Google EKM Performance Summary
We have tested six environments to capture performance metrics for the CipherTrust Cloud Key Manager (CCKM) Google External Key Manager (EKM) integration. The results provided in this document demonstrate the effects of deployment choices on throughput for EKM endpoint wrap operations. The results can help you plan your CipherTrust Manager deployment to meet your performance needs for Google EKM.
There is a Google requirement that wrap and unwrap requests must be completed within 150 ms and so results are presented to show the throughput possible before meeting that threshold.
Note
Actual performance numbers in your environment can be different. The results can vary based on factors such as how and where the CipherTrust Manager is deployed, CipherTrust Manager resources, the location of clients, the network connectivity, and how the traffic is load-balanced.
Tested Environments
All environments used an open source k6.io tool as the REST client, run from a Debian virtual machine. The Virtual Machine was hosted on Google Cloud Platform (GCP) in us central 1a zone with 8 vCPUs of 64 GB memory, and 50 GB memory disk.
The following CipherTrust Manager deployments were tested:
Google Cloud Platform deployments:
AWS Cloud deployments:
CipherTrust Managers were deployed as geographically close to the k6.io client as possible, to avoid potential network latencies which can occur when crossing geographic regions.In your EKM deployment, we similarly recommend deploying the Virtual CipherTrust Manager instance geographically close to one of the Google Cloud KMS regions where you intend to set up the Google Cloud KMS key ring.
Network Requirements
The following ports were opened to ensure CipherTrust Manager/CCKM communication:
| Type | Protocol | Port Range |
|---|---|---|
| SSH | TCP | 22 |
| HTTPS | TCP | 443 |
| PostgeSQL (for cluster) | TCP | 5432 |
Test Process
The test consisted of starting a given number of virtual users to perform wrap operations on the EKM endpoint. Each user simulated a separate thread.
Total test duration was 40 seconds for each reading. The test was divided into the following increments:
Ramp-up time was 5 seconds. Virtual users were started.
Test duration was 30 seconds for each reading. Virtual users make wrap requests during that time.
Ramp-down time was 5 seconds. Virtual users were stopped until there were zero active virtual users.
Repeating the Test in Your Environment
We have published the scripts used with k6.io on Github, for you to repeat the tests in your own environments as desired.
Google Cloud Deployment Results
For each environment, operations per second are charted against response time (within 90% of the operations). The Google threshold of 150 ms is shown.
GCP Single Node with 4 CPUs 16 GB RAM
This deployment includes a single node with 4 CPUs and 16 GB memory. Both the CCKM instance and k6 client are on GCP. Here are details of this deployment:
| Setup | System Volume | CPUs | Memory | CM Location |
|---|---|---|---|---|
| k6 Client | 50 GB | 8 | 64 GB | us-central1-a |
| CipherTrust Manager-2.11.1-9650 | 50 GB | 4 | 16 GB | us-central1-a |
| Virtual Users | Run time | operations/second | Time taken (ms) |
|---|---|---|---|
| 10 | 40 | 17.128677 | 12.28 |
| 20 | 40 | 34.131589 | 15.65 |
| 30 | 40 | 51.078121 | 21.17 |
| 40 | 40 | 67.495063 | 28.18 |
| 50 | 40 | 84.489887 | 25.68 |
| 60 | 40 | 99.229655 | 51.26 |
| 70 | 40 | 115.031462 | 74.41 |
| 80 | 40 | 128.49213 | 107.74 |
| 90 | 40 | 140.081857 | 167.61 |
| 100 | 40 | 147.564764 | 239.16 |
| 110 | 40 | 159.864781 | 231.13 |
| 120 | 40 | 170.39233 | 261.07 |
GCP Single Node with 8 CPUs 64 GB RAM
This deployment includes a single node with 8 CPUs and 64 GB memory. Both the CCKM instance and k6 client are on GCP. Here are details of this deployment:
| Setup | System Volume | CPUs | Memory | CM Location |
|---|---|---|---|---|
| k6 Client | 50 GB | 8 | 64 GB | us-central1-a |
| CipherTrust Manager-2.11.1-9650 | 50 GB | 8 | 64 GB | us-central1-a |
| Virtual Users | Run time | operations/second | Time taken (ms) |
|---|---|---|---|
| 10 | 40 | 17.195846 | 10.71 |
| 20 | 40 | 34.483597 | 11.42 |
| 30 | 40 | 51.238013 | 14.41 |
| 40 | 40 | 68.537726 | 14.78 |
| 50 | 40 | 85.408548 | 13.61 |
| 60 | 40 | 102.824163 | 16.55 |
| 70 | 40 | 119.151866 | 15.62 |
| 80 | 40 | 136.375668 | 15.51 |
| 90 | 40 | 153.182252 | 16.48 |
| 100 | 40 | 171.242637 | 15.70 |
| 110 | 40 | 187.627874 | 18.24 |
| 120 | 40 | 204.609053 | 21.36 |
| 130 | 40 | 220.006562 | 28.71 |
| 140 | 40 | 236.131067 | 27.01 |
| 150 | 40 | 254.164297 | 27.95 |
| 160 | 40 | 269.268795 | 35.34 |
| 170 | 40 | 284.350237 | 46.32 |
| 180 | 40 | 297.665916 | 64.83 |
| 190 | 40 | 317.407079 | 44.94 |
| 200 | 40 | 333.846892 | 41.24 |
| 210 | 40 | 342.163071 | 81.55 |
| 220 | 40 | 357.614392 | 83.49 |
| 230 | 40 | 368.557695 | 105.36 |
| 240 | 40 | 383.538218 | 104.80 |
| 250 | 40 | 397.327756 | 125.62 |
| 260 | 40 | 405.167935 | 143.98 |
| 270 | 40 | 415.166388 | 172.50 |
| 280 | 40 | 421.803097 | 192.47 |
| 290 | 40 | 445.06695 | 154.35 |
| 300 | 40 | 449.011222 | 197.75 |
| 310 | 40 | 445.623924 | 232.46 |
GCP Two Node Cluster with 4 CPUs 16 GB RAM each
This deployment includes two clustered CipherTrust Manager nodes and a load balancer. Each node has 4 CPUs and 16 GB RAM. The CCKM instances, load balancer, and k6 client are on GCP. Here are details of this deployment:
| Setup | System Volume | CPUs | Memory | CM Location |
|---|---|---|---|---|
| k6 Client | 50 GB | 8 | 64 GB | us-central1-a |
| CipherTrust Manager-2.11.1-9650 | 50 GB | 4 | 16 GB | us-central1-a |
| CipherTrust Manager-2.11.1-9650 | 50 GB | 4 | 16 GB | us-central1-a |
| Virtual Users | Run time | operations/second | Time taken |
|---|---|---|---|
| 10 | 40 | 16.933648 | 25.36 |
| 20 | 40 | 33.919138 | 27.43 |
| 30 | 40 | 50.790014 | 24.65 |
| 40 | 40 | 67.988872 | 25.38 |
| 50 | 40 | 84.994217 | 24.36 |
| 60 | 40 | 101.052646 | 25.73 |
| 70 | 40 | 117.893556 | 27.03 |
| 80 | 40 | 134.42209 | 29.42 |
| 90 | 40 | 151.622632 | 26.88 |
| 100 | 40 | 167.016231 | 34.71 |
| 110 | 40 | 183.838216 | 31.55 |
| 120 | 40 | 199.663086 | 40.23 |
| 130 | 40 | 215.480264 | 52.79 |
| 140 | 40 | 231.106931 | 47.81 |
| 150 | 40 | 246.236306 | 56.34 |
| 160 | 40 | 260.515979 | 69.89 |
| 170 | 40 | 276.584743 | 71.87 |
| 180 | 40 | 285.872371 | 103.50 |
| 190 | 40 | 298.094234 | 127.96 |
| 200 | 40 | 312.950692 | 133.10 |
| 210 | 40 | 323.618858 | 174.34 |
| 220 | 40 | 320.245097 | 249.39 |
GCP Two Node Cluster with 8 CPUs 64 GB RAM each
This deployment includes two clustered CipherTrust Manager nodes and a load balancer. Each node has 8 CPUs and 64 GB RAM. The CCKM instances, load balancer, and k6 client are on GCP. Here are details of this deployment:
| Setup | System Volume | CPUs | Memory | CM Location |
|---|---|---|---|---|
| k6 Client | 50 GB | 8 | 64 GB | us-central1-a |
| CipherTrust Manager-2.11.1-9650 | 50 GB | 8 | 64 GB | us-central1-a |
| CipherTrust Manager-2.11.1-9650 | 50 GB | 8 | 64 GB | us-central1-a |
| Virtual Users | Run time | operations/seccond | Time taken |
|---|---|---|---|
| 50 | 40 | 85.517417 | 14.46 |
| 100 | 40 | 169.774173 | 16.39 |
| 150 | 40 | 255.329062 | 18.37 |
| 200 | 40 | 340.257077 | 17.98 |
| 250 | 40 | 425.298916 | 19.19 |
| 300 | 40 | 508.189417 | 21.05 |
| 350 | 40 | 589.549419 | 28.54 |
| 400 | 40 | 672.584463 | 29.66 |
| 450 | 40 | 744.992112 | 51.04 |
| 500 | 40 | 811.565106 | 76.48 |
| 550 | 40 | 868.288425 | 122.31 |
| 600 | 40 | 916.005949 | 170.52 |
| 650 | 40 | 941.168986 | 225.58 |
| 700 | 40 | 966.152862 | 309.11 |
| 750 | 40 | 1030.021185 | 441.66 |
| 800 | 40 | 1036.617214 | 517.10 |
AWS Cloud Deployment Results
For each environment, operations per second are charted against response time (within 90% of the operations).
AWS Cloud Single Node with 4 CPUs 16 GB RAM
This deployment includes a single node with 4 CPUs and 16 GB memory. The CCKM instance is on AWS cloud and the K6 client is on GCP. Here are details of this deployment:
| Setup | System Volume | CPUs | Memory | CM Location |
|---|---|---|---|---|
| k6 Client | 50 GB | 8 | 64 GB | us-central1-a |
| CipherTrust Manager-2.11.1-9650 | 50 GB | 4 | 16 GB | us-east-1 (N. Virginia) |
| Virtual Users | Run time | operations/second | Time taken (ms) |
|---|---|---|---|
| 10 | 40 | 16.463051 | 38.64 |
| 20 | 40 | 32.609432 | 38.45 |
| 30 | 40 | 48.793795 | 38.33 |
| 40 | 40 | 65.174326 | 39.23 |
| 50 | 40 | 81.490359 | 41.86 |
| 60 | 40 | 97.587339 | 39.93 |
| 70 | 40 | 113.92342 | 41.60 |
| 80 | 40 | 129.689105 | 43.01 |
| 90 | 40 | 144.200816 | 63.91 |
| 100 | 40 | 159.4371 | 72.62 |
| 110 | 40 | 173.811015 | 80.92 |
| 120 | 40 | 189.979549 | 77.67 |
| 130 | 40 | 201.09059 | 115.29 |
| 140 | 40 | 216.295868 | 129.43 |
| 150 | 40 | 223.625394 | 176.25 |
| 160 | 40 | 227.379309 | 236.40 |
AWS Cloud Single Node with 8 CPUs 64 GB RAM
This deployment includes a single node with 8 CPUs and 64 GB memory. The CCKM instance is on AWS cloud and the k6 client is on GCP. Here are details of this deployment:
| Setup | System Volume | CPUs | Memory | CM Location |
|---|---|---|---|---|
| k6 Client | 50 GB | 8 | 64 GB | us-central1-a |
| CipherTrust Manager-2.11.1-9650 | 50 GB | 8 | 64 GB | us-east-1 (N. Virginia) |
| Virtual Users | Run time | operations/second | Time taken (ms) |
|---|---|---|---|
| 10 | 40 | 16.492342 | 33.99 |
| 20 | 40 | 32.90742 | 34.79 |
| 30 | 40 | 49.043675 | 34.04 |
| 40 | 40 | 65.427584 | 35.19 |
| 50 | 40 | 81.827261 | 35.74 |
| 60 | 40 | 98.073539 | 35.01 |
| 70 | 40 | 114.684917 | 35.28 |
| 80 | 40 | 130.841442 | 34.95 |
| 90 | 40 | 146.943168 | 35.58 |
| 100 | 40 | 163.183103 | 36.01 |
| 110 | 40 | 179.882543 | 36.39 |
| 120 | 40 | 196.185992 | 35.59 |
| 130 | 40 | 212.209226 | 36.52 |
| 140 | 40 | 228.54225 | 36.32 |
| 150 | 40 | 244.991603 | 36.47 |
| 160 | 40 | 261.448303 | 35.99 |
| 170 | 40 | 277.951132 | 36.75 |
| 180 | 40 | 291.084292 | 47.64 |
| 190 | 40 | 309.021605 | 38.30 |
| 200 | 40 | 325.403116 | 47.22 |
| 210 | 40 | 340.395326 | 52.90 |
| 220 | 40 | 352.025967 | 72.09 |
| 230 | 40 | 367.930293 | 67.80 |
| 240 | 40 | 384.138939 | 72.09 |
| 250 | 40 | 401.465902 | 64.28 |
| 260 | 40 | 416.115064 | 66.41 |
| 270 | 40 | 427.417691 | 84.61 |
| 280 | 40 | 444.777548 | 74.32 |
| 290 | 40 | 461.519153 | 72.49 |
| 300 | 40 | 469.440098 | 94.77 |
| 310 | 40 | 479.391403 | 113.95 |
| 320 | 40 | 495.338039 | 110.28 |
| 330 | 40 | 509.461413 | 117.88 |
| 340 | 40 | 514.51503 | 139.38 |
| 350 | 40 | 532.468021 | 132.88 |
| 360 | 40 | 543.400011 | 155.49 |
| 370 | 40 | 564.752063 | 139.05 |
| 380 | 40 | 576.253478 | 135.73 |
| 390 | 40 | 581.077997 | 172.77 |
| 400 | 40 | 591.480818 | 178.26 |
| 410 | 40 | 600.98002 | 206.44 |
| 420 | 40 | 611.056859 | 206.72 |
Conclusion
- Adding a second load balanced node scales performance approximately linearly. A larger performance increase was observed from adding CPU and RAM in each cloud environment.
