BUILD Need advice for encrypted NAS

Status
Not open for further replies.

taalas

Dabbler
Joined
Mar 26, 2014
Messages
14
Hi,

I am in the process of searching for a NAS solution for a small business. We currently use QNAP appliances, which have worked so far…there is need for a new device now though which needs to be encrypted and the QNAP solutions either don't have the right hardware to do that (no AES-NI, too slow) or are way too expensive for what they offer.

I started reading the FreeNAS forums and this seems to be the perfect solution for us. I am currently searching for some kind of minimal (although sufficient) hardware advice for a system with the following requirements: encrypted file systems, approx. 4x3TB disks, no other tasks except file storage (no transcoding etc.), can produce encrypted backups to another device (duplicity would be excellent)

I saw the Fractal Design Node 304 case, this seems to be very interesting for what we want to do…this would mean a mini-ITX board is needed.

From other threads it seemed that using an

ASRock E3C226D2I with an Intel i3 (for AES-NI)

or an

Avoton C2550

might be a good solution.

Are there other options that would be more suited to the task (also non ITX if better)? What performance impact can I expect for accessing encrypted shares via CIFS (the QNAPs drop by 50-70%, with AES-NI this should be much less, right?). What options do I have for encrypted backups using FreeNAS?

Any help would be greatly appreciated.

Many thanks
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,112
Glad to see you're considering FreeNAS for your small business. Bear in mind that if you have a need for an official support contract (and a neck to choke that isn't your own!) your desired configuration is pretty close to the iXsystems "FreeNAS Mini" server here:
http://www.ixsystems.com/storage/freenas/

But I can certainly applaud rolling your own, so let's get to the questions:

> Are there other options that would be more suited to the task (also non ITX if better)?

Generally you pick ITX because the space constraints demand it. There are some awesome boards in that form factor but if there's nothing specifically driving you there, you can pick a microATX board and probably pay less.

> What performance impact can I expect for accessing encrypted shares via CIFS (the QNAPs drop by 50-70%, with AES-NI this should be much less, right?).

There's a couple users here with an Avoton Atom C2550 or C2750 who are able to saturate a gigabit link from an encrypted RAIDZ volume. See the link:
http://forums.freenas.org/index.php?threads/atom-c2558-a1srm-2558f-freenas-compatibility.17462/

> What options do I have for encrypted backups using FreeNAS?

You can do ZFS replication to another FreeNAS machine (also encrypted) - but if you're talking about spooling off to tape, you'll need to have your backup software (that handles the disk-to-tape portion) do encryption at that point, since ZFS's encryption is transparently applied and won't protect you once the data leaves.

On the hardware side, if you're going to use the Fractal Node 304, I'd suggest filling all six disk trays to begin with, and doing a 6-drive RAID-Z2 configuration. This will give you (assuming 3TB drives) approximately 12TB of usable backup space, with the ability to have any two drives fail without loss of backups.
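
An added example (not part of the post above) of the point about backups: files read from an unlocked encrypted volume are plaintext, so the archive has to be encrypted before it leaves the machine. Here `openssl` stands in for the backup software (duplicity, for instance); the function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example: encrypt a backup archive before it leaves the NAS.
# Volume encryption is transparent once the volume is unlocked, so tar sees
# plaintext; only the openssl stage below protects the copy that is shipped.
# Note: AES-CBC here gives confidentiality only; it does not detect tampering.

# encrypt_backup SRC_DIR OUT_FILE PASSFILE
encrypt_backup() {
    src=$1; out=$2; passfile=$3
    # tar streams the plaintext; openssl derives an AES-256 key from the
    # passphrase file with PBKDF2 and writes only ciphertext to OUT_FILE.
    tar -C "$src" -cf - . |
        openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
            -pass "file:$passfile" -out "$out"
}

# restore_backup ENC_FILE DEST_DIR PASSFILE
restore_backup() {
    enc=$1; dest=$2; passfile=$3
    mkdir -p "$dest"
    # A wrong passphrase yields garbage, which tar rejects (non-zero exit).
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$passfile" -in "$enc" | tar -C "$dest" -xf -
}

# leaks_plaintext FILE MARKER -> exit status 0 if MARKER is readable in FILE
leaks_plaintext() {
    LC_ALL=C grep -q -F -- "$2" "$1"
}
```

Running `leaks_plaintext` against a plain tar of the same directory and against the output of `encrypt_backup` shows the difference between what is stored on the encrypted volume and what a backup target would receive.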
 

indy

Patron
Joined
Dec 28, 2013
Messages
287
You do realize that FreeNAS only supports encryption on a whole-disk basis?
 

taalas

Dabbler
Joined
Mar 26, 2014
Messages
14
Thanks for your quick replies.

Yes, I do realize FreeNAS encryption is on a whole volume basis. I should have been a little clearer with my requirements perhaps. Sorry if my initial post generated some confusion...

What I am trying to achieve in terms of encryption is
- full encryption of the NAS in case of physical theft
- the ability to create encrypted backups of the unencrypted files (if I can run duplicity/duply on the FreeNAS distribution this would be excellent and solve this problem 100%)

That brings me to another question: How is the encryption key supplied to the FreeNAS at boot time? Manual unlocking of the volume at boot time?

@Honeybadger:
I hadn't seen the ixsystems NAS before, but you are right, this is close to what I had in mind. The number of drives is still open for us and largely depends on how complicated growing the array would be. I have to admit that I haven't read up on that enough though, yet. I will try to come up with a hardware list and will post it here. The C2550 looks like a great platform for what we have in mind from the links you provided. What is the general consensus in regards to mini servers like the new Gen8 HP ProLiant MicroServers? Would that be an alternative as well? I haven't looked at the specs yet.
 

taalas

Dabbler
Joined
Mar 26, 2014
Messages
14
Hi,

after doing some more reading I am quite convinced that using FreeNAS would be an excellent choice for us.

As per your suggestion I agree that it makes sense to start with a full RAIDZ2 vdev, I would also switch to a larger case (since small form factor isn't really necessary). The encrypted backups should be easy to achieve with duplicity from a jail (other forum posts suggest that this is already done by some users).

Here is the current hardware list for the encrypted NAS (using hardware AES-NI):

Mainboard:
Supermicro A1SAM-2550F retail (MBD-A1SAM-2550F-O)
Case:
Fractal Design Define R4 Black Pearl (FD-CA-DEF-R4-BL)
Memory:
2 x Kingston ValueRAM DIMM 8GB, DDR3-1600, CL11, ECC (KVR16E11/8)
Power Supply:
Sea Sonic Platinum Series Fanless 400W ATX 2.3 (SS-400FL2)
System:
SanDisk Cruzer Fit 8GB, USB 2.0 (SDCZ33-008G-B35)
Disks:
6 x Western Digital WD Red 3TB, 3.5", SATA 6Gb/s (WD30EFRX)

Would this be a good choice for what is planned? Would it be better to go for the faster Avoton or an i3 instead?

I am also searching for a small UPS, recommendations for this would be very welcome as well.

Many thanks
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,112
I would suggest you get a conventional (with a fan) PSU - while you're not running anything particularly hot or power-hungry in that machine, fanless components are really about prioritizing silence among all else. In this case the additional small amount of airflow would be preferable most likely.

Speed-wise, the C2550 Avoton should be fine if you are just connected via single or even dual GbE.

Personally I use APC UPSes in my home setup, but others may have different suggestions or experiences.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
As for the UPS, the term you used was "small", since you are looking at an encrypted solution and it's for a business, I would buy something with at least 1500VA, larger is better so it can run for a longer period of time without shutting down for minor power outages. Like HoneyBadger, I prefer APC, they have never given me an issue.
 

taalas

Dabbler
Joined
Mar 26, 2014
Messages
14
Hi,

again, very good points, thank you. I replaced the power supply with a 450W Gold fan version. I also added an APC UPS...have used these before myself and was very happy with it, so your recommendations reassured me to pick one again.

This would result in the following parts:

Mainboard:
Supermicro A1SAM-2550F retail (MBD-A1SAM-2550F-O)
Case:
Fractal Design Define R4 Black Pearl (FD-CA-DEF-R4-BL)
Memory:
2 x Kingston ValueRAM DIMM 8GB, DDR3-1600, CL11, ECC (KVR16E11/8)
Power Supply:
Sea Sonic G-Series G-450 450W ATX 2.3 (SSR-450RM)
System:
SanDisk Cruzer Fit 8GB, USB 2.0 (SDCZ33-008G-B35)
Disks:
6 x Western Digital WD Red 3TB, 3.5", SATA 6Gb/s (WD30EFRX)
UPS:
APC Back-UPS Pro 1500VA Schuko, USB (BR1500G-GR)

Am I good to go?
 

indy

Patron
Joined
Dec 28, 2013
Messages
287
HoneyBadger said:
> I would suggest you get a conventional (with a fan) PSU - while you're not running anything particularly hot or power-hungry in that machine, fanless components are really about prioritizing silence among all else. In this case the additional small amount of airflow would be preferable most likely.

I would suggest the opposite ;)
The Seasonic Fanless Series is a great fit for a NAS because of its efficiency, modularity, electrical properties and quality components.
Heat is also not really a concern as long as it's mounted on the bottom and there should be some airflow from the hard disk fans anyway.
The only compromise imo is the high price.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I'm with HoneyBadger. Generally when you buy fanless you are simply buying a PSU that has components that have higher temperature ranges. It says nothing for efficiency, electrical properties, or quality of components. In fact, if my experience has been any indication, capacitors and other components that are rated for a higher temp generally work fine, but they have a much shorter lifespan than standard components that include adequate airflow.

So when HoneyBadger says "fanless components are really about prioritizing silence among all else" I have to agree.
 

indy

Patron
Joined
Dec 28, 2013
Messages
287
Some other thoughts:
- The Define Mini would be adequate as well if you prefer a smaller case
- The Atom CPU might limit you at some point, I would go for an i3 (which could again be upgraded later)
- Did you take a look at the Smart Series from APC? Afaik they have a sine-wave output which should place less stress on subsequent components during extended power-outages.
 

indy

Patron
Joined
Dec 28, 2013
Messages
287
Obviously I am not saying fanless equals quality.
I am saying that the PSU has gotten very positive reviews regarding its quality of components and quality of power output.
 

TheSmoker

Patron
Joined
Sep 19, 2012
Messages
225
indy said:
> Obviously I am not saying fanless equals quality.
> I am saying that the PSU has gotten very positive reviews regarding its quality of components and quality of power output.

I'm with indy here. Having 2 of them without problems for more than 2 years.
 

taalas

Dabbler
Joined
Mar 26, 2014
Messages
14
The Define Mini looks like a good alternative, I might switch to that.

If I were to go for an i3 + mainboard combo, are there any you can recommend?
 

indy

Patron
Joined
Dec 28, 2013
Messages
287
No, but select one yourself and I am sure someone will comment on it :)
 

Shroom

Explorer
Joined
Mar 19, 2014
Messages
66
taalas said:
> The Define Mini looks like a good alternative, I might switch to that.
>
> If I were to go for an i3 + mainboard combo, are there any you can recommend?

If you're sticking to mini-ITX, the ASRock E3C226D2I looks like the best option there is (that I've heard talk of, anyway). The only limit is the 2 DIMMs, which is the main reason I'm considering the SuperMicro octo-core Atom instead. But people have successfully booted FreeNAS with that board as long as USB 3 is disabled.
 

taalas

Dabbler
Joined
Mar 26, 2014
Messages
14
Ok, in order to be able to upgrade later I tried to come up with another build that uses an i3 for now which can be upgraded to a Xeon if needed. Will the dual core i3 be a better/equal performer than the quad core Avoton? Also I used the Kingston tool to choose the right memory (I hope? What's the difference between the Server Premier and "normal"? They seem to cost the same)...it seems that this only comes in 4GB, so I would pick 4. Mini-ITX isn't necessary any more since the Define Mini seems great and supports uATX.

Mainboard:
Supermicro X10SLH-F retail (MBD-X10SLH-F-O)
CPU:
Intel Core i3-4130, 2x 3.40GHz, boxed (BX80646I34130)
Case:
Fractal Design Define Mini (FD-CA-DEF-MINI-BL)
Memory:
4 x Kingston ValueRAM Server Premier DIMM 4GB, DDR3-1600, CL11, ECC (KVR16E11S8/4KF)
Power Supply:
Sea Sonic G-Series G-450 450W ATX 2.3 (SSR-450RM)
System:
SanDisk Cruzer Fit 8GB, USB 2.0 (SDCZ33-008G-B35)
Disks:
6 x Western Digital WD Red 3TB, 3.5", SATA 6Gb/s (WD30EFRX)
UPS:
APC Back-UPS Pro 1500VA Schuko, USB (BR1500G-GR)

I will most likely order tomorrow. Any last second changes I should consider?

Thanks for your help!
 

Shroom

Explorer
Joined
Mar 19, 2014
Messages
66
If you're even considering Avoton/Rangeley, I would say without a doubt you should go for the octo-core. It's only something like $30-40 more and you get twice the cores.

So to compare an i3 to a Rangeley, you will definitely see better single-threaded performance out of the i3, and the best bit is that it leaves you room to upgrade to a Xeon later if you so choose, which is definitely the most redeeming quality of a Haswell/1150 build.

However, based on what I've been reading lately on the Rangeley chips, they seem to be pretty optimal in a FreeNAS environment, and people report transfer speeds easily saturating GbE, possibly even 2 x GbE.

If you're going uATX then you have a lot more choices available to you. I personally find the Rangeley boards very appealing due to the mini-ITX form factor which leaves open possibilities like using the U-NAS NSC-600/800 cases or the Lian Li PC-Q25, both of which are very attractive ITX setups. The problem with ITX setups is that you're usually left with not enough DIMMs for memory, which is why I've been eyeing the SuperMicro Rangeley board lately as it has 4 SODIMM slots (and a max of 64GB).

So to answer your question, the i3 will, in certain situations, outperform the Rangeley octo-core. However, the Rangeley chip will excel in low-power situations and the 8 processing cores will definitely give it some kick that the i3 won't have. But they both support ECC and encryption and +32GB of memory so either choice will suffice, and the i3 leaves you much more room to upgrade. Rangeley is more for a low-profile, small thermal-profile SOHO system, not a full blown server (unless you're running a bunch of them together and virtualizing or something, that would be interesting).

Also, I highly recommend buying 8GB DIMMs rather than 4GB. Anyone here would tell you there's no reason to buy 4GB DIMMs anymore, it just limits you. Just find a good 8GB Kingston stick that supports ECC and is unbuffered (and 1600 rather than 1333 is preferred but not necessary) and grab two, leaving you room to add 2 more later. You'll want the upgrade option, ZFS simply gobbles memory.

Lastly I would suggest a Corsair RM 450 over the SeaSonic but that's just personal preference. For the extra $15 you get fully modular cables, Corsair's excellent 5-year warranty and unmatched support, and a very silent PSU with a quality fan that has a zero-RPM mode.
 

taalas

Dabbler
Joined
Mar 26, 2014
Messages
14
I totally agree that it would make more sense to buy 2 8GB modules, I got a little worried though when I read this thread http://forums.freenas.org/index.php?threads/kingston-4-x-8gb-ram-problem.18449/
Also Kingston only lists the 4GB modules in their compatibility chart. If I understand the problem correctly it will only affect me once I use more than 2 8GB sticks...which could happen in the future.

So I could either:
- try to find the Samsung modules from Supermicro's compatibility list
- find some other 8GB Hynix A DRAM modules to put in the first 2 slots
- use 2 x 8GB Kingston modules and limit the device to 16GB RAM
- use another motherboard

What do you think would be best/most stable?
 