I work in Intel’s Data Center Group, where I’m responsible for enabling the security technology ecosystem. I’m very excited to provide an update on the new data protection capabilities and the breakthrough data encryption performance found in the new Intel® Xeon® processor E5-2600 v3, which we launched last week. The E5-2600 v3 provides hardware acceleration for the full spectrum of data protection, whether it be establishing a secure connection, supporting more concurrent users, enhancing crypto keys, bulk data encryption, or authentication.
Cryptography is the foundation for data protection, with a crypto system being composed of two elements. First, crypto algorithms e.g. AES, RSA, SHA, etc. These crypto algorithms are usually compute intensive and incur overhead in software-based implementations. This performance penalty prohibits wide encryption adoption. We have built in AES-NI since the Intel Xeon X5600 to accelerate AES algorithm and remove performance overhead. The second element of every crypto system is crypto keys. The keys have to be truly random otherwise the crypto system can be compromised. A software-based random number generator (RNG) can’t generate true random numbers, so it’s insecure. The Intel® Xeon® processor E5-2600 v2 introduced a hardware-based RNG called Secure Key, which can generate highly unpredictable true random numbers to enhance security.
So what’s new with the Intel® Xeon® processor E5-2600 v3? We enhanced AES-NI — the latency of AES instructions has been reduced from eight cycles down to seven. Large integer support with the Intel® Advanced Vector extensions 2 (Intel® AVX) and new ISA extensions benefit crypto algorithms that require large integer operations such as RSA, ECC, etc. We also introduced more efficient bit rotation instructions (e.g. RORX), which benefit secure hash algorithms (SHA) for authentication. With the E5-2600 v3, we are not only accelerating bulk data encryption with AES-NI, but also accelerating other algorithms such as RSA for establishing secure connections and SHA for authentication. See this white paper for details.
So what does this mean to you? We have proved with previous platforms that if you used AES-NI enabled software, the encryption performance penalty is negligible. With the E5-2600 v3, in addition to implementing strong data security without slowing performance, you might find that your applications perform even better with encryption than without.
We have done a proof point with Vormetric and MongoDB to use Vormetric software to encrypt MongoDB. With fully enabled Vormetric software, performance with encryption exceeded performance without encryption from 34% to 378%. See figure below. This counter-intuitive result really debunks the law of physics. The large gains with encryption are due to E5-2600 v3 platform innovations such as enhanced AES-NI, AVX2, wide data-path, and multithreading capabilities along with Vormetric’s optimization of the Linux kernel and additional parallelism. For more information, I recommend this white paper and blog.
We are working with many ISVs to enable Intel Xeon E5 v3 data protection features; below are some additional examples where we have achieved data encryption performance:
- Cloudera: Up to 2.22x faster data encryption over previous generation
- HyTrust disk encryption: Almost no performance overhead
- Yonyou (PRC ERP ISV) cloud: Up to 1.42x faster data in motion encryption vs. previous generation
- Openstack haproxy: Up to 37 percent increase in manageable connection rate
The importance of data encryption is well understood. So if there is no performance overhead for encryption on Intel Xeon processors and you might even have more performance with encryption than without, why are you waiting to implement? If it’s only for the purpose of safe harbor, think about the consequences of having your data stolen.
Be brave and encrypt!