Improve decryption lookup performance #660

Open
ejholmes opened this issue Sep 20, 2018 · 1 comment

@ejholmes
Contributor

ejholmes commented Sep 20, 2018

The KMS lookup is really handy for field level encryption, but it's also really slow if you use it a lot. This is because:

  1. Each ${kms} lookup is a separate network call to kms:Decrypt
  2. kms:Decrypt calls happen sequentially, instead of in parallel.

It may be nice to support a new ${decrypt} lookup, using something like NaCl secretbox, backed by a data encryption key from kms. This would allow you to keep a top level data encryption key (e.g. returned from kms:GenerateDataKey) and use it to perform fast decryption of field level values within variables.

An example stacker config might look like:

```yaml
encryption:
  key_a: ${kms us-east-1@<ciphertext>}

stacks:
  - name: app
    variables:
      SuperSecretThing: ${decrypt key_a@<ciphertext>}
```

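The flow proposed above, as an added example that is not stacker code and not written by the issue author: the wrapped data key is unwrapped with one kms:Decrypt call and cached, and every field is then opened locally. `DecryptLookup`, `secretbox_open`, `boto3_kms_decrypt`, the base64 `nonce || ciphertext` value layout and the choice of PyNaCl for secretbox are assumptions.

```python
# Added illustration, not stacker code: DecryptLookup and its parameters are hypothetical.
import base64


def secretbox_open(key, blob):
    """Open a NaCl secretbox laid out as nonce || ciphertext (needs PyNaCl)."""
    from nacl.secret import SecretBox  # lazy import: only this opener needs PyNaCl
    return SecretBox(key).decrypt(blob)  # raises CryptoError on a tampered value


def boto3_kms_decrypt(region):
    """Return callable(wrapped_key) -> data key via kms:Decrypt (needs boto3)."""
    import boto3
    client = boto3.client("kms", region_name=region)
    return lambda blob: client.decrypt(CiphertextBlob=blob)["Plaintext"]


class DecryptLookup:
    """Resolve 'key_a@<base64 secretbox>' using a data key unwrapped once."""

    def __init__(self, wrapped_keys, kms_decrypt, box_open=secretbox_open):
        self._wrapped = wrapped_keys     # key name -> KMS-encrypted data key
        self._kms_decrypt = kms_decrypt  # callable(bytes) -> 32-byte data key
        self._box_open = box_open
        self._cache = {}                 # plaintext data keys, in memory only

    def _data_key(self, name):
        if name not in self._cache:
            if name not in self._wrapped:
                raise KeyError("unknown encryption key: %r" % name)
            # The only network call: one kms:Decrypt per key, not per field.
            self._cache[name] = self._kms_decrypt(self._wrapped[name])
        return self._cache[name]

    def resolve(self, value):
        name, sep, b64 = value.partition("@")
        if not (sep and name and b64):
            raise ValueError("expected '<key name>@<base64 ciphertext>'")
        blob = base64.b64decode(b64, validate=True)
        return self._box_open(self._data_key(name), blob)


if __name__ == "__main__":  # constructed demo: stand-in KMS, PyNaCl required
    from nacl.secret import SecretBox
    key = b"\x01" * 32  # constructed data key, stands in for kms:GenerateDataKey output
    lookup = DecryptLookup({"key_a": b"wrapped"}, lambda blob: key)
    field = base64.b64encode(SecretBox(key).encrypt(b"hunter2")).decode()
    print(lookup.resolve("key_a@" + field))
```

Because secretbox is authenticated, a modified field value fails to open instead of yielding altered plaintext; the cached data key stays in process memory only and is never written back to the config.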
@phobologic
Member

Sounds like a great idea.

@russellballestrini russellballestrini changed the title More performant decryption lookup Increase decryption lookup performance Sep 21, 2018
@ejholmes ejholmes changed the title Increase decryption lookup performance Improve decryption lookup performance Sep 22, 2018