
Does AWS RDS encryption with KMS affect performance?

Amazon states that

Encryption and decryption are handled transparently so you don’t have to modify your application to access your data

My application (Rails, MySQL, Elasticsearch) builds a lot of graphics and therefore queries a lot of data. From my prior experience with database encryption, it really affects data retrieving speed (as we can only say if record matches condition after reading and decrypting it).

Are there any relevant benchmarks? Or maybe you have worked with such server-side encryption from AWS? Do I need to worry about performance changes at all?

Also, it's not quite clear to me whether it is possible to also encrypt Elasticsearch data in the same 'transparent' way. I'd also use your advice on that.

borisano asked Aug 14 '16 13:08


1 Answer

From my prior experience with database encryption, it really affects data retrieving speed (as we can only say if record matches condition after reading and decrypting it).

That would be the case if each value of each record was encrypted before being inserted into the database. That's not how RDS encryption works. RDS encryption works by enabling encryption of the EBS volume(s) that the database is stored on. To the RDS database engine the data does not appear to be encrypted. It's the same as enabling encryption on an EBS volume attached to your EC2 server.

Regarding performance, I have not noticed any decrease in performance when enabling encryption on RDS and EBS. Per the AWS documentation here:

you can expect the same IOPS performance on encrypted volumes as you would with unencrypted volumes, with a minimal effect on latency.


Note that this is "encryption at rest". If you also need the data to be "encrypted in transit" then you will need to look into using SSL connections for all your database connections, and possibly enabling a setting in your database to enforce SSL connections.


Regarding your second question, AWS does not appear to support encryption-at-rest for the ElasticSearch service at this time. For encryption-in-transit you can use HTTPS connections, as per the AWS Support response to this question:

You can use https for encrypted communication with your domain.

Communication between nodes is not encrypted. The nodes themselves are hosted within our VPC, and all communication between nodes remains within it.

Mark B answered Sep 25 '22 12:09
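
The answer separates two controls: storage-level encryption at rest and enforced SSL/TLS in transit. The following added example (not part of the original answer) checks both per instance. It assumes input shaped like the responses of boto3's rds.describe_db_instances() and rds.describe_db_parameters(), and the engine parameters require_secure_transport (MySQL) and rds.force_ssl (PostgreSQL); instance names, parameter group names and the key ARN are constructed placeholders.

```python
# Added example; input dicts mirror boto3 rds.describe_db_instances() and
# rds.describe_db_parameters() responses. All sample data is constructed.
# Engine parameter that makes the server reject non-TLS connections.
TLS_PARAM = {"mysql": "require_secure_transport", "postgres": "rds.force_ssl"}


def audit_instance(inst, params_by_group):
    """Return a list of findings for one DBInstance record."""
    findings = []
    # Encryption at rest is a property of the storage volume, not of rows.
    if not inst.get("StorageEncrypted"):
        findings.append("storage not encrypted at rest")
    elif not inst.get("KmsKeyId"):
        findings.append("encrypted but no KMS key recorded")
    # Encryption in transit is separate and has to be enforced server-side.
    name = TLS_PARAM.get(inst.get("Engine"))
    if name is None:
        findings.append("unknown engine, TLS enforcement not checked")
        return findings
    enforced = False
    for grp in inst.get("DBParameterGroups", []):
        for p in params_by_group.get(grp["DBParameterGroupName"], []):
            if p["ParameterName"] == name:
                enforced = str(p.get("ParameterValue", "")).upper() in ("1", "ON")
    if not enforced:
        findings.append(f"{name} not enabled, plaintext connections allowed")
    return findings


def audit(instances, params_by_group):
    # Map each instance identifier to its findings (empty list means ok).
    return {i["DBInstanceIdentifier"]: audit_instance(i, params_by_group)
            for i in instances}


# Constructed sample data: hypothetical names, placeholder key ARN.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "reports-db", "Engine": "mysql",
     "StorageEncrypted": True, "KmsKeyId": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER",
     "DBParameterGroups": [{"DBParameterGroupName": "mysql-tls"}]},
    {"DBInstanceIdentifier": "legacy-db", "Engine": "mysql",
     "StorageEncrypted": False,
     "DBParameterGroups": [{"DBParameterGroupName": "mysql-plain"}]},
]
SAMPLE_PARAMS = {
    "mysql-tls": [{"ParameterName": "require_secure_transport", "ParameterValue": "1"}],
    "mysql-plain": [{"ParameterName": "require_secure_transport", "ParameterValue": "0"}],
}

if __name__ == "__main__":
    for ident, found in audit(SAMPLE_INSTANCES, SAMPLE_PARAMS).items():
        print(ident, found or "ok")
```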