[Client encryption]: Optimize encryption/decryption flows #4678

juraj-blazek · 2024-09-12T12:01:16Z

Is your feature request related to a problem? Please describe.
When using the Microsoft.Azure.Cosmos.Encryption.Custom encryption package, there is a big jump in CPU and memory consumption, leading to higher compute cost, higher GC pressure, and lower throughput. This is especially sensitive in the large-scale services.

See sample benchmark results of the EncryptionProcessor (PR adding the performance tests):

Method	DocumentSizeInKb	Mean	Error	StdDev	Gen0	Gen1	Gen2	Allocated
Encrypt	1	60.05 μs	1.537 μs	2.300 μs	5.0659	1.2817	-	62.65 KB
Decrypt	1	70.76 μs	0.812 μs	1.164 μs	5.7373	1.4648	-	71.22 KB
Encrypt	10	165.23 μs	3.741 μs	5.365 μs	21.2402	3.6621	-	262.38 KB
Decrypt	10	231.32 μs	4.627 μs	6.635 μs	29.5410	3.4180	-	363.84 KB
Encrypt	100	2,572.40 μs	242.163 μs	362.458 μs	201.1719	126.9531	125.0000	2466.27 KB
Decrypt	100	2,952.48 μs	397.387 μs	557.081 μs	255.8594	210.9375	160.1563	3412.88 KB

Describe the solution you'd like
As a first step, we need to bring the allocations down as much as possible. We already started updating the core Microsoft.Data.Encryption.Cryptography dependency to add allocation-free APIs. We'll follow with contributions to Cosmos DB SDK to have them utilized.

Describe alternatives you've considered
Not using encryption. This is not a viable alternative.

Additional context
This is a placeholder issue where we'll link any optimizations PR to.

The text was updated successfully, but these errors were encountered:

…mos.Encryption.Custom` (#4679) # Pull Request Template ## Description Adding a `Microsoft.Azure.Cosmos.Encryption.Custom.Performance.Tests` with `Encrypt`/`Decrypt` benchmarks for different document size. Attaching also initial baseline report with the current memory allocations. ## Type of change Please delete options that are not relevant. - [x] New feature (non-breaking change which adds functionality) ## Closing issues Contributes to #4678 --------- Co-authored-by: Santosh Kulkarni <[email protected]> Co-authored-by: Kiran Kumar Kolli <[email protected]>

# Pull Request Template ## Description Switches usages of `JsonTextReader` and `JsonTextWriter` to use `ArrayPool<char>.Shared` for better performance and reduced memory allocations. Arrays returned to pool are zeroed for increased data security (at benchmarked cost of ~3.5% extra mean compared to non-zeroed returns). ## Type of change Please delete options that are not relevant. - [] Bug fix (non-breaking change which fixes an issue) ## Closing issues Contributes to #4678 Co-authored-by: Kiran Kumar Kolli <[email protected]>

…4739) # Pull Request Template ## Description 1. Switch frequent constants string comparison mode to `ordinal` 2. Reduce allocations and validations complexity ## Type of change Please delete options that are not relevant. - [] Bug fix (non-breaking change which fixes an issue) ## Closing issues Contributes to #4678

# Pull Request Template ## Description On Encryption path we are switching to MDE API with offsets. This allows reducing of allocations. To sustain compatibility, enhanced API is backward implemented to obsoleted local copy of encryption algorithm. No performance optimizations on obsoleted code paths. ## Type of change Please delete options that are not relevant. - [] Bug fix (non-breaking change which fixes an issue) ## Closing issues Contributes to #4678 --------- Co-authored-by: Juraj Blazek <[email protected]> Co-authored-by: juraj-blazek <[email protected]> Co-authored-by: Santosh Kulkarni <[email protected]> Co-authored-by: Kiran Kumar Kolli <[email protected]>

# Pull Request Template ## Description Cleanup of code styling issues in Cosmos.Encryption.Custom.* projects as set up by editorconfig. ## Type of change Please delete options that are not relevant. - [] Bug fix (non-breaking change which fixes an issue) ## Closing issues Contributes to #4678 --------- Co-authored-by: Juraj Blazek <[email protected]> Co-authored-by: juraj-blazek <[email protected]> Co-authored-by: Santosh Kulkarni <[email protected]> Co-authored-by: Kiran Kumar Kolli <[email protected]>

# Pull Request Template ## Description Switch both MDE encryption and encryption paths to use MDE2.0 api ## Type of change Please delete options that are not relevant. - [] New feature (non-breaking change which adds functionality) ## Closing issues Contributes to #4678 --------- Co-authored-by: Juraj Blazek <[email protected]> Co-authored-by: juraj-blazek <[email protected]> Co-authored-by: Santosh Kulkarni <[email protected]>

# Pull Request Template ## Description Refactor EncryptionProcessor - split code paths for deprecated local implementation of Aes, split individual transformers to improve maintainability and testability, split preview/stable To be processed after #4753 ## Type of change Please delete options that are not relevant. - [] New feature (non-breaking change which adds functionality) ## Closing issues Contributes to #4678 --------- Co-authored-by: Juraj Blazek <[email protected]> Co-authored-by: juraj-blazek <[email protected]> Co-authored-by: Santosh Kulkarni <[email protected]> Co-authored-by: Kiran Kumar Kolli <[email protected]>

# Pull Request Template ## Description - This is preliminary step to enable Brotli compression on Cosmos.Encryption.Custom. - .NET8.0 target was added to the project - New compiler complaints were addressed To be processed after #4757 ## Type of change Please delete options that are not relevant. - [] New feature (non-breaking change which adds functionality) ## Closing issues Contributes to #4678 --------- Co-authored-by: Juraj Blazek <[email protected]> Co-authored-by: juraj-blazek <[email protected]> Co-authored-by: Santosh Kulkarni <[email protected]>

# Pull Request Template ## Description Initial commit for JsonNode on Encryption path. This is currently not executed on any production/preview path. Depends on JsonNode features available from System.Text.Json 8.0+. - Adds JsonNodeSqlSerializer - JObjectSqlSerializer now doesn't format inner serialized JArrays/JObjects (with line breaks/indentations) To be processed after #4766 ## Type of change Please delete options that are not relevant. - [] New feature (non-breaking change which adds functionality) ## Closing issues Contributes to #4678 --------- Co-authored-by: Juraj Blazek <[email protected]> Co-authored-by: juraj-blazek <[email protected]> Co-authored-by: Santosh Kulkarni <[email protected]>

# Pull Request Template ## Description - Add Brotli compression for .NET8.0 target - To stabilize performance tests duration results, GC was reconfigured to server mode (reduces StdDev 42% -> 5%) Brotli compression is now available for .NET8.0 target. All encrypted fields matching criteria are compressed before encryption. The option is configurable via `Microsoft.Azure.Cosmos.Encryption.Custom.EncryptionOptions` property `CompressionOptions` `CompressionOptions` structure: - `Algorithm` : `CompressionOptions.CompressionAlgoritm` suports `None` and `Brotli` (for .NET8.0+), defaults to None. - `CompressionLevel` : `System.IO.Compression.CompressionLevel` - defaults to CompressionLevel.Fastest - `MinimalCompressedLength` : determines minimal size of encrypted serialized Json text for compression. Defaults to 128 bytes. It is suggested to benchmark your use cases, different settings can lead to different ratio of compute vs storage costs. Default settings in general should save both cpu time and memory consumption. **Warn: make sure all your instances are upgraded to version supporting compression BEFORE enabling it.** To be processed after #4766 ## Type of change Please delete options that are not relevant. - [] New feature (non-breaking change which adds functionality) ## Closing issues Contributes to #4678 --------- Co-authored-by: Juraj Blazek <[email protected]> Co-authored-by: juraj-blazek <[email protected]> Co-authored-by: Santosh Kulkarni <[email protected]> Co-authored-by: Kiran Kumar Kolli <[email protected]>

# Pull Request Template ## Description - Added support for System.Text.JsonNode DOM on encryption path - Configuration option to select Json Processor (defaults to Newtonsoft) - Custom byte[] coverter supporting offset+length for JsonNode - Perf tests expanded to cover both json processors (JsonNode decryption still uses Newtonsoft, this will be upgraded with further PRs) To be processed after #4779 ## Type of change Please delete options that are not relevant. - [] New feature (non-breaking change which adds functionality) - [] This change requires a documentation update ## Closing issues Contributes to #4678 --------- Co-authored-by: Juraj Blazek <[email protected]> Co-authored-by: juraj-blazek <[email protected]> Co-authored-by: Santosh Kulkarni <[email protected]>

…4787) # Pull Request Template ## Description - Added support for System.Text.JsonNode DOM on deserializer and decryption path - Drops custom byte[] converter as JsonNode can take Memory<byte> directly To be processed after #4780 ## Type of change Please delete options that are not relevant. - [] New feature (non-breaking change which adds functionality) - [] This change requires a documentation update ## Closing issues Contributes to #4678 --------- Co-authored-by: Juraj Blazek <[email protected]> Co-authored-by: juraj-blazek <[email protected]> Co-authored-by: Santosh Kulkarni <[email protected]> Co-authored-by: Kiran Kumar Kolli <[email protected]>

# Pull Request Template ## Description - JsonProcessor.Stream was added to drop DOM overhead. - EncryptionProcessor has added overloads allowing consumer provision of output stream - tests were extended to new processor - performance tests were extended by provided stream overloads. RecyclableMemoryStream 3.0.1 is being used. ## Type of change Please delete options that are not relevant. - [] New feature (non-breaking change which adds functionality) - [] This change might require a documentation update ## Closing issues Contributes to #4678 --------- Co-authored-by: Juraj Blazek <[email protected]> Co-authored-by: juraj-blazek <[email protected]> Co-authored-by: Santosh Kulkarni <[email protected]> Co-authored-by: Kiran Kumar Kolli <[email protected]>

# Pull Request Template ## Description With new Stream based processor the JsonNode option is excessive and not really needed. We are dropping all of its code. ## Type of change Please delete options that are not relevant. - [] New feature (non-breaking change which adds functionality) ## Closing issues Contributes to #4678 --------- Co-authored-by: Juraj Blazek <[email protected]> Co-authored-by: juraj-blazek <[email protected]> Co-authored-by: Santosh Kulkarni <[email protected]> Co-authored-by: Kiran Kumar Kolli <[email protected]>

microsoft-github-policy-service bot added needs-investigation customer-reported Issue created by a customer labels Sep 12, 2024

juraj-blazek mentioned this issue Sep 12, 2024

[INTERNAL] [Client encryption]: Add baseline benchmarks for Microsoft.Azure.Cosmos.Encryption.Custom #4679

Merged

1 task

JanHyka mentioned this issue Sep 27, 2024

[Client encryption]: Switch Newtonsoft.Json to use ArrayPool #4726

Merged

This was referenced Oct 1, 2024

[Client encryption]: Fixes Faster validations and string comparisons #4739

Merged

[Client encryption]: Drop allocations on MDE Encryption path #4740

Merged

JanHyka mentioned this issue Oct 4, 2024

[Client encryption]: Address code styling errors and warnings #4747

Merged

This was referenced Oct 6, 2024

[Client encryption]: Switch to non-allocating MDE 2.0 api #4753

Merged

[Client encryption]: Refactor EncryptionProcessor #4757

Merged

This was referenced Oct 8, 2024

[Client encryption]: Add .NET8.0 target #4766

Merged

[Client encryption]: Adds support for Brotli compression #4769

Merged

[Client encryption]: Add JsonNodeSqlSerializer #4779

Merged

[Client encryption]: Add JsonNode Encryption processor #4780

Merged

JanHyka mentioned this issue Oct 10, 2024

[Client encryption]: Adds JsonNode support on deserialization path #4787

Merged

JanHyka mentioned this issue Oct 15, 2024

[Client encryption]: Adds Stream based processor #4806

Merged

This was referenced Oct 24, 2024

[Client encryption]: Drops JsonNode based processor #4846

Merged

[Client encryption]: Drops RentArrayBufferWriter #4847

Open

JanHyka mentioned this issue Oct 24, 2024

[Client encryption]: Implement EncryptionContainerStream #4848

Draft

JanHyka mentioned this issue Nov 6, 2024

[Client encryption]: Fixes handling of escaped utf8 strings in StreamProcessor #4871

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Client encryption]: Optimize encryption/decryption flows #4678

[Client encryption]: Optimize encryption/decryption flows #4678

juraj-blazek commented Sep 12, 2024 •

edited

Loading

[Client encryption]: Optimize encryption/decryption flows #4678

[Client encryption]: Optimize encryption/decryption flows #4678

Comments

juraj-blazek commented Sep 12, 2024 • edited Loading

juraj-blazek commented Sep 12, 2024 •

edited

Loading