- Type: Task
- Resolution: Unresolved
- Priority: Unknown
- Component/s: Client Side Encryption, Performance
Summary
Investigate options to enable use of native crypto in libmongocrypt bindings.
I expect this will require a scope document and prototyping.
Motivation
By default, libmongocrypt implements crypto primitives (including AES, HMAC, SHA) by linking to a native crypto library (OpenSSL on Linux, CommonCrypto on macOS, Cryptography API on Windows).
Alternatively: libmongocrypt can be configured without crypto using the CMake option DISABLE_NATIVE_CRYPTO. The "no crypto" version of libmongocrypt is used by driver languages that supply crypto callbacks. On last survey: Java, Python, C#, Ruby, Node, and Rust implement the crypto callbacks.
MONGOCRYPT-112 describes the original motivation for the crypto callbacks:
For certain languages like Java and C# on Linux, we need to ship a binary but this binary cannot depend on the system OpenSSL.
The mongodb-crypt JAR and pymongocrypt wheel include generic Linux binaries of libmongocrypt.
Use of crypto callbacks may result in slower throughput. HELP-27047 identified a problematic workload: decrypting documents with 1500 encrypted values.
A benchmark of bulk decryption showed the most improvement when using libmongocrypt’s native system crypto, rather than the callbacks in the Java bindings:
- Baseline: +264.5%
- Using Java binding improvements: +173.19%
- Using bulk callbacks and Java binding improvements: +146.0%
- Using native crypto: +82.79%
Some bindings provide an option to use a system install of libmongocrypt (example: PYMONGOCRYPT_LIB in pymongocrypt). It may be possible to extend this to other drivers.
Who is the affected end user?
Users of In-Use Encryption.
How does this affect the end user?
Proposed changes may improve throughput of encryption and decryption.
How likely is it that this problem or use case will occur?
Certain. This was reported in HELP-27047.
If the problem does occur, what are the consequences and how severe are they?
Performance concern.
Is this issue urgent?
No.
Is this ticket required by a downstream team?
No.
Is this ticket only for tests?
No.
Acceptance Criteria
Expect improved throughput of encryption and decryption in impacted drivers.
- depends on
  - MONGOCRYPT-616 Add API to determine if built with native crypto (Closed)
- is duplicated by
  - DRIVERS-2717 Enable use of native crypto in libmongocrypt bindings (Closed)
- is related to
  - DRIVERS-2581 Benchmark and use `mongocrypt_binary_t` definition to improve performance of In-Use Encryption (Closed)
- split to
  - JAVA-5306 Enable use of native crypto in libmongocrypt bindings (Closed)
  - NODE-5875 Enable use of native crypto in libmongocrypt bindings (Closed)
  - CDRIVER-4821 Enable use of native crypto in libmongocrypt bindings (Closed)
  - CSHARP-4944 Enable use of native crypto in libmongocrypt bindings (Closed)
  - CXX-2817 Enable use of native crypto in libmongocrypt bindings (Closed)
  - GODRIVER-3112 Enable use of native crypto in libmongocrypt bindings (Closed)
  - MOTOR-1242 Enable use of native crypto in libmongocrypt bindings (Closed)
  - PHPLIB-1387 Enable use of native crypto in libmongocrypt bindings (Closed)
  - PYTHON-4181 [pymongocrypt] Enable use of native crypto in libmongocrypt bindings (Closed)
  - RUST-1835 Enable use of native crypto in libmongocrypt bindings (Closed)
  - RUBY-3386 Enable use of native crypto in libmongocrypt bindings (Backlog)