Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

QoS Best Practices

Select and Set Rekey I/O Rate

search

Please Note:

printsuggest an editpdf paneldownload

Select and Set Rekey I/O Rate

You can choose to set the Rekey I/O Rate to control I/O operations from LDT to minimize LDT impact to your production workload. It's assumed that you already know the maximum IOPS on your host system during your production workload. With this information, you can choose a threshold for Rekey I/O Rate and enforce the selected threshold during CipherTrust Transparent Encryption - Live Data Transformation. The work flow is as follows:

  1. Set Rekey I/O Rate threshold using voradmin or in the CipherTrust Manager Console.

  2. QoS retrieves the threshold and starts monitoring and controlling LDT according to the specified threshold and the tolerance factor corresponding to the threshold.

  3. The selected threshold will be in effect within 2 to 4 minutes after entering the threshold.

When Rekey I/O Rate and CPU or IOWAIT thresholds are set, QoS will monitor and control the LDT processing rate based on the Rekey I/O Rate threshold. The CPU threshold will be ignored.

copy link to clipboardSet Rekey I/O Rate Threshold

  1. Set Rekey I/O Rate threshold by using voradmin:

    voradmin ldt ior 10

    You can also set the Rekey I/O Rate for one or more managed hosts using the Quality of Service section in a client profiles. For more information about using this method, see How to Set QoS.

    In the voradmin example above, QoS enforces the threshold of 10MB/sec with the tolerance of +/- 3MB/second. Effectively, LDT attempts to rekey the amount of data in the range of 7MBs/second to 13MB/second.

    On Linux and Windows, you can use voradmin ldt ior to report the current threshold setting without specifying a value for threshold:

    voradmin ldt ior
QoS Rekey I/O rate threshold: 10 MB/sec
QoS Rekey I/O tolerance: 3 MB/sec

  2. Be sure the threshold you enter is appropriate for your production workload. To verify this:

    1. Observe the Rekey I/O Rate for a few minutes using voradmin.

      On Linux, you can do this using:

      voradmin ldt stats
Host level statistics:
File stats: rekeyed=202390, passed=0, created=0, removed=0
Data stats: rekeyed=6.2GB, truncated=0.0MB
QoS: IOR threshold=10MB/sec, tolerance=3MB/sec
current_rekey_rate=2MB/sec, current_iow=0ms
load_factor=50, delay_factor=0, delay_scan=0

      On Windows, you can do this using:

      voradmin ldt monitor
Host Stats:
Total number of Guard Points   = 1
Rekey Status                   = Rekey done (Finished rekey on 1 out of 1 GP's)
Total files to be transformed  = 0
Total files transformed        = 0
Total files in progress        = 0
Total transformation threads   = 0

Current rekey rate             = 0 KB/s
Rekey IO rate threshold        = 1000 MB/s
Rekey IO rate tolerance        = 4 MB/s

    2. Set an appropriate threshold. Do not set the threshold value too high, as QoS might not be able to achieve it because of other resource bottlenecks.

  3. Check the QoS controlling rekey rate.

    QoS will monitor and control LDT utilization using the specified threshold. The following figure shows an example of how QoS monitors and controls LDT utilization. In this example, the threshold is 30 MB/sec. Throughput of LDT was nearly 130 MB/sec. QoS brings it down to within the range of 30 MB/second.

  4. Disable QoS.

    QoS will not monitor and control resources when all the thresholds, CPU, Rekey I/O rate, and IOWAIT are set to 0. When Rekey I/O Rate and IOWAIT are not explicitly set, it is considered to be set to 90 MB/second.

    QoS continues to apply its schedules for suspending LDT operations at certain days and times regardless of what values are set for CPU, Rekey I/O Rate, and IOWAIT thresholds.

copy link to clipboardSummary of QoS Resources

The following table summarizes the available thresholds and the actions of QoS module to enforce the set thresholds:

Scenario QoS Action
Only Rekey I/O Rate threshold is set Monitor and control the LDT processing rate based on Rekey I/O Rate
Rekey I/O Rate and CPU threshold are set Monitor and control the LDT processing rate based on Rekey I/O Rate. CPU threshold is ignored.

On this page