AWS XKS Performance Summary
We have tested different environments to capture performance metrics for the CipherTrust Cloud Key Manager (CCKM) AWS External Key Service integration. The performance results provided within this document demonstrate the effects of deployment choices on throughput for AWS HYOK key encrypt operations for one key within one key store. This can help you plan your CipherTrust Manager deployment to meet your performance needs for AWS XKS integration. There is an AWS requirement that encrypt and decrypt requests must be completed within 250 ms. Thus, the results are presented to show the throughput possible before meeting that threshold.
All environments used an open source k6.io tool (https://k6.io/) as the REST client to simulate encrypt requests from AWS KMS. The client ran on a virtual machine with 50 GB system volume, 8 CPUs, and 64 GB of memory. For the deployments using LUNA HSM as a key source, the HSM model of Luna K7 was employed.
Note
Actual performance numbers in your environment may be different. The results can vary based on factors, such as how and where the CipherTrust Manager is deployed, CipherTrust Manager resources, the location of cloud KMS, the key source of your choice, the network connectivity between the CipherTrust Manager, AWS Cloud and your key source, as well as how the traffic is load balanced.
Tested Environments
The following deployments were tested:
Luna Network HSM as a key source (on premises or GCP):
Single node of CipherTrust Manager on premises, K6 client on premises, single node of HSM
Single node of CipherTrust Manager on premises, K6 client on premises, two nodes of HSM in HA mode
Single node of CipherTrust Manager on GCP, K6 client on AWS, single node of HSM
Single node of CipherTrust Manager on GCP, K6 client on AWS, two nodes of HSM in HA mode
Single node of CipherTrust Manager on GCP, K6 client on AWS, HSM in Export mode and Clone mode
Two Cluster nodes of CipherTrust Manager on GCP, K6 client on AWS, Two nodes of HSM in HA mode
CipherTrust Manager as a key source (on premises and on AWS):
The following CipherTrust Manager release version was employed in the tested deployments:
| Description | Value |
|---|---|
| Release version | 2.11.1+9742 |
CipherTrust Managers were deployed as geographically close to the K6 client as possible to avoid potential network latencies, which can occur when crossing geographic regions. In your CCKM deployment, we similarly recommend deploying the virtual CipherTrust Manager instance geographically close to one of the AWS KMS regions where you intend to set up the AWS XKS. We recommend a network latency of round-trip communication of 35 ms or less between AWS KMS and the CipherTrust Manager. Also, if you are using Luna Network HSM as your key source for AWS HYOK, ensure the CipherTrust Manager and the HSM are geographically close and has the lowest possible latency. We recommend a network latency of round-trip communication of 25 ms or less between the CipherTrust Manager and the HSM.
The following graph was generated using a model of XKS performance. Simulated data is displayed. In this model, the internal latency of the CCKM was pre-set and the network latency between CipherTrust Manager/CCKM and the HSM was varied. The resulting data displayed in the graph captures the rapid degradation of performance with increasing network latency between CipherTrust Manager/CCKM and the HSM. In other words, increasing the latency to the HSM results in an (undesirable) non-linear degradation in performance.
Network Requirements
The following ports were opened to ensure CipherTrust Manager communication:
Used to communicate with CipherTrust Manager:
| Type | Protocol | Port Number |
|---|---|---|
| SSH | TCP | 22 |
| HTTPS | TCP | 443 |
| postgresql (for cluster) | TCP | 5432 |
Used for Connection to LUNA HSM:
| Type | Protocol | Port Number |
|---|---|---|
| Secure Trusted Channel (STC) | TCP | 5656 |
| network trust link service (NTLS) | TCP | 1792 |
Test process
The test consisted of starting a given number of virtual users to perform encrypt operations on the AWS XKS/HYOK key. Each user simulated a separate thread. Total test duration was 40 seconds for each reading. The test was divided into the following increments:
- Ramp-up time was 5 seconds. Virtual users were started.
- Test duration was 30 seconds for each reading. Virtual users make wrap requests during this time.
- Ramp-down time was 5 seconds. Virtual users were stopped until there were zero active virtual users.
Repeating the test in your environment
We have published the scripts used with k6.io on Github, for you to repeat the tests in your own environments as desired.
AWS XKS deployment results
LUNA HSM as a key source
LUNA HSM details
HSM Details
| Description | Value |
|---|---|
| Firmware | 7.3.3 |
| HSM Model | Luna K6 |
| Authentication Method | Password |
Single node of CipherTrust Manager on premises, K6 client on premises, single node of HSM
4 CPU - 64 GB RAM
This deployment includes the following:
- Single node of CipherTrust Manager on premises
- K6 client on premises
- Single node of HSM on premises
Here are details of this deployment:
| Setup | System Volume (GB) | CPUs | Memory (GB) | Location |
|---|---|---|---|---|
| k6 Client | 50 | 8 | 64 | SanJose Lab ESXi |
| CM-2.11.1 | 50 | 4 | 16 | SanJose Lab ESXi |
The network latency between the CipherTrust Manager and the K6 client is 0.730 ms and between the CipherTrust Manager and the HSM is 0.230 ms.
Results:
| Number of Virtual Users | Total Operations | Throughput (Ops/Sec) | 90% Time |
|---|---|---|---|
| 10 | 14822 | 370.488464 | 44.19 |
| 20 | 19368 | 484.096976 | 58.21 |
| 30 | 18080 | 451.987655 | 100.13 |
| 40 | 18487 | 462.077984 | 130.53 |
| 50 | 19410 | 485.225354 | 154.07 |
| 60 | 18850 | 471.240975 | 195.45 |
| 70 | 18407 | 460.053475 | 226.3 |
| 80 | 20024 | 500.194051 | 252.84 |
| 90 | 19460 | 486.481693 | 280.93 |
| 100 | 18914 | 472.811809 | 326.98 |
| 110 | 19690 | 491.827879 | 372.5 |
| 120 | 18689 | 467.217404 | 401.62 |
| 130 | 19925 | 498.072093 | 382.72 |
| 140 | 19534 | 488.014201 | 456.43 |
| 150 | 20676 | 516.853259 | 507.51 |
Observation:
For this deployment, a response time compliance of 250 ms was met for a maximum throughput of 500.194051 per second.
8 CPU - 64 GB RAM
This deployment includes the following:
- Single node of CipherTrust Manager on premises
- K6 client on premises
- Single node of HSM on premises
Here are details of this deployment:
| Setup | System Volume (GB) | CPUs | Memory (GB) | Location |
|---|---|---|---|---|
| k6 Client | 50 | 8 | 64 | SanJose Lab ESXi |
| CM-2.11.1 | 50 | 8 | 64 | SanJose Lab ESXi |
The network latency between the CipherTrust Manager and the K6 client is 0.730 ms and between the CipherTrust Manager and the HSM is 0.230 ms.
Results:
| Number of Virtual Users | Total Operations | Throughput (Ops/Sec) | 90% Time |
|---|---|---|---|
| 10 | 21940 | 548.107347 | 22.66 |
| 20 | 33727 | 843.16724 | 31.42 |
| 30 | 32958 | 823.825018 | 56.02 |
| 40 | 34005 | 849.923406 | 74.02 |
| 50 | 39687 | 992.116055 | 84.37 |
| 60 | 35144 | 878.444167 | 116.89 |
| 70 | 37021 | 925.508381 | 139.69 |
| 80 | 40590 | 1014.721688 | 145.48 |
| 90 | 36727 | 918.072933 | 179.38 |
| 100 | 36870 | 921.729155 | 205.61 |
| 110 | 41180 | 1029.403083 | 206.39 |
| 120 | 38085 | 952.035047 | 240.58 |
| 130 | 38755 | 968.739411 | 252.78 |
| 140 | 40895 | 1021.885088 | 265.68 |
| 150 | 40398 | 1009.86079 | 289.82 |
| 160 | 37406 | 934.97733 | 301.1 |
| 170 | 39361 | 983.550359 | 330.49 |
| 180 | 41499 | 1037.318017 | 353.11 |
| 190 | 38867 | 971.597279 | 354.4 |
| 200 | 37825 | 945.438374 | 399.83 |
| 210 | 42467 | 1061.660795 | 410.44 |
| 220 | 37750 | 943.64758 | 436.47 |
| 230 | 38568 | 964.13714 | 456.74 |
| 240 | 42287 | 1057.154044 | 483.3 |
| 250 | 38878 | 971.678607 | 506.67 |
| 260 | 38787 | 969.601137 | 506.7 |
| 270 | 41452 | 1036.028547 | 552.53 |
| 280 | 39361 | 983.826515 | 572.48 |
| 290 | 37992 | 949.628518 | 614.47 |
| 300 | 41278 | 1031.763766 | 617.22 |
Observation:
For this deployment, a response time compliance of 250 ms was met for a maximum throughput of 968.739411 per second.
Single node of CipherTrust Manager on premises, K6 client on premises, two nodes of HSM in HA mode
This deployment includes the following:
- Single node of CipherTrust Manager on premises
- K6 client on premises
- Two nodes of HSM (in HA mode) on premises
Here are details of this deployment:
| Setup | System Volume (GB) | CPUs | Memory (GB) | Location |
|---|---|---|---|---|
| k6 Client | 50 | 8 | 64 | SanJose Lab ESXi |
| CM-2.11.1 | 50 | 8 | 64 | SanJose Lab ESXi |
The network latency between the CipherTrust Manager and the K6 client is 0.730 ms and between the CipherTrust Manager and the HSM is 0.366 ms.
Results:
| Number of Virtual Users | Total Operations | Throughput (Ops/Sec) | 90% Time |
|---|---|---|---|
| 50 | 42222 | 1055.399696 | 78.81 |
| 60 | 41850 | 1046.185283 | 98.45 |
| 70 | 44097 | 1102.260952 | 112.03 |
| 80 | 44598 | 1114.91903 | 133.04 |
| 90 | 43213 | 1080.301058 | 157.67 |
| 100 | 43963 | 1098.998373 | 176.29 |
| 110 | 43768 | 1094.192473 | 196.37 |
| 120 | 44191 | 1104.649837 | 211.35 |
| 130 | 45776 | 1144.330515 | 226.49 |
| 140 | 46178 | 1154.400332 | 242.02 |
| 150 | 45366 | 1134.078952 | 267.5 |
| 160 | 44746 | 1118.625993 | 292.36 |
| 170 | 43144 | 1078.4994 | 327.32 |
| 180 | 40015 | 1000.137207 | 370.45 |
| 190 | 47183 | 1179.329372 | 332.62 |
| 200 | 46888 | 1172.027319 | 360.34 |
| 210 | 44994 | 1124.722164 | 396.35 |
| 220 | 44728 | 1118.090287 | 425.53 |
| 230 | 45386 | 1134.351503 | 432.92 |
| 240 | 43351 | 1083.695209 | 472.14 |
| 250 | 48298 | 1207.424591 | 450.29 |
| 260 | 46645 | 1166.046241 | 487.5 |
| 270 | 46273 | 1156.613088 | 513.93 |
| 280 | 45939 | 1148.383001 | 534.94 |
| 290 | 45849 | 1146.062519 | 570.05 |
Observation:
For this deployment, a response time compliance of 250 ms was met for a maximum throughput of 1134.078952 per second.
Single node of CipherTrust Manager on premises, K6 client on premises, HSM in Export mode and Clone mode
This deployment includes the following:
- Single node of CipherTrust Manager on premises
- K6 client on premises
- Two nodes of HSM (in Export mode and Clone mode) on premises
Here are details of this deployment:
| Setup | System Volume (GB) | CPUs | Memory (GB) | Location |
|---|---|---|---|---|
| k6 Client | 50 | 8 | 64 | SanJose Lab ESXi |
| CM-2.11.1 | 50 | 8 | 64 | SanJose Lab ESXi |
The network latency between the CipherTrust Manager and the K6 client is 0.730 ms and between the CipherTrust Manager and the HSM is 0.366 ms.
Results:
| Number of Virtual Users | Total Operations | Throughput (Ops/Sec) | 90% Time |
|---|---|---|---|
| 50 | 36653 | 916.252126 | 92.19 |
| 60 | 39611 | 988.931681 | 104.81 |
| 70 | 39942 | 998.44485 | 116.75 |
| 80 | 39077 | 976.81008 | 147.17 |
| 90 | 37210 | 928.869035 | 159.43 |
| 100 | 39449 | 986.073871 | 172.35 |
| 110 | 39829 | 995.497357 | 204.91 |
| 120 | 38793 | 969.736887 | 230.87 |
| 130 | 45039 | 1125.671565 | 216.52 |
| 140 | 42000 | 1049.847137 | 242.99 |
| 150 | 40730 | 1018.119718 | 272.74 |
| 160 | 43965 | 1099.099161 | 284.36 |
| 170 | 40373 | 1008.48485 | 304.81 |
| 180 | 40497 | 1012.157095 | 310.06 |
| 190 | 45421 | 1135.420918 | 324.31 |
| 200 | 41430 | 1035.709383 | 367.68 |
| 210 | 41805 | 1043.670215 | 380.37 |
| 220 | 41419 | 1035.446943 | 362.59 |
| 230 | 41486 | 1037.122511 | 411.73 |
| 240 | 42016 | 1050.17003 | 436.73 |
| 250 | 46029 | 1150.664962 | 436.38 |
| 260 | 41707 | 1042.623747 | 483.66 |
| 270 | 41874 | 1046.80338 | 506.85 |
| 280 | 46216 | 1155.302438 | 489.6 |
| 290 | 43389 | 1084.552883 | 503.54 |
| 300 | 41946 | 1048.570249 | 567.91 |
Observation:
For this deployment, a response time compliance of 250 ms was met for a maximum throughput of 1018.119718 per second.
Single node of CipherTrust Manager on GCP, K6 client on AWS, single node of HSM
This deployment includes the following:
- Single node of CipherTrust Manager on GCP Cloud
- K6 client on AWS
- Single node of HSM on premises
Here are details of this deployment:
| Setup | System Volume (GB) | CPUs | Memory (GB) | Location |
|---|---|---|---|---|
| k6 Client | 50 | 8 | 64 | AWS (us-east-1) |
| CM-2.11.1 | 50 | 4 | 16 | GCP (us-central-1) |
The network latency between the CipherTrust Manager and the K6 client is 29.476 ms.
Results:
| Number of Virtual Users | Total Operations | Throughput (Ops/Sec) | 90% Time |
|---|---|---|---|
| 50 | 9583 | 239.413903 | 254.37 |
| 60 | 9582 | 239.396327 | 313.11 |
| 70 | 9409 | 235.152891 | 382.31 |
| 80 | 9685 | 241.639279 | 414.86 |
| 90 | 9899 | 247.195932 | 438.65 |
| 100 | 9239 | 230.564444 | 512.74 |
| 11 | 987 | 246.283066 | 532.34 |
| 120 | 9946 | 248.564488 | 587.08 |
Observation:
For this deployment, a response time compliance of 250 ms was met for a maximum throughput of 239.413903 per second.
Single node of CipherTrust Manager on GCP, K6 client on AWS, two nodes of HSM in HA mode
This deployment includes the following:
- Single node of CipherTrust Manager on GCP Cloud
- K6 client on AWS
- Two nodes of HSM (in HA mode) on premises
Here are details of this deployment:
| Setup | System Volume (GB) | CPUs | Memory (GB) | Location |
|---|---|---|---|---|
| k6 Client | 50 | 8 | 64 | AWS (us-east-1) |
| CM-2.11.1 | 50 | 4 | 16 | GCP (us-central-1) |
The network latency between the CipherTrust Manager and the K6 client is 29.476 ms.
Results:
| Number of Virtual Users | Total Operations | Throughput (Ops/Sec) | 90% Time |
|---|---|---|---|
| 50 | 8473 | 211.770214 | 293.19 |
| 60 | 8796 | 219.767535 | 344.01 |
| 70 | 9030 | 225.36262 | 401.19 |
| 80 | 9119 | 227.559996 | 461.01 |
| 90 | 9251 | 231.20168 | 530.24 |
| 100 | 9019 | 225.17429 | 573.95 |
Observation:
For this deployment, a response time compliance of 250 ms was met for a maximum throughput of 211.770214 per second.
Single node of CipherTrust Manager on GCP, K6 client on AWS, HSM in Export mode and Clone mode
This deployment includes the following:
- Single node of CipherTrust Manager on GCP Cloud
- K6 client on AWS
- Sing node of HSM (in Export mode and Clone mode) on premises
Here are details of this deployment:
| Setup | System Volume (GB) | CPUs | Memory (GB) | Location |
|---|---|---|---|---|
| k6 Client | 50 | 8 | 64 | AWS (us-east-1) |
| CM-2.11.1 | 50 | 4 | 16 | GCP (us-central-1) |
The network latency between the CipherTrust Manager and the K6 client is 29.476 ms.
Results:
| Number of Virtual Users | Total Operations | Throughput (Ops/Sec) | 90% Time |
|---|---|---|---|
| 50 | 8855 | 221.314997 | 285.33 |
| 60 | 9569 | 238.829389 | 315.33 |
| 70 | 9709 | 242.311532 | 364.37 |
| 80 | 9772 | 243.883417 | 424.64 |
| 90 | 9715 | 242.555781 | 479.29 |
| 100 | 9403 | 234.881415 | 533.49 |
| 110 | 9885 | 246.753465 | 583.31 |
Observation:
For this deployment, a response time compliance of 250 ms was met for a maximum throughput of 221.314997 per second.
Two Cluster nodes of CipherTrust Manager on GCP, K6 client on AWS, two nodes of HSM in HA mode
This deployment includes the following:
- Two cluster nodes of CipherTrust Manager on GCP Cloud
- K6 client on AWS
- Two nodes of HSM (in HA mode) on premises
Here are details of this deployment:
| Setup | System Volume (GB) | CPUs | Memory (GB) | Location |
|---|---|---|---|---|
| k6 Client | 50 | 8 | 64 | AWS (us-east-1) |
| CM-2.11.1 | 50 | 4 | 16 | GCP (us-central-1) |
| CM-2.11.1 | 50 | 4 | 16 | GCP (us-central-1) |
The network latency between the CipherTrust Manager and the K6 client is 29.476 ms.
Results:
| Number of Virtual Users | Total Operations | Throughput (Ops/Sec) | 90% Time |
|---|---|---|---|
| 50 | 8073 | 201.491849 | 323.26 |
| 60 | 12028 | 300.535836 | 289.25 |
| 70 | 16026 | 400.02639 | 209.51 |
| 80 | 16259 | 405.714295 | 242.97 |
| 90 | 16314 | 407.633572 | 277.7 |
| 100 | 17391 | 434.59756 | 314.73 |
| 110 | 17116 | 427.846397 | 320.92 |
| 120 | 17738 | 442.825828 | 336.91 |
| 130 | 18734 | 467.888171 | 368.49 |
| 140 | 18682 | 466.437955 | 396.66 |
| 150 | 18697 | 466.81158 | 427.09 |
| 160 | 19161 | 478.306436 | 453.75 |
| 170 | 18373 | 459.156292 | 477.44 |
| 180 | 19321 | 482.126969 | 526.24 |
| 190 | 19268 | 480.678308 | 561.78 |
| 200 | 18930 | 472.625649 | 594 |
Observation:
For this deployment, a response time compliance of 250 ms was met for a maximum throughput of 407.633572 per second.
CipherTrust Manager as a key source
Single node of CipherTrust Manager on premises, K6 client on premises
4 CPU - 16 GB RAM
This deployment includes the following:
- Single node of CipherTrust Manager on premises
- K6 client on premises
Here are details of this deployment:
| Setup | System Volume (GB) | CPUs | Memory (GB) | Location |
|---|---|---|---|---|
| k6 Client | 50 | 8 | 64 | SanJose Lab ESXi |
| CM-2.11.1 | 50 | 4 | 16 | SanJose Lab ESXi |
The network latency between the CipherTrust Manager and the K6 client is 0.730 ms.
Results:
| Number of Virtual Users | Total Operations | Throughput (Ops/Sec) | 90% Time |
|---|---|---|---|
| 90 | 46726 | 1168.127735 | 106.25 |
| 100 | 45656 | 1141.353196 | 115.56 |
| 110 | 47627 | 1190.614976 | 121.09 |
| 120 | 47388 | 1184.652163 | 135.07 |
| 130 | 45875 | 1146.845218 | 150.92 |
| 140 | 47694 | 1192.265223 | 154.17 |
| 150 | 46099 | 1152.391072 | 176.23 |
| 160 | 46753 | 1168.772465 | 185.03 |
| 170 | 46862 | 1171.457966 | 193.13 |
| 180 | 46777 | 1169.389317 | 201.95 |
| 190 | 47740 | 1193.454638 | 214.36 |
| 200 | 45410 | 1135.215976 | 237.02 |
| 210 | 47217 | 1180.386041 | 245.45 |
| 220 | 46165 | 1154.094363 | 253.37 |
| 230 | 46833 | 1170.802745 | 260.4 |
| 240 | 46756 | 1168.802403 | 266.43 |
| 250 | 45592 | 1139.766613 | 293.12 |
| 260 | 47483 | 1187.019384 | 291.09 |
| 270 | 46340 | 1158.41622 | 302.89 |
| 280 | 47134 | 1178.260181 | 304.82 |
| 290 | 47486 | 1187.052589 | 331.72 |
| 300 | 46093 | 1152.273184 | 347.54 |
Observation:
For this deployment, a response time compliance of 250 ms was met for a maximum throughput of 1154.094363 per second.
8 CPU - 32 GB RAM
This deployment includes the following:
- Single node of CipherTrust Manager on premises
- K6 client on premises
Here are details of this deployment:
| Setup | System Volume (GB) | CPUs | Memory (GB) | Location |
|---|---|---|---|---|
| k6 Client | 50 | 8 | 64 | SanJose Lab ESXi |
| CM-2.11.1 | 50 | 8 | 32 | SanJose Lab ESXi |
The network latency between the CipherTrust Manager and the K6 client is 0.730 ms.
Results:
| Number of Virtual Users | Total Operations | Throughput (Ops/Sec) | 90% Time |
|---|---|---|---|
| 200 | 108572 | 2714.132852 | 101.53 |
| 210 | 107513 | 2687.632044 | 107.13 |
| 220 | 107969 | 2699.092208 | 110.98 |
| 230 | 108460 | 2710.938208 | 116.41 |
| 240 | 105612 | 2640.272269 | 127.9 |
| 250 | 108884 | 2721.909181 | 128.57 |
| 260 | 105142 | 2628.295135 | 137.59 |
| 270 | 107586 | 2689.522924 | 136.49 |
| 280 | 108137 | 2703.191081 | 138.57 |
| 290 | 108689 | 2717.04585 | 143.47 |
| 300 | 106471 | 2661.621086 | 155.66 |
| 310 | 107243 | 2680.951166 | 155.33 |
| 320 | 104490 | 2611.856954 | 165.83 |
| 330 | 108011 | 2700.101438 | 163.48 |
| 340 | 106931 | 2673.031387 | 189.71 |
| 350 | 106606 | 2665.063073 | 176.93 |
| 360 | 106912 | 2672.510226 | 177 |
| 370 | 103426 | 2585.588873 | 201.11 |
| 380 | 105846 | 2646.028172 | 189.64 |
| 390 | 107108 | 2677.637119 | 195.95 |
| 400 | 106064 | 2651.43707 | 201.99 |
| 410 | 106670 | 2666.640371 | 200.42 |
| 420 | 107517 | 2687.715315 | 205.94 |
| 430 | 106777 | 2669.35678 | 212.39 |
| 440 | 106254 | 2656.301849 | 218.38 |
| 450 | 105980 | 2649.265159 | 226.94 |
| 460 | 108678 | 2716.786957 | 223.25 |
| 470 | 105867 | 2646.405144 | 229.43 |
| 480 | 106560 | 2663.778913 | 239 |
| 490 | 104493 | 2612.032179 | 245.18 |
| 500 | 107428 | 2685.476036 | 245.48 |
| 510 | 107797 | 2694.760117 | 241.88 |
| 520 | 105859 | 2646.351737 | 254.93 |
| 530 | 108447 | 2710.858349 | 253.88 |
| 540 | 107775 | 2693.815777 | 260.54 |
| 550 | 103867 | 2596.150634 | 289.24 |
| 560 | 91027 | 2275.505976 | 329.24 |
| 570 | 98877 | 2471.649406 | 302.61 |
| 580 | 104215 | 2605.251268 | 289.67 |
| 590 | 106646 | 2665.986521 | 291.77 |
| 600 | 105292 | 2631.839692 | 293.82 |
Observation:
For this deployment, a response time compliance of 250 ms was met for a maximum throughput of 2646.351737 per second.
16 CPU - 32 GB RAM
This deployment includes the following:
- Single node of CipherTrust Manager on premises
- K6 client on premises
| Setup | System Volume (GB) | CPUs | Memory (GB) | Location |
|---|---|---|---|---|
| k6 Client | 50 | 8 | 64 | SanJose Lab ESXi |
| CM-2.11.1 | 50 | 16 | 32 | SanJose Lab ESXi |
The network latency between the CipherTrust Manager and the K6 client is 0.730 ms.
Results:
| Number of Virtual Users | Total Operations | Throughput (Ops/Sec) | 90% Time |
|---|---|---|---|
| 450 | 237073 | 5926.600974 | 105.09 |
| 500 | 237891 | 5946.404505 | 112.32 |
| 550 | 232386 | 5809.427737 | 125.85 |
| 600 | 239223 | 5979.227757 | 130.02 |
| 650 | 237962 | 5948.605547 | 141.17 |
| 700 | 239296 | 5981.690633 | 150.2 |
| 750 | 238349 | 5958.170732 | 159.48 |
| 800 | 241055 | 6025.977057 | 169.32 |
| 850 | 235010 | 5874.795624 | 182.45 |
| 900 | 225869 | 5646.398802 | 210.82 |
| 950 | 238279 | 5956.255117 | 198.68 |
| 1000 | 237937 | 5947.811578 | 207.82 |
| 1050 | 237716 | 5942.213984 | 218.33 |
| 1100 | 238211 | 5954.88409 | 226 |
| 1150 | 240137 | 6003.072035 | 236.04 |
| 1200 | 242326 | 6057.87667 | 244.45 |
| 1210 | 242763 | 6068.837597 | 246.14 |
| 1220 | 243201 | 6079.798524 | 247.82 |
| 1250 | 244514 | 6112.681305 | 252.87 |
Observation:
For this deployment, a response time compliance of 250 ms was met for a maximum throughput of 6112.681305 per second.
Single node of CipherTrust Manager on GCP, K6 client on AWS
This deployment includes the following:
- Single node of CipherTrust Manager on GCP Cloud
- K6 client on AWS
| Setup | System Volume (GB) | CPUs | Memory (GB) | Location |
|---|---|---|---|---|
| k6 Client | 50 | 8 | 64 | AWS (us-east-1) |
| CM-2.11.1 | 50 | 4 | 16 | GCP (us-central-1) |
The network latency between the CipherTrust Manager and the K6 client is 29.476 ms.
Results:
| Number of Virtual Users | Total Operations | Throughput (Ops/Sec) | 90% Time |
|---|---|---|---|
| 50 | 21884 | 547.093178 | 113.14 |
| 60 | 22434 | 560.710964 | 132.19 |
| 70 | 22457 | 561.273174 | 157.98 |
| 80 | 23081 | 576.869185 | 168.56 |
| 90 | 23086 | 576.986894 | 196.33 |
| 100 | 23084 | 576.615912 | 229.77 |
| 110 | 23611 | 589.93677 | 244.65 |
| 120 | 23612 | 389.971801 | 264.87 |
| 130 | 23119 | 577.695201 | 300.05 |
| 140 | 23127 | 577.954035 | 318.79 |
| 150 | 23266 | 581.336016 | 358.63 |
| 160 | 24791 | 619.637581 | 344.87 |
| 170 | 24067 | 601.346708 | 408.58 |
| 180 | 24292 | 607.122047 | 412.1 |
| 190 | 23905 | 597.135154 | 429.96 |
| 200 | 23974 | 599.1375 | 455.52 |
| 210 | 22225 | 555.446348 | 500.47 |
| 220 | 24882 | 621.629199 | 471.24 |
| 230 | 25116 | 627.414426 | 482.22 |
| 240 | 25387 | 634.487322 | 510.06 |
| 250 | 24851 | 389.19375 | 561.02 |
| 260 | 24889 | 622.076392 | 581.02 |
Observation:
For this deployment, a response time compliance of 250 ms was met for a maximum throughput of 389.971801 per second.
Single node of CipherTrust Manager on AWS, K6 client on AWS
This deployment includes the following:
- Single node of CipherTrust Manager on AWS
- K6 client on AWS
| Setup | System Volume (GB) | CPUs | Memory (GB) | Location |
|---|---|---|---|---|
| k6 Client | 50 | 8 | 64 | AWS (us-east-1) |
| CM-2.11.1 | 50 | 4 | 16 | AWS (us-east-1) |
The network latency between the CipherTrust Manager and the K6 client is 0.515 ms.
Results:
| Number of Virtual Users | Total Operations | Throughput (Ops/Sec) | 90% Time |
|---|---|---|---|
| 50 | 37535 | 938.334429 | 73.35 |
| 100 | 38745 | 968.593287 | 140.72 |
| 150 | 38386 | 959.62642 | 211.53 |
| 200 | 37192 | 929.770284 | 298.63 |
| 250 | 37392 | 934.748604 | 369.35 |
| 300 | 36731 | 918.200794 | 450.55 |
| 350 | 37259 | 931.380753 | 503 |
| 400 | 37976 | 949.319603 | 550.38 |
Observation:
For this deployment, a response time compliance of 250 ms was met for a maximum throughput of 929.770284 per second.
Two clustered CipherTrust Manager nodes on AWS, K6 client on AWS
This deployment includes the following:
- Two clustered nodes of CipherTrust Manager on AWS
- K6 client on AWS
| Setup | System Volume (GB) | CPUs | Memory (GB) | Location |
|---|---|---|---|---|
| k6 Client | 50 | 8 | 64 | AWS (us-east-1) |
| CM-2.11.1 | 50 | 4 | 16 | AWS (us-east-1) |
| CM-2.11.1 | 50 | 4 | 16 | AWS (us-east-1) |
The network latency between the CipherTrust Manager and the K6 client is 0.515 ms.
Results:
| Number of Virtual Users | Total Operations | Throughput (Ops/Sec) | 90% Time |
|---|---|---|---|
| 50 | 75488 | 1887.087646 | 37.04 |
| 100 | 75724 | 1893.008797 | 74.1 |
| 150 | 78373 | 1959.190548 | 104.05 |
| 200 | 78286 | 1957.096186 | 136.88 |
| 250 | 76990 | 1924.686689 | 174.14 |
| 300 | 78426 | 1960.606549 | 208.27 |
| 350 | 77211 | 1930.219812 | 250.07 |
| 400 | 76152 | 1903.644125 | 282.48 |
| 450 | 78339 | 1958.447676 | 319.52 |
| 500 | 77479 | 1936.947471 | 348.31 |
| 550 | 77423 | 1935.50092 | 379.68 |
| 600 | 78721 | 1967.922819 | 412.16 |
| 650 | 78226 | 1955.612616 | 435.96 |
| 700 | 77420 | 1935.364058 | 477.81 |
| 750 | 78340 | 1958.367054 | 515.7 |
| 800 | 75553 | 1888.684818 | 550.19 |
Observation:
For this deployment, a response time compliance of 250 ms was met for a maximum throughput of 1930.219812 per second.
Conclusion
- The performance improves with higher number of CPUs. The minimum number of CPUs and RAM required: 4 CPUs and 16 GB RAM.
- Performance linearly improves with adding more CipherTrust Manager nodes.
Partition mode (Export vs Clone) does not have any impact on performance.
Changing HSM connections (STC vs NTLS) does not have significant affect on performance.
- If you are using Luna Network HSM as your key source for AWS HYOK, ensure the CipherTrust Manager and the HSM are geographically close and has the lowest possible latency. Increasing the latency to the HSM results in degradation in performance.
Different models of Luna 7 HSMs have their maximum throughput. Depending on your requirement, ensure to choose a model that can meet your needs. Ensure the HSM throughput does not become a bottle neck for the deployment. Refer to Luna HSM documentation for more information. CCKM uses the AES-GCM small packet encryption algorithm on a Luna HSM for AWS XKS operations. Refer to the Luna Network HSM 7 Specifications section under the Specifications tab (next to Overview and Features) within Thales LUNA HSM to view the performance numbers for the various Luna HSM models using the AES-GCM small packet encryption algorithm.
The results captured was for one HYOK key in one key store, which represents the total throughput. When the number of key stores is higher, the total throughput will be cumulative across key stores.
