Percona Server for MySQL 8.0 comes with enterprise grade total data encryption features. However, there is always the question of how much overhead – or performance penalty – comes with the data decryption. As we saw in my networking performance post, SSL under high concurrency might be problematic. Is this the case for data decryption?
To measure any overhead, I will start with a simplified read-only workload, where data gets decrypted during read IO.
During query execution, the data in memory is already decrypted so there is no additional processing time. The decryption happens only for blocks that require a read from storage.
For the benchmark I will use the following workload:
sysbench oltp_read_only --mysql-ssl=off --tables=20 --table-size=10000000 --threads=$i --time=300 --report-interval=1 --rand-type=uniform run
The datasize for this workload is about 50GB, so I will use innodb_buffer_pool_size = 5GB to emulate a heavy disk read IO during the benchmark. In the second run, I will use innodb_buffer_pool_size = 60GB so all data is kept in memory and there are NO disk read IO operations.
I will only use table-level encryption at this time (ie: no encryption for binary log, system tablespace, redo- and undo- logs).
The server I am using has AES hardware CPU acceleration. Read more at https://en.wikipedia.org/wiki/AES_instruction_set
Benchmark N1, heavy read IO
|Threads||encrypted storage||no encryption||encryption overhead|
Benchmark N2, data in memory, no read IO
For a high number of threads, there is no measurable difference between encrypted and unencrypted storage. This is because a lot of CPU resources are spent in contention and waits, so the relative time spend in decryption is negligible.
However, we can see some performance penalty for a low number of threads: up to 9% penalty for hardware decryption. When data fully fits into memory, there is no measurable difference between encrypted and unencrypted storage.
So if you have hardware support then you should see little impact when using storage encryption with MySQL. The easiest way to check if you have support for this is to look at CPU flags and search for ‘aes’ string:
> lscpu | grep aes Flags: ... tsc_deadline_timer aes xsave avx f16c ...