Secure HPC: A workflow providing a secure partition on an HPC system

Abstract

Driven by the progress of data and compute-intensive methods in various scientific domains, there is an increasing demand from researchers working with highly sensitive data to have access to the necessary computational resources to be able to adapt those methods in their respective fields. To satisfy the computing needs of those researchers cost-effectively, it is an open quest to integrate reliable security measures on existing High Performance Computing (HPC) clusters. The fundamental problem with securely working with sensitive data is, that HPC systems are shared systems that are typically trimmed for the highest performance—not for high security. For instance, there are commonly no additional virtualization techniques employed, thus, users typically have access to the host operating system. Since new vulnerabilities are being continuously discovered, solely relying on the traditional Unix permissions is not secure enough. In this paper, we discuss Secure HPC, a workflow allowing users to transfer, store and analyze data with the highest privacy requirements. Our contributions are the design of a multi-node secure workflow with parallel I/O, a strict security model enforced by the system and network features, and lastly the demonstration of a medical use case. In our experiments, we see an advantage in the asynchronous execution of IO requests in dm_crypt, while reaching 80% of the ideal performance. When comparing eCryptFS with GoCryptFS as two representative filesystem-level encryption stacks, eCryptFS was twice as fast. In a real use case, we observed on average 97% of the native performance.