Does AWS RDS encryption with KMS affect performance?

Submitted by 主宰稳场 on 2019-12-22 02:25:11

Question


Amazon states that

Encryption and decryption are handled transparently so you don’t have to modify your application to access your data

My application (Rails, MySQL, Elasticsearch) builds a lot of graphics and therefore queries a lot of data. From my prior experience with database encryption, it really affects data retrieving speed (as we can only say if record matches condition after reading and decrypting it).

Are there any relevant benchmarks? Or maybe you have worked with such server-side encryption from AWS? Do I need to worry about performance changes at all?

Also, it's not quite clear to me whether it is possible to also encrypt Elasticsearch data in the same 'transparent' way. I could also use your advice on that.


Answer 1:


From my prior experience with database encryption, it really affects data retrieving speed (as we can only say if record matches condition after reading and decrypting it).

That would be the case if each value of each record was encrypted before being inserted into the database. That's not how RDS encryption works. RDS encryption works by enabling encryption of the EBS volume(s) that the database is stored on. To the RDS database engine the data does not appear to be encrypted. It's the same as enabling encryption on an EBS volume attached to your EC2 server.

Regarding performance, I have not noticed any decrease in performance when enabling encryption on RDS and EBS. Per the AWS documentation here:

you can expect the same IOPS performance on encrypted volumes as you would with unencrypted volumes, with a minimal effect on latency.


Note that this is "encryption at rest". If you also need the data to be "encrypted in transit" then you will need to look into using SSL connections for all your database connections, and possibly enabling a setting in your database to enforce SSL connections.


Regarding your second question, AWS does not appear to support encryption-at-rest for the ElasticSearch service at this time. For encryption-in-transit you can use HTTPS connections, as per the AWS Support response to this question:

You can use https for encrypted communication with your domain.

Communication between nodes is not encrypted. The nodes themselves are hosted within our VPC, and all communication between nodes remains within it.
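
The answer's two separate properties (volume-level encryption at rest, enforced SSL in transit) can be checked from instance metadata. This is an added example, not code from the original post: the dictionaries mirror the shape of boto3 `describe_db_instances` and `describe_db_parameters` responses, the sample data and group names are constructed, and it assumes a MySQL engine whose parameter group exposes `require_secure_transport`.

```python
# Added example: audit RDS metadata for encryption at rest and enforced TLS.
# All sample values below are constructed placeholders, not real resources.

def tls_enforced(db, params_by_group):
    """True if any attached parameter group turns on require_secure_transport."""
    for grp in db.get("DBParameterGroups", []):
        for p in params_by_group.get(grp["DBParameterGroupName"], []):
            if (p["ParameterName"] == "require_secure_transport"
                    and str(p.get("ParameterValue", "")).upper() in ("1", "ON")):
                return True
    return False

def audit_rds(instances, params_by_group):
    """Return (instance_id, finding) tuples in input order."""
    findings = []
    for db in instances:
        name = db["DBInstanceIdentifier"]
        # At rest: volume encryption is reported as StorageEncrypted.
        if not db.get("StorageEncrypted", False):
            findings.append((name, "storage not encrypted at rest"))
        # In transit: at-rest encryption says nothing about client connections.
        if db.get("Engine") == "mysql" and not tls_enforced(db, params_by_group):
            findings.append((name, "TLS not enforced for client connections"))
    return findings

SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "app-db", "Engine": "mysql",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE",
     "DBParameterGroups": [{"DBParameterGroupName": "tls-required"}]},
    {"DBInstanceIdentifier": "legacy-db", "Engine": "mysql",
     "StorageEncrypted": False,
     "DBParameterGroups": [{"DBParameterGroupName": "tls-optional"}]},
    {"DBInstanceIdentifier": "reports-db", "Engine": "mysql",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE",
     "DBParameterGroups": [{"DBParameterGroupName": "no-tls-param"}]},
]
SAMPLE_PARAMS = {
    "tls-required": [{"ParameterName": "require_secure_transport",
                      "ParameterValue": "1"}],
    "tls-optional": [{"ParameterName": "require_secure_transport",
                      "ParameterValue": "0"}],
}

if __name__ == "__main__":
    for instance_id, finding in audit_rds(SAMPLE_INSTANCES, SAMPLE_PARAMS):
        print(f"{instance_id}: {finding}")
```
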



Source: https://stackoverflow.com/questions/38942918/does-aws-rds-encryption-with-kms-affect-performance
