PXC Encryption CPU usage

How heavy is the PXC Encryption on the CPU?
Can I safely keep it off to save CPU if all my nodes are on LAN IPs (10.0.0.x) and only ProxySQL is exposed on a public IP?

Hello @xirtam

Are you referring to PXC SSL/TLS encryption between nodes? Or are you talking about table-level encryption? Or are you talking about application SSL/TLS connections?

In all cases, SSL/TLS encryption has extremely little overhead on the CPU since the encryption functions are part of most modern CPU instruction sets.

I’m talking about this step, "Encrypt PXC traffic - Percona XtraDB Cluster", and the difference between pxc-encrypt-cluster-traffic OFF and ON.
As little as it can be, it still causes some overhead/latency, right?
Does it make any sense to enable it in a LAN context? If anyone has access to the node servers where LAN is configured, he already has access to the data folder anyway.
So I’m wondering if I can just keep it off when using local IPs for the nodes.

You won’t notice it. Unless you’re doing 20,000 queries per second, then maybe you might see 5% overhead in CPU.

Not necessarily, as the MySQL data dir should be owned by mysql and not accessible by any other user than root. If you use encrypted tables, then even someone with root cannot read the data files.

There is no other user than root on those boxes. I mean real users. Of course, MySQL has its own user for permissions.

Which level of encryption does the pxc-encrypt-cluster-traffic option enable? I see the name is a little misleading, because it doesn’t act only on traffic?

pxc-encrypt-cluster-traffic only encrypts cluster traffic: the traffic going between nodes as part of the Galera/Paxos communications, and SST/IST. It does not affect client SSL, which is a separate config.
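
The distinction in the last reply, as an added example that is not part of the thread and not Percona's code: a small checker that reads a my.cnf and reports node-to-node encryption separately from client TLS enforcement. The sample configs are constructed, and `require_secure_transport` (the MySQL server variable that forces clients onto TLS) is used here as the assumed "separate config" for client connections.

```python
import re

# Constructed sample my.cnf fragments (not taken from the thread).
LAN_NODE = """
[client]
ssl-mode = REQUIRED

[mysqld]
wsrep_cluster_address = gcomm://10.0.0.1,10.0.0.2,10.0.0.3
pxc-encrypt-cluster-traffic = OFF   # Galera replication, SST and IST in clear text
require_secure_transport = ON       # clients must still use TLS
"""

CLUSTER_TLS_NODE = """
[mysqld]
pxc_encrypt_cluster_traffic = ON
"""

ENABLED = {"on", "1", "true", ""}  # a bare boolean option counts as enabled


def mysqld_options(cnf_text):
    """Collect [mysqld] options; MySQL treats '-' and '_' in option names alike."""
    opts, section = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith((";", "!")):  # skip ; comments and !include
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "mysqld":
            key, _, value = line.partition("=")
            opts[key.strip().lower().replace("-", "_")] = value.strip().lower()
    return opts


def encryption_report(cnf_text):
    """Report the two independent settings: node-to-node vs. client TLS."""
    opts = mysqld_options(cnf_text)

    def state(name):
        if name not in opts:
            return "unset"  # server default applies; it depends on the version
        return "on" if opts[name] in ENABLED else "off"

    return {"cluster_traffic": state("pxc_encrypt_cluster_traffic"),
            "client_tls_required": state("require_secure_transport")}


if __name__ == "__main__":
    for name, cnf in (("LAN_NODE", LAN_NODE), ("CLUSTER_TLS_NODE", CLUSTER_TLS_NODE)):
        print(name, encryption_report(cnf))
```

An "unset" result means the file does not decide the question, so check the running value with `SHOW VARIABLES` on the node.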