Please Note:

AWS XKS Performance Summary

We have tested different environments to capture performance metrics for the CipherTrust Cloud Key Manager (CCKM) AWS External Key Service integration. The performance results provided within this document demonstrate the effects of deployment choices on throughput for AWS HYOK key encrypt operations for one key within one key store. This can help you plan your CipherTrust Manager deployment to meet your performance needs for AWS XKS integration. There is an AWS requirement that encrypt and decrypt requests must be completed within 250 ms. Thus, the results are presented to show the throughput possible before meeting that threshold.

All environments used an open source k6.io tool (https://k6.io/) as the REST client to simulate encrypt requests from AWS KMS. The client ran on a virtual machine with 80 GB system volume, 16 CPUs, and 32 GB of memory. For the deployments using LUNA HSM as a key source, the HSM model of Luna K7 was employed.

Actual performance numbers in your environment may be different. The results can vary based on factors, such as how and where the CipherTrust Manager is deployed, CipherTrust Manager resources, the location of cloud KMS, the key source of your choice, the network connectivity between the CipherTrust Manager, AWS Cloud and your key source, as well as how the traffic is load balanced.

Tested Environments

The following deployments were tested:

Luna Network HSM as a key source on premises:
- Single node of CipherTrust Manager on premises, K6 client on premises, Single node of HSM
- Single node of CipherTrust Manager on premises, K6 client on premises, Two nodes of HSM in HA mode
- Single node of CipherTrust Manager on premises, K6 client on premises, HSM in Export mode and Clone mode
CipherTrust Manager as a key source:
- Single node CipherTrust Manager on premises, K6 client on premises
- Single node of CipherTrust Manager on AWS, K6 client on AWS
- Two clustered CipherTrust Manager nodes on AWS, K6 client on AWS

CipherTrust Managers were deployed as geographically close to the K6 client as possible to avoid potential network latencies, which can occur when crossing geographic regions. In your CCKM deployment, we similarly recommend deploying the virtual CipherTrust Manager instance geographically close to one of the AWS KMS regions where you intend to set up the AWS XKS. We recommend a network latency of round-trip communication of 35 ms or less between AWS KMS and the CipherTrust Manager. Also, if you are using Luna Network HSM as your key source for AWS HYOK, ensure the CipherTrust Manager and the HSM are geographically close and has the lowest possible latency. We recommend a network latency of round-trip communication of 25 ms or less between the CipherTrust Manager and the HSM.

The following graph shows that by increasing the latency between the CipherTrust Manager and the HSM, the performance degrades.

Network Requirements

The following ports were opened to ensure CipherTrust Manager communication:

Used to communicate with CipherTrust Manager:

Type	Protocol	Port Number
SSH	TCP	22
HTTPS	TCP	443
postgresql (for cluster)	TCP	5432

Used for Connection to LUNA HSM:

Type	Protocol	Port Number
Secure Trusted Channel (STC)	TCP	5656
network trust link service (NTLS)	TCP	1792

Test Process

The test consisted of starting a given number of virtual users to perform encrypt operations on the AWS XKS/HYOK key. Each user simulated a separate thread. Total test duration was 40 seconds for each reading. The test was divided into the following increments:

Ramp-up time was 5 seconds. Virtual users were started.
Test duration was 30 seconds for each reading. Virtual users make wrap requests during this time.
Ramp-down time was 5 seconds. Virtual users were stopped until there were zero active virtual users.

LUNA HSM as a Key Source

On Premises

This deployment includes the following:

Single node of CipherTrust Manager on premises
K6 client on premises
Single node of HSM on premises

The client and CipherTrust Manager were running on an ESXI server on premises.

LUNA HSM Details

HSM Details

Description	Value
Firmware	7.3.3
HSM Model	Luna K7
Authentication Method	Password

4 CPUs - 16 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	6417	160.425	38.2
10	7439	185.975	70
20	7739	193.475	149.58
30	8064	201.6	227.8
40	7850	196.25	330.19

8 CPUs - 32 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	8649	216.225	25.83
10	12521	313.025	37.35
20	14662	366.55	69.01
30	15191	379.775	111.25
40	15574	389.35	149.22
50	15995	399.875	189.64
60	16517	412.925	228.34
70	16410	410.25	270.49
80	16372	409.3	319.64

16 CPUs - 32 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	10515	262.875	20.58
10	15567	389.175	29.24
20	23157	578.925	41.52
30	25030	625.75	58.76
40	27160	679	80.08
50	27867	696.675	101.87
60	29153	728.825	120.48
70	31218	780.45	131.51
80	31819	795.475	151.7
90	31236	780.9	177.71
100	31362	784.05	197.13
120	32079	801.975	239.94
140	34299	857.475	269.27
160	33154	828.85	319.57
180	34108	852.7	352.62

32 CPUs - 64 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	8850	221.25	29
10	17470	436.75	25.49
20	24574	614.35	37.12
30	28185	704.625	52.71
40	29295	732.375	70.91
50	31083	777.075	87.58
60	31544	788.6	106.76
70	33995	849.875	115.62
80	34541	863.525	132.86
90	34809	870.225	154.5
100	36284	907.1	164.85
1820	38269	956.725	191.15
140	37585	939.625	235.08
160	38562	964.05	261.26
180	41302	1032.55	276.91
200	38662	966.55	338.28

Observations

Response time compliance of 250 ms was met for maximum throughput of 201.6 per second with CipherTrust Manager instance 4-CPU, 16GB RAM
Response time compliance of 250 ms was met for maximum throughput of 412.925 per second with CipherTrust Manager instance 8-CPU, 32GB RAM
Response time compliance of 250 ms was met for maximum throughput of 801.975 per second with CipherTrust Manager instance 16-CPU, 32GB RAM
Response time compliance of 250 ms was met for maximum throughput of 939.625 per second with CipherTrust Manager instance 32-CPU, 64GB RAM

On Premises: HSM in HA Mode

This deployment includes the following:

Single node of CipherTrust Manager on premises
K6 client on premises
Two nodes of HSM (in HA mode) on premises

The client and CipherTrust Manager were running on an ESXI server on premises.

4 CPUs - 16 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	4717	117.925	53.8
10	7027	175.675	73.43
20	7770	194.25	146.09
30	7889	197.225	229.23
40	8061	201.525	309.91
50	7994	199.85	402.11

8 CPUs - 32 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	7120	178	32.81
10	11814	295.35	40.29
20	14557	363.925	69.57
30	15326	383.15	109.29
40	15571	389.275	150.45
50	15881	397.025	193.6
60	15949	398.725	237.86
70	16390	409.75	275.83
80	16784	419.6	310.83

16 CPUs - 32 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	8331	208.275	32.07
10	14113	352.825	38.62
20	21387	534.675	47.64
30	25447	636.175	60.41
40	26807	670.175	80.62
50	27384	684.6	103.42
60	29015	725.375	120.79
70	29526	738.15	140.61
80	29720	743	163.5
90	30491	762.275	184.32
100	33468	836.7	185.99
120	32335	808.375	236.31
140	33262	831.55	272.81
160	34228	855.7	306.12

32 CPUs - 64 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	11447	286.175	18.51
10	17737	443.425	25.25
20	25487	637.175	37.36
30	28283	707.075	52.92
40	30154	753.85	68.63
50	31038	775.95	86.95
60	32136	803.4	104.09
70	32707	817.675	122.54
80	33368	834.2	138.19
90	34698	867.45	153.94
100	34974	874.35	170.31
120	35335	883.375	209.76
140	37249	931.225	233.61
160	39185	979.625	257.74
180	40636	1015.9	282.5
200	40225	1005.625	321.77

Observations

Response time compliance of 250 ms was met for maximum throughput of 197.225 per second with CipherTrust Manager instance 4-CPU, 16GB RAM
Response time compliance of 250 ms was met for maximum throughput of 398.725 per second with CipherTrust Manager instance 8-CPU, 32GB RAM
Response time compliance of 250 ms was met for maximum throughput of 808.375 per second with CipherTrust Manager instance 16-CPU, 32GB RAM
Response time compliance of 250 ms was met for maximum throughput of 979.625 per second with CipherTrust Manager instance 32-CPU, 64GB RAM

On Premises: HSM Partition in Export and Clone Mode

This deployment includes the following:

Single node of CipherTrust Manager on premises
K6 client on premises
Single node of HSM (in Export mode and Clone mode) on premises

The client and CipherTrust Manager were running on an ESXI server on premises.

The same test was run on an HSM partition in Export mode and in Clone mode.

16 CPUs - 32 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	11626	290.65	18.7
10	17207	430.175	26.65
20	23629	590.725	40.64
30	26649	666.225	56.69
40	28244	706.1	75.9
50	30268	756.7	91.25
60	29977	749.425	115.54
70	31210	780.25	132.04
80	30973	774.325	156.8
90	32168	804.2	172.54
100	32093	802.325	194.87
120	32810	820.25	232.88
140	33404	835.1	272.62
160	33936	848.4	311.64
180	34352	858.8	346.99

Observations

Response time compliance of 250 ms was met for maximum throughput of 820.25 per second with CipherTrust Manager instance 16-CPU, 32GB RAM
Changing the partition mode between Export and Clone does not affect the performance results

On Premises: HSM in STC Mode

This deployment includes the following:

Single node of CipherTrust Manager on premises
K6 client on premises
Single node of HSM (in STC mode) on premises

The client and CipherTrust Manager were running on an ESXI server on premises.

LUNA HSM Details

HSM Details

Description	Value
Firmware	7.7.1
HSM Model	Luna K7
Authentication Method	Password

16 CPUs - 32 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	10599	264.975	21.14
10	16368	409.2	26.43
20	23533	588.325	43.03
30	27183	679.575	53.06
40	30416	760.4	66.19
50	30069	751.725	101.49
60	30884	772.1	108.08
70	32613	815.325	123.71
80	33007	825.175	142.4
90	33877	846.925	161.19
100	34065	851.625	180.97
120	35043	876.075	216.67
140	35988	899.7	252.51
160	35878	896.95	293.16
180	36052	901.3	337.21

Observations

Response time compliance of 250 ms was met for maximum throughput of 899.7 per second with CipherTrust Manager instance 16-CPU, 32GB RAM
The HSM connection modes of NTLS and STC do not have a significant affect on the performance

CipherTrust Manager as a Key Source

On Premises

This deployment includes the following:

Single node of CipherTrust Manager on premises
K6 client on premises

The client and CipherTrust Manager were running on an ESXI server on premises.

4 CPUs - 16 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	8510	212.75	29.03
10	10133	253.325	52.61
20	11152	278.8	106.15
30	11394	284.85	169.52
40	10860	271.5	244.49
50	11451	286.275	302.89
60	11063	276.575	383.66

8 CPUs - 32 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	11798	294.95	19.45
10	17161	429.025	27.79
20	20268	506.7	51.13
30	21386	534.65	82.13
40	21969	549.225	113.14
50	22379	559.475	144.25
60	23037	575.925	175.97
70	22801	570.025	211.29
80	23142	578.55	241.78
90	23061	576.525	274.22
100	23457	586.425	306.06
120	23635	590.875	372.63

16 CPUs - 32 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	11391	284.775	19.06
10	23371	584.275	19.77
20	30927	773.175	32.26
30	34358	858.95	44.6
40	36294	907.35	60.16
50	37700	942.5	76.02
60	39599	989.975	90.09
70	38926	973.15	110.56
80	39171	979.275	126.28
90	41262	1031.55	143.05
100	41297	1032.425	158.09
120	41551	1038.775	198.72
140	43151	1078.775	227.83
160	43624	1090.6	263.1
180	44129	1103.225	304.2
200	44702	1117.55	332.17

Observations

Response time compliance of 250 ms was met for maximum throughput of 271.5 per second with CipherTrust Manager instance 4-CPU, 16GB RAM
Response time compliance of 250 ms was met for maximum throughput of 578.55 per second with CipherTrust Manager instance 8-CPU, 32GB RAM
Response time compliance of 250 ms was met for maximum throughput of 1078.775 per second with CipherTrust Manager instance 16-CPU, 32GB RAM
A higher performance was achieved when using CipherTrust Manager as key source than when using Luna HSM as a key source

Cloud Setup - Single Instance

This deployment includes a single node of CipherTrust Manager on AWS. Both the client and CipherTrust Manager were located within the US-east-1 AWS region.

4 CPUs - 16 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	7412	185.3	32.79
10	8564	214.1	59.86
20	9018	225.45	122.48
30	9510	237.75	185
40	9244	231.1	260.8
50	9524	238.1	322.38
60	9684	242.1	392.73
70	9557	238.925	468.32

8 CPUs - 32 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	12481	312.025	17.58
10	15702	392.55	29.56
20	18556	463.9	55.02
30	19545	488.625	83.04
40	19984	499.6	113.95
50	20106	502.65	149.06
60	20663	516.575	180.41
70	20103	502.575	219.07
80	20987	524.675	252.1
90	21099	527.475	281.43
100	21173	529.325	317.68
120	21393	534.825	391.56

16 CPUs - 32 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	15686	392.15	13.36
10	24273	606.825	17.84
20	30902	772.55	29.54
30	32702	817.55	43.63
40	34677	866.925	60
50	34974	874.35	79.16
60	36647	916.175	94.96
70	38011	950.275	107.72
80	35837	895.925	132.45
90	35405	885.125	146.82
100	36002	900.05	165.35
120	35361	884.025	206.5
140	39063	976.575	233.96
160	39408		985.2
180	39184	979.6	318.8
200	38916	972.9	347.38

32 CPUs - 64 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	17306	432.65	11.83
10	28453	711.325	14.53
20	38729	968.225	22.97
30	42225	1055.625	32.22
40	51005	1275.125	39.41
50	51377	1284.425	49.39
60	52529	1313.225	61.11
70	51125	1278.125	72.39
80	51579	1289.475	86.62
90	54137	1353.425	93.75
100	55027	1375.675	104.44
120	54448	1361.2	129.75
140	55070	1376.75	152.41
160	52307	1307.675	180.67
180	54636	1365.9	204.4
200	44447	1111.175	285.16
220	57374	1434.35	250.38
240	59045	1476.125	274.32
260	58714	1467.85	307.63
280	59894	1497.35	332.61

Observations

Response time compliance of 250 ms was met for maximum throughput of 231.1 per second with CipherTrust Manager instance 4-CPU, 16GB RAM
Response time compliance of 250 ms was met for maximum throughput of 524.675 per second with CipherTrust Manager instance 8-CPU, 32GB RAM
Response time compliance of 250 ms was met for maximum throughput of 976.575 per second with CipherTrust Manager instance 16-CPU, 32GB RAM
Response time compliance of 250 ms was met for maximum throughput of 1365.9 per second with CipherTrust Manager instance 32-CPU, 64GB RAM

Cloud Setup - Load Balancer

This deployment includes two clustered CipherTrust Manager nodes on AWS and a load balancer. Both the client and CipherTrust Manager were located within the US-east-1 AWS region.

4 CPUs - 16 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	10081	252.025	24.15
10	14260	356.5	33.86
20	15435	385.875	86.28
30	16966	424.15	103.89
40	17491	437.275	130.42
50	17855	446.375	163.93
60	17895	447.375	195.9
70	17806	445.15	244.63
80	18268	456.7	260.42
90	17918	447.95	304.45
100	18112	452.8	337.82
120	18144	453.6	413.05

8 CPUs - 32 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	13457	336.425	16.03
10	21938	548.45	21.56
20	27638	690.95	40.91
30	32318	807.95	46.13
40	34758	868.95	57.83
50	35890	897.25	78.44
60	36666	916.65	88.03
70	37719	942.975	101.69
80	37940	948.5	118.99
90	38338	958.45	134.58
100	38435	960.875	154.33
120	36956	923.9	194.45
140	38131	953.275	229.37
160	38592	964.8	263.27
180	39510	987.75	297.57
200	39571	989.275	334.09
220	40530	1013.25	363.02

16 CPUs - 32 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	14709	367.725	12.75
10	26304	657.6	14.62
20	42689	1067.225	21.53
30	51823	1295.575	26.77
40	55646	1391.15	34.3
50	60475	1511.875	38.64
60	60898	1522.45	48.04
70	64793	1619.825	56.89
80	65893	1647.325	61.39
90	66369	1659.225	71.48
100	66631	1665.775	83.73
120	69175	1729.375	99.65
140	71426	1785.65	113.87
160	71782	1794.55	135.1
180	72782	1819.55	153.48
200	73658	1841.45	168.49
220	76260	1906.5	186.69
240	73950	1848.75	209.86
260	66287	1657.175	241.72
280	76840	1921	239.81
300	76351	1908.775	261.08
320	78116	1952.9	276.64
340	76553	1913.825	297.67
360	79986	1999.65	308.26

32 CPUs - 64 GB RAM

Number of Virtual Users	Total Operations	Throughput (Operations/Sec)	90% Time
5	18754	468.85	10.87
10	33671	841.775	12.39
20	54332	1358.3	16.03
30	68193	1704.825	21.44
40	79129	1978.225	23.85
50	86548	2163.7	26.98
60	84338	2108.45	42.98
70	97056	2426.4	36.09
80	99822	2495.55	40.38
90	101842	2546.05	48.61
100	103843	2596.075	51.82
120	104963	2624.075	61.16
140	110959	2773.975	70.12
160	112717	2817.925	80.68
180	113767	2844.175	92.96
200	114289	2857.225	103.67
220	112580	2814.5	118.61
240	115057	2876.425	131.81
260	114213	2855.325	141.83
280	107781	2694.525	165.64
300	115342	2883.55	167.38
320	114820	2870.5	176.93
340	117586	2939.65	190.51
360	117645	2941.125	203.35
380	117415	2935.375	213.19
400	118410	2960.25	225.01
420	118069	2951.725	236.61
440	118479	2961.975	252.71
460	118453	2961.325	263.82
480	118114	2952.85	279.36
500	119242	2981.05	294.79

Observations

Response time compliance of 250 ms was met for maximum throughput of 445.15 per second with CipherTrust Manager instance 4-CPU, 16GB RAM
Response time compliance of 250 ms was met for maximum throughput of 953.275 per second with CipherTrust Manager instance 8-CPU, 32GB RAM
Response time compliance of 250 ms was met for maximum throughput of 1921 per second with CipherTrust Manager instance 16-CPU, 32GB RAM
Response time compliance of 250 ms was met for maximum throughput of 2961 per second with CipherTrust Manager instance 32-CPU, 64GB RAM

Conclusion

The performance improves with higher number of CPUs. The minimum number of CPUs and RAM required: 4 CPUs and 16 GB RAM.
Performance linearly improves with adding more CipherTrust Manager nodes.
Partition mode (Export vs Clone) does not have any impact on performance.
Changing HSM connections (STC vs NTLS) does not have significant affect on performance.
Different models of Luna 7 HSMs have their maximum throughput. Depending on your requirement, ensure to choose a model that can meet your needs. Ensure the HSM throughput does not become a bottle neck for the deployment. Refer to Luna HSM documentation for more information.
The results captured was for one HYOK key in one key store, which represents the total throughput. When the number of key stores is higher, the total throughput will be cumulative across key stores.

Suggest A Change

AWS XKS Performance Summary

Tested Environments

Network Requirements

Test Process

AWS XKS Deployment Results

LUNA HSM as a Key Source

On Premises

LUNA HSM Details

4 CPUs - 16 GB RAM

8 CPUs - 32 GB RAM

16 CPUs - 32 GB RAM

32 CPUs - 64 GB RAM

Observations

On Premises: HSM in HA Mode

4 CPUs - 16 GB RAM

8 CPUs - 32 GB RAM

16 CPUs - 32 GB RAM

32 CPUs - 64 GB RAM

Observations

On Premises: HSM Partition in Export and Clone Mode

16 CPUs - 32 GB RAM

Observations

On Premises: HSM in STC Mode

LUNA HSM Details

16 CPUs - 32 GB RAM

Observations

CipherTrust Manager as a Key Source

On Premises

4 CPUs - 16 GB RAM

8 CPUs - 32 GB RAM

16 CPUs - 32 GB RAM

Observations

Cloud Setup - Single Instance

4 CPUs - 16 GB RAM

8 CPUs - 32 GB RAM

16 CPUs - 32 GB RAM

32 CPUs - 64 GB RAM

Observations

Cloud Setup - Load Balancer

4 CPUs - 16 GB RAM

8 CPUs - 32 GB RAM

16 CPUs - 32 GB RAM

32 CPUs - 64 GB RAM

Observations

Conclusion