The KMS lookup is really handy for field level encryption, but it's also really slow if you use it a lot. This is because:
Each ${kms} lookup is a separate network call to kms:Decrypt.
kms:Decrypt calls happen sequentially, instead of in parallel.
It may be nice to support a new ${decrypt} lookup, using something like NaCl secretbox, backed by a data encryption key from kms. This would allow you to keep a top level data encryption key (e.g. returned from kms:GenerateDataKey) and use it to perform fast decryption of field level values within variables.
An example stacker config might look like:
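The envelope pattern proposed in this issue, sketched as an added example (not code from the issue or from stacker): one Decrypt round trip unwraps the data key, then every field is opened locally. The `${decrypt <hex>}` syntax, `FakeKMS`, and the stdlib-only stand-in for secretbox are assumptions made so the sketch runs offline; all sample values are constructed.

```python
import hashlib, hmac, os, re
# Stand-in for NaCl secretbox (stdlib only, so this runs offline): SHA-256
# counter keystream + HMAC-SHA256 tag. Real code would use nacl.secret.SecretBox.
def _subkeys(key):
    return [hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]

def _xor_stream(enc_key, nonce, data):
    blocks = range((len(data) + 31) // 32)
    stream = b"".join(hashlib.sha256(enc_key + nonce + i.to_bytes(8, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)  # fresh nonce per sealed value
    body = nonce + _xor_stream(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_sealed(key, blob):
    enc_key, mac_key = _subkeys(key)
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")  # tampered value or wrong key
    return _xor_stream(enc_key, body[:16], body[16:])

class FakeKMS:  # constructed offline stand-in for KMS; counts Decrypt round trips
    def __init__(self):
        self._master = os.urandom(32)  # master key never leaves "KMS"
        self.decrypt_calls = 0
    def generate_data_key(self):
        key = os.urandom(32)
        return key, seal(self._master, key)  # (plaintext key, wrapped key)
    def decrypt(self, blob):
        self.decrypt_calls += 1
        return open_sealed(self._master, blob)

LOOKUP = re.compile(r"\$\{decrypt ([0-9a-f]+)\}")  # hypothetical lookup syntax
def resolve(variables, kms, wrapped_key):
    data_key = kms.decrypt(wrapped_key)  # the single network call
    def local(m):  # every field after that is decrypted in-process
        return open_sealed(data_key, bytes.fromhex(m.group(1))).decode()
    return {name: LOOKUP.sub(local, value) for name, value in variables.items()}

def demo():
    kms = FakeKMS()
    data_key, wrapped = kms.generate_data_key()
    variables = {"Plain": "m4.large"}  # constructed sample variables
    for name, secret in (("DBPassword", b"hunter2"), ("ApiToken", b"tok-123")):
        variables[name] = "${decrypt %s}" % seal(data_key, secret).hex()
    return resolve(variables, kms, wrapped), kms.decrypt_calls
```

Only the wrapped data key would need to be stored alongside the config; the number of KMS calls stays at one no matter how many fields are encrypted.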