AWS XKS Performance Summary
We have tested different environments to capture performance metrics for the CipherTrust Cloud Key Manager (CCKM) AWS External Key Service integration. The performance results provided within this document demonstrate the effects of deployment choices on throughput for AWS HYOK key encrypt operations for one key within one key store. This can help you plan your CipherTrust Manager deployment to meet your performance needs for AWS XKS integration. There is an AWS requirement that encrypt and decrypt requests must be completed within 250 ms. Thus, the results are presented to show the throughput possible before meeting that threshold.
All environments used an open source k6.io tool (https://k6.io/) as the REST client to simulate encrypt requests from AWS KMS. The client ran on a virtual machine with 80 GB system volume, 16 CPUs, and 32 GB of memory. For the deployments using LUNA HSM as a key source, the HSM model of Luna K7 was employed.
Actual performance numbers in your environment may be different. The results can vary based on factors, such as how and where the CipherTrust Manager is deployed, CipherTrust Manager resources, the location of cloud KMS, the key source of your choice, the network connectivity between the CipherTrust Manager, AWS Cloud and your key source, as well as how the traffic is load balanced.
Tested Environments
The following deployments were tested:
-
Luna Network HSM as a key source on premises:
-
Single node of CipherTrust Manager on premises, K6 client on premises, Single node of HSM
-
Single node of CipherTrust Manager on premises, K6 client on premises, Two nodes of HSM in HA mode
-
Single node of CipherTrust Manager on premises, K6 client on premises, HSM in Export mode and Clone mode
-
-
CipherTrust Manager as a key source:
-
Single node CipherTrust Manager on premises, K6 client on premises
-
Single node of CipherTrust Manager on AWS, K6 client on AWS
-
Two clustered CipherTrust Manager nodes on AWS, K6 client on AWS
-
CipherTrust Managers were deployed as geographically close to the K6 client as possible to avoid potential network latencies, which can occur when crossing geographic regions. In your CCKM deployment, we similarly recommend deploying the virtual CipherTrust Manager instance geographically close to one of the AWS KMS regions where you intend to set up the AWS XKS. We recommend a network latency of round-trip communication of 35 ms or less between AWS KMS and the CipherTrust Manager. Also, if you are using Luna Network HSM as your key source for AWS HYOK, ensure the CipherTrust Manager and the HSM are geographically close and has the lowest possible latency. We recommend a network latency of round-trip communication of 25 ms or less between the CipherTrust Manager and the HSM.
The following graph shows that by increasing the latency between the CipherTrust Manager and the HSM, the performance degrades.
Network Requirements
The following ports were opened to ensure CipherTrust Manager communication:
Used to communicate with CipherTrust Manager:
| Type | Protocol | Port Number |
|---|---|---|
| SSH | TCP | 22 |
| HTTPS | TCP | 443 |
| postgresql (for cluster) | TCP | 5432 |
Used for Connection to LUNA HSM:
| Type | Protocol | Port Number |
|---|---|---|
| Secure Trusted Channel (STC) | TCP | 5656 |
| network trust link service (NTLS) | TCP | 1792 |
Test Process
The test consisted of starting a given number of virtual users to perform encrypt operations on the AWS XKS/HYOK key. Each user simulated a separate thread. Total test duration was 40 seconds for each reading. The test was divided into the following increments:
- Ramp-up time was 5 seconds. Virtual users were started.
- Test duration was 30 seconds for each reading. Virtual users make wrap requests during this time.
- Ramp-down time was 5 seconds. Virtual users were stopped until there were zero active virtual users.
AWS XKS Deployment Results
LUNA HSM as a Key Source
On Premises
This deployment includes the following:
- Single node of CipherTrust Manager on premises
- K6 client on premises
- Single node of HSM on premises
The client and CipherTrust Manager were running on an ESXI server on premises.
LUNA HSM Details
HSM Details
| Description | Value |
|---|---|
| Firmware | 7.3.3 |
| HSM Model | Luna K7 |
| Authentication Method | Password |
4 CPUs - 16 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 6417 | 160.425 | 38.2 |
| 10 | 7439 | 185.975 | 70 |
| 20 | 7739 | 193.475 | 149.58 |
| 30 | 8064 | 201.6 | 227.8 |
| 40 | 7850 | 196.25 | 330.19 |
8 CPUs - 32 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 8649 | 216.225 | 25.83 |
| 10 | 12521 | 313.025 | 37.35 |
| 20 | 14662 | 366.55 | 69.01 |
| 30 | 15191 | 379.775 | 111.25 |
| 40 | 15574 | 389.35 | 149.22 |
| 50 | 15995 | 399.875 | 189.64 |
| 60 | 16517 | 412.925 | 228.34 |
| 70 | 16410 | 410.25 | 270.49 |
| 80 | 16372 | 409.3 | 319.64 |
16 CPUs - 32 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 10515 | 262.875 | 20.58 |
| 10 | 15567 | 389.175 | 29.24 |
| 20 | 23157 | 578.925 | 41.52 |
| 30 | 25030 | 625.75 | 58.76 |
| 40 | 27160 | 679 | 80.08 |
| 50 | 27867 | 696.675 | 101.87 |
| 60 | 29153 | 728.825 | 120.48 |
| 70 | 31218 | 780.45 | 131.51 |
| 80 | 31819 | 795.475 | 151.7 |
| 90 | 31236 | 780.9 | 177.71 |
| 100 | 31362 | 784.05 | 197.13 |
| 120 | 32079 | 801.975 | 239.94 |
| 140 | 34299 | 857.475 | 269.27 |
| 160 | 33154 | 828.85 | 319.57 |
| 180 | 34108 | 852.7 | 352.62 |
32 CPUs - 64 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 8850 | 221.25 | 29 |
| 10 | 17470 | 436.75 | 25.49 |
| 20 | 24574 | 614.35 | 37.12 |
| 30 | 28185 | 704.625 | 52.71 |
| 40 | 29295 | 732.375 | 70.91 |
| 50 | 31083 | 777.075 | 87.58 |
| 60 | 31544 | 788.6 | 106.76 |
| 70 | 33995 | 849.875 | 115.62 |
| 80 | 34541 | 863.525 | 132.86 |
| 90 | 34809 | 870.225 | 154.5 |
| 100 | 36284 | 907.1 | 164.85 |
| 1820 | 38269 | 956.725 | 191.15 |
| 140 | 37585 | 939.625 | 235.08 |
| 160 | 38562 | 964.05 | 261.26 |
| 180 | 41302 | 1032.55 | 276.91 |
| 200 | 38662 | 966.55 | 338.28 |
Observations
- Response time compliance of 250 ms was met for maximum throughput of 201.6 per second with CipherTrust Manager instance 4-CPU, 16GB RAM
- Response time compliance of 250 ms was met for maximum throughput of 412.925 per second with CipherTrust Manager instance 8-CPU, 32GB RAM
- Response time compliance of 250 ms was met for maximum throughput of 801.975 per second with CipherTrust Manager instance 16-CPU, 32GB RAM
- Response time compliance of 250 ms was met for maximum throughput of 939.625 per second with CipherTrust Manager instance 32-CPU, 64GB RAM
On Premises: HSM in HA Mode
This deployment includes the following:
- Single node of CipherTrust Manager on premises
- K6 client on premises
- Two nodes of HSM (in HA mode) on premises
The client and CipherTrust Manager were running on an ESXI server on premises.
4 CPUs - 16 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 4717 | 117.925 | 53.8 |
| 10 | 7027 | 175.675 | 73.43 |
| 20 | 7770 | 194.25 | 146.09 |
| 30 | 7889 | 197.225 | 229.23 |
| 40 | 8061 | 201.525 | 309.91 |
| 50 | 7994 | 199.85 | 402.11 |
8 CPUs - 32 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 7120 | 178 | 32.81 |
| 10 | 11814 | 295.35 | 40.29 |
| 20 | 14557 | 363.925 | 69.57 |
| 30 | 15326 | 383.15 | 109.29 |
| 40 | 15571 | 389.275 | 150.45 |
| 50 | 15881 | 397.025 | 193.6 |
| 60 | 15949 | 398.725 | 237.86 |
| 70 | 16390 | 409.75 | 275.83 |
| 80 | 16784 | 419.6 | 310.83 |
16 CPUs - 32 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 8331 | 208.275 | 32.07 |
| 10 | 14113 | 352.825 | 38.62 |
| 20 | 21387 | 534.675 | 47.64 |
| 30 | 25447 | 636.175 | 60.41 |
| 40 | 26807 | 670.175 | 80.62 |
| 50 | 27384 | 684.6 | 103.42 |
| 60 | 29015 | 725.375 | 120.79 |
| 70 | 29526 | 738.15 | 140.61 |
| 80 | 29720 | 743 | 163.5 |
| 90 | 30491 | 762.275 | 184.32 |
| 100 | 33468 | 836.7 | 185.99 |
| 120 | 32335 | 808.375 | 236.31 |
| 140 | 33262 | 831.55 | 272.81 |
| 160 | 34228 | 855.7 | 306.12 |
32 CPUs - 64 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 11447 | 286.175 | 18.51 |
| 10 | 17737 | 443.425 | 25.25 |
| 20 | 25487 | 637.175 | 37.36 |
| 30 | 28283 | 707.075 | 52.92 |
| 40 | 30154 | 753.85 | 68.63 |
| 50 | 31038 | 775.95 | 86.95 |
| 60 | 32136 | 803.4 | 104.09 |
| 70 | 32707 | 817.675 | 122.54 |
| 80 | 33368 | 834.2 | 138.19 |
| 90 | 34698 | 867.45 | 153.94 |
| 100 | 34974 | 874.35 | 170.31 |
| 120 | 35335 | 883.375 | 209.76 |
| 140 | 37249 | 931.225 | 233.61 |
| 160 | 39185 | 979.625 | 257.74 |
| 180 | 40636 | 1015.9 | 282.5 |
| 200 | 40225 | 1005.625 | 321.77 |
Observations
- Response time compliance of 250 ms was met for maximum throughput of 197.225 per second with CipherTrust Manager instance 4-CPU, 16GB RAM
- Response time compliance of 250 ms was met for maximum throughput of 398.725 per second with CipherTrust Manager instance 8-CPU, 32GB RAM
- Response time compliance of 250 ms was met for maximum throughput of 808.375 per second with CipherTrust Manager instance 16-CPU, 32GB RAM
- Response time compliance of 250 ms was met for maximum throughput of 979.625 per second with CipherTrust Manager instance 32-CPU, 64GB RAM
On Premises: HSM Partition in Export and Clone Mode
This deployment includes the following:
- Single node of CipherTrust Manager on premises
- K6 client on premises
- Single node of HSM (in Export mode and Clone mode) on premises
The client and CipherTrust Manager were running on an ESXI server on premises.
The same test was run on an HSM partition in Export mode and in Clone mode.
16 CPUs - 32 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 11626 | 290.65 | 18.7 |
| 10 | 17207 | 430.175 | 26.65 |
| 20 | 23629 | 590.725 | 40.64 |
| 30 | 26649 | 666.225 | 56.69 |
| 40 | 28244 | 706.1 | 75.9 |
| 50 | 30268 | 756.7 | 91.25 |
| 60 | 29977 | 749.425 | 115.54 |
| 70 | 31210 | 780.25 | 132.04 |
| 80 | 30973 | 774.325 | 156.8 |
| 90 | 32168 | 804.2 | 172.54 |
| 100 | 32093 | 802.325 | 194.87 |
| 120 | 32810 | 820.25 | 232.88 |
| 140 | 33404 | 835.1 | 272.62 |
| 160 | 33936 | 848.4 | 311.64 |
| 180 | 34352 | 858.8 | 346.99 |
Observations
- Response time compliance of 250 ms was met for maximum throughput of 820.25 per second with CipherTrust Manager instance 16-CPU, 32GB RAM
- Changing the partition mode between Export and Clone does not affect the performance results
On Premises: HSM in STC Mode
This deployment includes the following:
- Single node of CipherTrust Manager on premises
- K6 client on premises
- Single node of HSM (in STC mode) on premises
The client and CipherTrust Manager were running on an ESXI server on premises.
LUNA HSM Details
HSM Details
| Description | Value |
|---|---|
| Firmware | 7.7.1 |
| HSM Model | Luna K7 |
| Authentication Method | Password |
16 CPUs - 32 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 10599 | 264.975 | 21.14 |
| 10 | 16368 | 409.2 | 26.43 |
| 20 | 23533 | 588.325 | 43.03 |
| 30 | 27183 | 679.575 | 53.06 |
| 40 | 30416 | 760.4 | 66.19 |
| 50 | 30069 | 751.725 | 101.49 |
| 60 | 30884 | 772.1 | 108.08 |
| 70 | 32613 | 815.325 | 123.71 |
| 80 | 33007 | 825.175 | 142.4 |
| 90 | 33877 | 846.925 | 161.19 |
| 100 | 34065 | 851.625 | 180.97 |
| 120 | 35043 | 876.075 | 216.67 |
| 140 | 35988 | 899.7 | 252.51 |
| 160 | 35878 | 896.95 | 293.16 |
| 180 | 36052 | 901.3 | 337.21 |
Observations
- Response time compliance of 250 ms was met for maximum throughput of 899.7 per second with CipherTrust Manager instance 16-CPU, 32GB RAM
- The HSM connection modes of NTLS and STC do not have a significant affect on the performance
CipherTrust Manager as a Key Source
On Premises
This deployment includes the following:
- Single node of CipherTrust Manager on premises
- K6 client on premises
The client and CipherTrust Manager were running on an ESXI server on premises.
4 CPUs - 16 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 8510 | 212.75 | 29.03 |
| 10 | 10133 | 253.325 | 52.61 |
| 20 | 11152 | 278.8 | 106.15 |
| 30 | 11394 | 284.85 | 169.52 |
| 40 | 10860 | 271.5 | 244.49 |
| 50 | 11451 | 286.275 | 302.89 |
| 60 | 11063 | 276.575 | 383.66 |
8 CPUs - 32 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 11798 | 294.95 | 19.45 |
| 10 | 17161 | 429.025 | 27.79 |
| 20 | 20268 | 506.7 | 51.13 |
| 30 | 21386 | 534.65 | 82.13 |
| 40 | 21969 | 549.225 | 113.14 |
| 50 | 22379 | 559.475 | 144.25 |
| 60 | 23037 | 575.925 | 175.97 |
| 70 | 22801 | 570.025 | 211.29 |
| 80 | 23142 | 578.55 | 241.78 |
| 90 | 23061 | 576.525 | 274.22 |
| 100 | 23457 | 586.425 | 306.06 |
| 120 | 23635 | 590.875 | 372.63 |
16 CPUs - 32 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 11391 | 284.775 | 19.06 |
| 10 | 23371 | 584.275 | 19.77 |
| 20 | 30927 | 773.175 | 32.26 |
| 30 | 34358 | 858.95 | 44.6 |
| 40 | 36294 | 907.35 | 60.16 |
| 50 | 37700 | 942.5 | 76.02 |
| 60 | 39599 | 989.975 | 90.09 |
| 70 | 38926 | 973.15 | 110.56 |
| 80 | 39171 | 979.275 | 126.28 |
| 90 | 41262 | 1031.55 | 143.05 |
| 100 | 41297 | 1032.425 | 158.09 |
| 120 | 41551 | 1038.775 | 198.72 |
| 140 | 43151 | 1078.775 | 227.83 |
| 160 | 43624 | 1090.6 | 263.1 |
| 180 | 44129 | 1103.225 | 304.2 |
| 200 | 44702 | 1117.55 | 332.17 |
Observations
- Response time compliance of 250 ms was met for maximum throughput of 271.5 per second with CipherTrust Manager instance 4-CPU, 16GB RAM
- Response time compliance of 250 ms was met for maximum throughput of 578.55 per second with CipherTrust Manager instance 8-CPU, 32GB RAM
- Response time compliance of 250 ms was met for maximum throughput of 1078.775 per second with CipherTrust Manager instance 16-CPU, 32GB RAM
- A higher performance was achieved when using CipherTrust Manager as key source than when using Luna HSM as a key source
Cloud Setup - Single Instance
This deployment includes a single node of CipherTrust Manager on AWS. Both the client and CipherTrust Manager were located within the US-east-1 AWS region.
4 CPUs - 16 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 7412 | 185.3 | 32.79 |
| 10 | 8564 | 214.1 | 59.86 |
| 20 | 9018 | 225.45 | 122.48 |
| 30 | 9510 | 237.75 | 185 |
| 40 | 9244 | 231.1 | 260.8 |
| 50 | 9524 | 238.1 | 322.38 |
| 60 | 9684 | 242.1 | 392.73 |
| 70 | 9557 | 238.925 | 468.32 |
8 CPUs - 32 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 12481 | 312.025 | 17.58 |
| 10 | 15702 | 392.55 | 29.56 |
| 20 | 18556 | 463.9 | 55.02 |
| 30 | 19545 | 488.625 | 83.04 |
| 40 | 19984 | 499.6 | 113.95 |
| 50 | 20106 | 502.65 | 149.06 |
| 60 | 20663 | 516.575 | 180.41 |
| 70 | 20103 | 502.575 | 219.07 |
| 80 | 20987 | 524.675 | 252.1 |
| 90 | 21099 | 527.475 | 281.43 |
| 100 | 21173 | 529.325 | 317.68 |
| 120 | 21393 | 534.825 | 391.56 |
16 CPUs - 32 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 15686 | 392.15 | 13.36 |
| 10 | 24273 | 606.825 | 17.84 |
| 20 | 30902 | 772.55 | 29.54 |
| 30 | 32702 | 817.55 | 43.63 |
| 40 | 34677 | 866.925 | 60 |
| 50 | 34974 | 874.35 | 79.16 |
| 60 | 36647 | 916.175 | 94.96 |
| 70 | 38011 | 950.275 | 107.72 |
| 80 | 35837 | 895.925 | 132.45 |
| 90 | 35405 | 885.125 | 146.82 |
| 100 | 36002 | 900.05 | 165.35 |
| 120 | 35361 | 884.025 | 206.5 |
| 140 | 39063 | 976.575 | 233.96 |
| 160 | 39408 | 985.2 | |
| 180 | 39184 | 979.6 | 318.8 |
| 200 | 38916 | 972.9 | 347.38 |
32 CPUs - 64 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 17306 | 432.65 | 11.83 |
| 10 | 28453 | 711.325 | 14.53 |
| 20 | 38729 | 968.225 | 22.97 |
| 30 | 42225 | 1055.625 | 32.22 |
| 40 | 51005 | 1275.125 | 39.41 |
| 50 | 51377 | 1284.425 | 49.39 |
| 60 | 52529 | 1313.225 | 61.11 |
| 70 | 51125 | 1278.125 | 72.39 |
| 80 | 51579 | 1289.475 | 86.62 |
| 90 | 54137 | 1353.425 | 93.75 |
| 100 | 55027 | 1375.675 | 104.44 |
| 120 | 54448 | 1361.2 | 129.75 |
| 140 | 55070 | 1376.75 | 152.41 |
| 160 | 52307 | 1307.675 | 180.67 |
| 180 | 54636 | 1365.9 | 204.4 |
| 200 | 44447 | 1111.175 | 285.16 |
| 220 | 57374 | 1434.35 | 250.38 |
| 240 | 59045 | 1476.125 | 274.32 |
| 260 | 58714 | 1467.85 | 307.63 |
| 280 | 59894 | 1497.35 | 332.61 |
Observations
- Response time compliance of 250 ms was met for maximum throughput of 231.1 per second with CipherTrust Manager instance 4-CPU, 16GB RAM
- Response time compliance of 250 ms was met for maximum throughput of 524.675 per second with CipherTrust Manager instance 8-CPU, 32GB RAM
- Response time compliance of 250 ms was met for maximum throughput of 976.575 per second with CipherTrust Manager instance 16-CPU, 32GB RAM
- Response time compliance of 250 ms was met for maximum throughput of 1365.9 per second with CipherTrust Manager instance 32-CPU, 64GB RAM
Cloud Setup - Load Balancer
This deployment includes two clustered CipherTrust Manager nodes on AWS and a load balancer. Both the client and CipherTrust Manager were located within the US-east-1 AWS region.
4 CPUs - 16 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 10081 | 252.025 | 24.15 |
| 10 | 14260 | 356.5 | 33.86 |
| 20 | 15435 | 385.875 | 86.28 |
| 30 | 16966 | 424.15 | 103.89 |
| 40 | 17491 | 437.275 | 130.42 |
| 50 | 17855 | 446.375 | 163.93 |
| 60 | 17895 | 447.375 | 195.9 |
| 70 | 17806 | 445.15 | 244.63 |
| 80 | 18268 | 456.7 | 260.42 |
| 90 | 17918 | 447.95 | 304.45 |
| 100 | 18112 | 452.8 | 337.82 |
| 120 | 18144 | 453.6 | 413.05 |
8 CPUs - 32 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 13457 | 336.425 | 16.03 |
| 10 | 21938 | 548.45 | 21.56 |
| 20 | 27638 | 690.95 | 40.91 |
| 30 | 32318 | 807.95 | 46.13 |
| 40 | 34758 | 868.95 | 57.83 |
| 50 | 35890 | 897.25 | 78.44 |
| 60 | 36666 | 916.65 | 88.03 |
| 70 | 37719 | 942.975 | 101.69 |
| 80 | 37940 | 948.5 | 118.99 |
| 90 | 38338 | 958.45 | 134.58 |
| 100 | 38435 | 960.875 | 154.33 |
| 120 | 36956 | 923.9 | 194.45 |
| 140 | 38131 | 953.275 | 229.37 |
| 160 | 38592 | 964.8 | 263.27 |
| 180 | 39510 | 987.75 | 297.57 |
| 200 | 39571 | 989.275 | 334.09 |
| 220 | 40530 | 1013.25 | 363.02 |
16 CPUs - 32 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 14709 | 367.725 | 12.75 |
| 10 | 26304 | 657.6 | 14.62 |
| 20 | 42689 | 1067.225 | 21.53 |
| 30 | 51823 | 1295.575 | 26.77 |
| 40 | 55646 | 1391.15 | 34.3 |
| 50 | 60475 | 1511.875 | 38.64 |
| 60 | 60898 | 1522.45 | 48.04 |
| 70 | 64793 | 1619.825 | 56.89 |
| 80 | 65893 | 1647.325 | 61.39 |
| 90 | 66369 | 1659.225 | 71.48 |
| 100 | 66631 | 1665.775 | 83.73 |
| 120 | 69175 | 1729.375 | 99.65 |
| 140 | 71426 | 1785.65 | 113.87 |
| 160 | 71782 | 1794.55 | 135.1 |
| 180 | 72782 | 1819.55 | 153.48 |
| 200 | 73658 | 1841.45 | 168.49 |
| 220 | 76260 | 1906.5 | 186.69 |
| 240 | 73950 | 1848.75 | 209.86 |
| 260 | 66287 | 1657.175 | 241.72 |
| 280 | 76840 | 1921 | 239.81 |
| 300 | 76351 | 1908.775 | 261.08 |
| 320 | 78116 | 1952.9 | 276.64 |
| 340 | 76553 | 1913.825 | 297.67 |
| 360 | 79986 | 1999.65 | 308.26 |
32 CPUs - 64 GB RAM
| Number of Virtual Users | Total Operations | Throughput (Operations/Sec) | 90% Time |
|---|---|---|---|
| 5 | 18754 | 468.85 | 10.87 |
| 10 | 33671 | 841.775 | 12.39 |
| 20 | 54332 | 1358.3 | 16.03 |
| 30 | 68193 | 1704.825 | 21.44 |
| 40 | 79129 | 1978.225 | 23.85 |
| 50 | 86548 | 2163.7 | 26.98 |
| 60 | 84338 | 2108.45 | 42.98 |
| 70 | 97056 | 2426.4 | 36.09 |
| 80 | 99822 | 2495.55 | 40.38 |
| 90 | 101842 | 2546.05 | 48.61 |
| 100 | 103843 | 2596.075 | 51.82 |
| 120 | 104963 | 2624.075 | 61.16 |
| 140 | 110959 | 2773.975 | 70.12 |
| 160 | 112717 | 2817.925 | 80.68 |
| 180 | 113767 | 2844.175 | 92.96 |
| 200 | 114289 | 2857.225 | 103.67 |
| 220 | 112580 | 2814.5 | 118.61 |
| 240 | 115057 | 2876.425 | 131.81 |
| 260 | 114213 | 2855.325 | 141.83 |
| 280 | 107781 | 2694.525 | 165.64 |
| 300 | 115342 | 2883.55 | 167.38 |
| 320 | 114820 | 2870.5 | 176.93 |
| 340 | 117586 | 2939.65 | 190.51 |
| 360 | 117645 | 2941.125 | 203.35 |
| 380 | 117415 | 2935.375 | 213.19 |
| 400 | 118410 | 2960.25 | 225.01 |
| 420 | 118069 | 2951.725 | 236.61 |
| 440 | 118479 | 2961.975 | 252.71 |
| 460 | 118453 | 2961.325 | 263.82 |
| 480 | 118114 | 2952.85 | 279.36 |
| 500 | 119242 | 2981.05 | 294.79 |
Observations
- Response time compliance of 250 ms was met for maximum throughput of 445.15 per second with CipherTrust Manager instance 4-CPU, 16GB RAM
- Response time compliance of 250 ms was met for maximum throughput of 953.275 per second with CipherTrust Manager instance 8-CPU, 32GB RAM
- Response time compliance of 250 ms was met for maximum throughput of 1921 per second with CipherTrust Manager instance 16-CPU, 32GB RAM
- Response time compliance of 250 ms was met for maximum throughput of 2961 per second with CipherTrust Manager instance 32-CPU, 64GB RAM
Conclusion
- The performance improves with higher number of CPUs. The minimum number of CPUs and RAM required: 4 CPUs and 16 GB RAM.
- Performance linearly improves with adding more CipherTrust Manager nodes.
- Partition mode (Export vs Clone) does not have any impact on performance.
- Changing HSM connections (STC vs NTLS) does not have significant affect on performance.
- Different models of Luna 7 HSMs have their maximum throughput. Depending on your requirement, ensure to choose a model that can meet your needs. Ensure the HSM throughput does not become a bottle neck for the deployment. Refer to Luna HSM documentation for more information.
- The results captured was for one HYOK key in one key store, which represents the total throughput. When the number of key stores is higher, the total throughput will be cumulative across key stores.