SQL 2014 - Encrypted backup overhead

In SQL 2014 there is a new feature in database backups - an encrypted backup.

To encrypt backups you need to create a database master key for the MASTER database and either a certificate (as in example below) or an asymmetric key to use for the backup.

Here is a script to backup the IndexDemo database with an encryption.

USE master;
GO

CREATE MASTER KEY ENCRYPTION BY PASSWORD = '1qaz!QAZ';
GO

IF EXISTS (select * from sys.certificates where name = 'TestBackupCert') DROP CERTIFICATE TestBackupCert;

CREATE CERTIFICATE TestBackupCert WITH SUBJECT = 'Backup Encryption Certificate';
GO

BACKUP DATABASE [IndexDemo] TO DISK = 'IndexDemoDB.bak'
WITH FORMAT, STATS=5
, ENCRYPTION (ALGORITHM = TRIPLE_DES_3KEY, SERVER CERTIFICATE = TestBackupCert);
-- AES_128, AES_192, AES_256, TRIPLE_DES_3KEY
GO

I was wondering how much overhead the encryption algorithms would add and decided to test it on my IndexDemo database which was hosted on a Azure VM (A3 - 4 Cores, 7 GB RAM) with SQL 2014 Enterprise Edition (RTM) and the database files were stored on a disk attached to the VM.

The DB size was 1.75 GB.

For each of the encryption algorithms I ran the backup statement 3 times and averaged the results (the smaller the better).

As you can see backup encryption adds 40-70% to the backup time when AES algorithms are used.

And it's clear that Triple DES is not only an outdated algorithm but also the slowest one.

Comments

Create 3-Node Windows 2012 Multi-subnet Cluster

Environment There are two Data centers connected via a WAN link. Two Windows 2012 Servers (called SQLDEV1 and SQLDEV2) are located in the Primary Data Center (on the IP subnet 192.168.79.0/24) and the third server is placed in the Secondary Data Center with the 192.168.69.0/24 subnet. We’ll be creating a three-node Windows cluster with no shared storage on the multi subnet network with a file share witness at the Primary Data Center. We’ll be using a file share witness to protect from the cluster failure in a situation when the network between the Data Centers is unavailable and one of the servers in the Primary Data Center is also down (or being rebooted). The final state will look like depicted above: - Two Virtual IP’s will be assigned (192.168.76.218 and 192.168.69.134) to the cluster - The servers at the Primary Data Center will have a vote (Vote=1) and the ...

Joining Windows 10 to Azure AD Domain

As of October 2016 to join Windows 10 computers to Azure AD Domain service requires these steps: Create a VNET in the classic portal . The VNET must be placed to a region where Azure AD domain service is available (( https://azure.microsoft.com/en-us/regions/services/ ) In the classic portal go to Directory -> Configure and enable the domain service. And wait for ~ 30 min When completed the IP address will be populated Go back to the VNET configuration and add a DNS server with the IP (10.0.0.4 in this case) Create the "AAD DC Administrator" administrators group (again in Directory -> Group). Members of this group are granted administrative privileges on machines that are domain-joined to the Azure AD Domain Services managed domain. Add to the group your users who are supposed to have the administrative access on a Windows 10 computer go to Settings -> Accounts (this is true for Windows 10 version 1607) then select 'Access...

SQL 2012 AlwaysOn: Synchronous vs. Asynchronous commit. Performance impact

Recently I've had a chance to build a 3-server AlwaysOn environment distributed between the primary and secondary data centers. The configuration looks like this: Primary Data Center Secondary Data Center SQLDEV1 SQLDEV3 SQLDEV2 The availability group was crated with synchronous commit replicas on SQLDEV1 and SQLDEV2 and the replica on SQLDEV3 was configured for asynchronous commit. The link between the data centers was not great and when I pinged SQLDEV3 from SQLDEV1 I got these results Approximate round trip times in milli-seconds: Minimum = 39ms, Maximum = 63ms, Average = 42ms I also created a very simp...

legi, intellexi

Search This Blog