doesn't know that it works with encrypted data. But you need additional logic implemented in the input, index and preview exits and the frontend. You can use the OpenSSL library or ICSF in z/OS to implement such logic.
This looks very complex. But with a good modular design this challenge can be met.

regards

Egon
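
The structure-preserving approach from the last reply, as an added example that is not part of the thread or of any CMOD exit: each line keeps its first-column control character and its CR/LF in the clear while the payload is encrypted, authenticated and Base64-encoded. It assumes ANSI carriage control in column 1, uses a constructed demo key and sample report, and swaps in an HMAC-SHA256 counter-mode stand-in cipher so it runs on the standard library alone; all function names are hypothetical.

```python
import base64, hashlib, hmac, os

MASTER = bytes(range(32))  # constructed demo key; a real exit would load it from a key store

def _sub(label):  # separate keys for encryption and authentication
    return hmac.new(MASTER, label, hashlib.sha256).digest()

def _xor_stream(nonce, data):
    # Stand-in cipher (HMAC-SHA256 in counter mode) so this runs on the standard
    # library alone; a production exit would call AES-GCM via OpenSSL or ICSF.
    ks, ctr = b"", 0
    while len(ks) < len(data):
        ks += hmac.new(_sub(b"enc"), nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, ks))

def _tag(cc, nonce, ct):  # binds the ciphertext to its clear control character
    return hmac.new(_sub(b"mac"), cc + nonce + ct, hashlib.sha256).digest()[:16]

def _split(line):
    body = line.rstrip(b"\r\n")
    return body[:1], body[1:], line[len(body):]  # control char, payload, CR/LF

def protect_line(line):
    cc, payload, eol = _split(line)
    if not cc:
        return line  # blank line: nothing to encrypt
    nonce = os.urandom(12)
    ct = _xor_stream(nonce, payload)
    # Base64 keeps ciphertext bytes from ever looking like CR, LF or form feed.
    return cc + base64.b64encode(nonce + ct + _tag(cc, nonce, ct)) + eol

def unprotect_line(line):
    cc, blob, eol = _split(line)
    if not cc:
        return line
    raw = base64.b64decode(blob)
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    if not hmac.compare_digest(tag, _tag(cc, nonce, ct)):
        raise ValueError("line modified or wrong key")
    return cc + _xor_stream(nonce, ct) + eol

def protect(report):
    return b"".join(protect_line(l) for l in report.splitlines(keepends=True))
def unprotect(report):
    return b"".join(unprotect_line(l) for l in report.splitlines(keepends=True))

# Constructed sample: ANSI carriage control in column 1, test card number in the data.
REPORT = b"1ACME BANK STATEMENT\r\n Card 4111111111111111\r\n0Total 42.00\r\n"
```

Each protected line grows by the nonce, tag and Base64 expansion, so any fixed record length or index offset has to be sized for the encoded form.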