Uploaded image for project: 'OpenDJ'
  1. OpenDJ
  2. OPENDJ-7167

Very slow restore times when using AES/GCM to encrypt backups

    Details

    • Type: Bug
    • Status: Dev backlog
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 7.0.0
    • Fix Version/s: None
    • Component/s: backends, security, tools
    • Labels:

      Description

      The new backup procedure encrypts all database files. When using AES/GCM restore can take a long time, as GCM needs to compute the authentication tag before returning the result of decryption, as specified by section 7.2 of specification NIST 800-38D.

      Details:

      The backend is not overly large:

      bkup> ll m1/opendj/db/dsEvaluation/
      total 295120
      drwx------  7 opendj  staff        224 Apr 30 12:02 ./
      drwxr-xr-x  7 opendj  staff        224 Apr 30 11:46 ../
      -rw-r--r--  1 opendj  staff  139719890 Apr 30 12:02 00000000.jdb
      -rw-r--r--  1 opendj  staff       7659 Apr 30 12:02 je.config.csv
      -rw-r--r--  1 opendj  staff      23392 Apr 30 12:02 je.info.0
      -rw-r--r--  1 opendj  staff          0 Apr 30 12:02 je.lck
      -rw-r--r--  1 opendj  staff       6380 Apr 30 12:02 je.stat.csv 

      the backup is reasonably sized too:

      store> ll
      -rw-r--r--  1 opendj  staff  57280705 Apr 30 11:51 00000000.jdb_dj1_dsEvaluation_139718672.gz
      -rw-r--r--  1 opendj  staff      2728 Apr 30 11:51 00000000.jdb_dj1_dsEvaluation_139718672.info
      -rw-r--r--  1 opendj  staff      1535 Apr 30 11:51 dsEvaluation_20200430095126113.idx 

      On the other hand, restore takes 9 minutes:

      bkup> m1/opendj/bin/dsbackup restore --offline -d store -n dsEvaluation
      [30/04/2020:11:52:36 +0200] category=TOOLS seq=0 severity=INFO msg=Starting restore for backend 'dsEvaluation' with backup ID 'dsEvaluation_20200430095126113'
      [30/04/2020:12:01:30 +0200] category=org.opends.server.backup.BackupManager seq=1 severity=INFO msg=Restored file: '00000000.jdb'
      [30/04/2020:12:01:30 +0200] category=TOOLS seq=2 severity=INFO msg=Restore completed for backend 'dsEvaluation' with backup ID 'dsEvaluation_20200430095126113' 

       

      For comparison, the same backup (+/- small changes in db after restart of server) when using the default AES/CBC takes a couple of seconds...

      bkup> m1/opendj/bin/dsbackup restore --offline -d store -n dsEvaluation
      [30/04/2020:11:50:21 +0200] category=TOOLS seq=0 severity=INFO msg=Starting restore for backend 'dsEvaluation' with backup ID 'dsEvaluation_20200430094814342'
      [30/04/2020:11:50:23 +0200] category=org.opends.server.backup.BackupManager seq=1 severity=INFO msg=Restored file: '00000000.jdb'
      [30/04/2020:11:50:23 +0200] category=TOOLS seq=2 severity=INFO msg=Restore completed for backend 'dsEvaluation' with backup ID 'dsEvaluation_20200430094814342' 

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              fabiop Fabio Pistolesi
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated: