feat(kms-app): ZeroKMS vs AWS KMS load-test harness #18
Open
coderdan wants to merge 2 commits into
A self-contained Next.js + Artillery subproject for comparing field-level encryption backends under HTTP load, replacing the older lost harness.

- Swappable backend via ENCRYPTION_BACKEND (zerokms via @cipherstash/stack, aws-kms via @aws-sdk/client-kms) behind a common EncryptionBackend interface
- CRUD API: POST /api/users (encrypt+store), GET /api/users/:id (read+decrypt), GET /api/health (readiness)
- Artillery profile (create-then-read flow) + results summarizer
- Uses the benches native Postgres cluster (:5400); sql/schema.sql
- README documents fairness caveats (direct-KMS vs envelope encryption) and the run/compare workflow

Self-contained npm scripts; does not touch the root mise.toml. Not yet installed/built (needs network + backend credentials).

KMS protects a local AES-256 data key; field values are encrypted locally with AES-256-GCM. Removes the 4KB direct-KMS limit and, via data-key caching (ENVELOPE_DATA_KEY_MAX_USES), avoids one KMS call per value — the fairer high-throughput comparison against ZeroKMS.

- new backend behind the existing EncryptionBackend interface; selectable via ENCRYPTION_BACKEND=aws-kms-envelope
- write-side DEK reuse + bounded read-side plaintext-DEK cache
- serve/load npm scripts; report now spans all three backends (skips any not run)
- README fairness section + .env.example updated; naive aws-kms TODO resolved

Local AES-GCM round-trip + auth-tag tamper rejection verified standalone.
Scaffolds a self-contained Next.js + Artillery subproject under kms-app/ for comparing field-level encryption backends under HTTP load. Replaces the older comparison app (which appears lost) and gives it a home next to the EQL/PostgreSQL benchmarks.

What it does

The same thin CRUD app, same Postgres, same load profile — only the encryption backend changes, selected per server process by ENCRYPTION_BACKEND:

- zerokms @cipherstash/stack), unique key per record
- aws-kms
- aws-kms-envelope ENVELOPE_DATA_KEY_MAX_USES)

All three implement a common EncryptionBackend interface (lib/encryption/). API: POST /api/users (encrypt+store), GET /api/users/:id (read+decrypt), GET /api/health (readiness). Artillery drives a create-then-read flow; scripts/summarize.mjs turns the JSON outputs into a side-by-side latency/throughput table (skips any backend you didn't run).

Why three AWS variants matter

aws-kms (direct) is 4 KB-limited and region-rate-limited — a saturation run partly measures KMS throttling. aws-kms-envelope is how AWS recommends encrypting bulk application data and, with data-key caching, is the fair high-throughput comparison (set ENVELOPE_DATA_KEY_MAX_USES=1 for the no-caching worst case). Report write and read paths separately. Full fairness notes in the README.

Conventions

- :5400); sql/schema.sql
- results/ (gitignored, dir kept)
- package.json scripts — does not touch the root mise.toml

Status

- npm install-ed or built — needs network + backend credentials. The @cipherstash/stack API surface is modeled on the published docs examples; confirm on install.
- load/users.yml against the original Artillery Cloud scenario (share sh_75edb…); add a committable Markdown report:build. This harness is the intended source for the docs' currently-unsourced "14× faster than AWS KMS" claim (Finish ZeroKMS vs HSM comparison + add comparison diagrams docs#32).
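
The envelope scheme the second commit describes (write-side DEK reuse bounded by ENVELOPE_DATA_KEY_MAX_USES, a bounded read-side plaintext-DEK cache, AES-256-GCM tamper rejection), as an added example that is not code from this PR. FakeKms, EnvelopeBackend, seal and open are hypothetical names, and FakeKms is a synchronous in-memory stand-in for AWS KMS that only wraps keys and counts calls.

```javascript
// Added example: envelope encryption with bounded data-key reuse (all names hypothetical).
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// AES-256-GCM with a fresh 96-bit IV per message; output = iv || tag || ciphertext.
function seal(key, data) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(data), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // final() throws on tamper
}

// Local stand-in for KMS GenerateDataKey/Decrypt: wraps DEKs under an in-memory
// root key and counts calls. A real backend would call AWS KMS over the network.
class FakeKms {
  constructor() { this.rootKey = randomBytes(32); this.calls = 0; }
  generateDataKey() {
    this.calls++;
    const plaintext = randomBytes(32);
    return { plaintext, wrapped: seal(this.rootKey, plaintext) };
  }
  decrypt(wrapped) { this.calls++; return open(this.rootKey, wrapped); }
}

class EnvelopeBackend {
  constructor(kms, maxUses, readCacheSize = 64) {
    Object.assign(this, { kms, maxUses, readCacheSize, dek: null, uses: 0, readCache: new Map() });
  }
  encrypt(value) {
    // Write side: reuse one DEK for at most maxUses values, then ask KMS for a new one.
    if (!this.dek || this.uses >= this.maxUses) { this.dek = this.kms.generateDataKey(); this.uses = 0; }
    this.uses++;
    return { wrappedKey: this.dek.wrapped, data: seal(this.dek.plaintext, Buffer.from(value, 'utf8')) };
  }
  decrypt({ wrappedKey, data }) {
    // Read side: bounded FIFO cache of unwrapped DEKs, keyed by the wrapped key bytes.
    const id = wrappedKey.toString('base64');
    let key = this.readCache.get(id);
    if (!key) {
      key = this.kms.decrypt(wrappedKey);
      if (this.readCache.size >= this.readCacheSize) this.readCache.delete(this.readCache.keys().next().value);
      this.readCache.set(id, key);
    }
    return open(key, data).toString('utf8');
  }
}
```

With maxUses set to 1 every stored value costs one KMS call on write; larger values trade KMS calls for a plaintext data key that stays in process memory longer and protects more records.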