
Improve decryption lookup performance

Open · ejholmes opened this issue 7 years ago · 1 comment

The KMS lookup is really handy for field level encryption, but it's also really slow if you use it a lot. This is because:

  1. Each ${kms} lookup is a separate network call to kms:Decrypt
  2. kms:Decrypt calls happen sequentially, instead of in parallel.

It may be nice to support a new ${decrypt} lookup, using something like NaCl secretbox, backed by a data encryption key from kms. This would allow you to keep a top level data encryption key (e.g. returned from kms:GenerateDataKey) and use it to perform fast decryption of field level values within variables.

An example stacker config might look like:

encryption:
  key_a: ${kms us-east-1@<ciphertext>}

stacks:
  - name: app
    variables:
      SuperSecretThing: ${decrypt key_a@<ciphertext>}

ejholmes avatar Sep 20 '18 00:09 ejholmes

Sounds like a great idea.

phobologic avatar Sep 21 '18 16:09 phobologic