Using TLS accelerator card

nv1

New Member
Jan 25, 2024
Hello all,

My Proxmox servers have a 10G optical link through a switch to the PBS, but it seems the maximum throughput I can achieve is much lower than that because of TLS encryption. Since it's transferred over a secure internal network, can we somehow disable the TLS encryption? If this is not possible, could a TLS accelerator card like Intel QuickAssist be used to improve the encryption performance?
 
No, that is not possible.

PBS does a lot of pre-processing on the client side:

- compression
- optional data encryption
- chunking
- checksum generation (SHA256)

Only speeding up TLS would not help at all.
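The stages listed in the reply above can be timed one by one to see how each compares with the 10G line rate. This is an added example, not part of the thread and not PBS code: zlib stands in for the compressor, the 4 MiB fixed chunk size and the constructed sample data are assumptions, and the optional encryption stage is left out because Python's standard library has no AES.

```python
import hashlib
import os
import time
import zlib

CHUNK_SIZE = 4 * 1024 * 1024   # assumed fixed chunk size for this sketch
LINK_MB_S = 10_000 / 8         # 10 Gbit/s link from the question, in MB/s


def make_sample(n_chunks=8):
    """Constructed input: each chunk is half random bytes, half zeros."""
    half = CHUNK_SIZE // 2
    return b"".join(os.urandom(half) + bytes(half) for _ in range(n_chunks))


def split_chunks(data):
    """Fixed-size chunking (stand-in for the client's chunker)."""
    return [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]


def timed(fn, chunks):
    """Run fn over every chunk and return (seconds, results)."""
    start = time.perf_counter()
    results = [fn(c) for c in chunks]
    return time.perf_counter() - start, results


def stage_report(data):
    """Per-stage and combined single-thread throughput in MB/s."""
    chunks = split_chunks(data)
    mb = len(data) / 1e6
    t_hash, digests = timed(lambda c: hashlib.sha256(c).hexdigest(), chunks)
    t_comp, blobs = timed(lambda c: zlib.compress(c, 1), chunks)
    report = {
        "sha256": mb / t_hash,
        "compress": mb / t_comp,
        # Stages run back to back on each chunk, so their times add up.
        "combined": mb / (t_hash + t_comp),
    }
    return report, digests, blobs


if __name__ == "__main__":
    report, digests, blobs = stage_report(make_sample())
    for stage, rate in report.items():
        verdict = "above" if rate >= LINK_MB_S else "below"
        print(f"{stage:9s} {rate:8.0f} MB/s ({verdict} 10G line rate)")
```

The combined figure is always lower than the slowest single stage, which is why removing one stage's cost does not by itself lift the whole pipeline to line rate.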
 
Thank you.

Theoretically it might be possible to offload compression, encryption, and maybe checksum generation on the client to such a card. 4th generation and newer Intel Xeon Scalable processors also have a built-in QAT feature.
The PVE kernel seems to contain the required modules to offload encryption, but might need additional software support, or recompiling some software components. Compression and some other features also require additional userspace tools.
I tried to search the forum, but the only mention I found was about enabling QAT support in ZFS, which also required the recompilation of the package. Ceph also supports QAT.

Does this work with the included kernel modules out of the box, with some tasks getting offloaded to QAT, or has anybody at least tried it?