Item encryptor

Author: rishav-karanjit

db-esdk-performance-testing/benchmarks/config/test-scenarios.yaml

@@ -9,7 +9,7 @@ data_sizes:
     - 10240 # 10KB
   medium:
     - 102400 # 100KB
-    - 400000 # 400KB
+    - 50000000 # 50MB
 
 # Quick test configuration (reduced test set for faster execution)
 quick_config:

db-esdk-performance-testing/benchmarks/go/benchmark/benchmark_tests.go

@@ -7,10 +7,12 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"reflect"
 	"runtime/metrics"
 	"strconv"
 	"time"
 
+	dbesdkitemencryptortypes "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/awscryptographydbencryptionsdkdynamodbitemencryptorsmithygeneratedtypes"
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/dynamodb"
 	"github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
@@ -120,6 +122,48 @@ func (b *DBESDKBenchmark) runBatchPutGetCycle(data []byte) (float64, float64, er
 	return batchWriteDuration, batchGetDuration, nil
 }
 
+// runBatchPutGetCycle performs a BatchWriteItem-BatchGetItem cycle with 25 items and measures performance
+func (b *DBESDKBenchmark) runItemEncryptorCycle(data []byte) (float64, float64, error) {
+	item := map[string]types.AttributeValue{
+		"partition_key": &types.AttributeValueMemberS{Value: "benchmark-test"},
+		"sort_key":      &types.AttributeValueMemberN{Value: "0"},
+		"attribute1": &types.AttributeValueMemberM{Value: map[string]types.AttributeValue{
+			"data": &types.AttributeValueMemberB{Value: data},
+		}},
+		"attribute2":  &types.AttributeValueMemberS{Value: "sign me!"},
+		":attribute3": &types.AttributeValueMemberS{Value: "ignore me!"},
+	}
+
+	encryptItemInput := &dbesdkitemencryptortypes.EncryptItemInput{
+		PlaintextItem: item,
+	}
+
+	encryptItemStart := time.Now()
+	encryptItemOutput, err := b.ItemEncryptorClient.EncryptItem(context.Background(), *encryptItemInput)
+	if err != nil {
+		return 0, 0, fmt.Errorf("EncryptItem failed: %w", err)
+	}
+	encryptItemDuration := time.Since(encryptItemStart).Seconds() * 1000
+	// Demonstrate that the item has been encrypted
+	encryptedItem := encryptItemOutput.EncryptedItem
+
+	// Directly decrypt the encrypted item using the DynamoDb Item Encryptor
+	decryptItemInput := &dbesdkitemencryptortypes.DecryptItemInput{
+		EncryptedItem: encryptedItem,
+	}
+	decryptItemStart := time.Now()
+	decryptedItem, err := b.ItemEncryptorClient.DecryptItem(context.Background(), *decryptItemInput)
+	if err != nil {
+		return 0, 0, fmt.Errorf("EncryptItem failed: %w", err)
+	}
+	decryptItemDuration := time.Since(decryptItemStart).Seconds() * 1000
+
+	if !reflect.DeepEqual(item, decryptedItem.PlaintextItem) {
+		panic("Decrypted item does not match original item")
+	}
+	return encryptItemDuration, decryptItemDuration, nil
+}
+
 // shouldRunTestType checks if a test type should be run based on quick config
 func (b *DBESDKBenchmark) shouldRunTestType(testType string) bool {
 	if b.Config.QuickConfig == nil || len(b.Config.QuickConfig.TestTypes) == 0 {

db-esdk-performance-testing/benchmarks/go/benchmark/dbesdk_benchmark.go

@@ -13,6 +13,8 @@ import (
 
 	mplsmithygenerated "github.com/aws/aws-cryptographic-material-providers-library/releases/go/mpl/awscryptographymaterialproviderssmithygenerated"
 	mpltypes "github.com/aws/aws-cryptographic-material-providers-library/releases/go/mpl/awscryptographymaterialproviderssmithygeneratedtypes"
+	itemencryptor "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/awscryptographydbencryptionsdkdynamodbitemencryptorsmithygenerated"
+	dbesdkitemencryptortypes "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/awscryptographydbencryptionsdkdynamodbitemencryptorsmithygeneratedtypes"
 	dbesdkdynamodbencryptiontypes "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/awscryptographydbencryptionsdkdynamodbsmithygeneratedtypes"
 	dbesdkstructuredencryptiontypes "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/awscryptographydbencryptionsdkstructuredencryptionsmithygeneratedtypes"
 	"github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/dbesdkmiddleware"
@@ -32,12 +34,13 @@ const (
 
 // DBESDKBenchmark is the main benchmark struct
 type DBESDKBenchmark struct {
-	Config        TestConfig
-	DbesdkClient  *dynamodb.Client
-	Keyring       mpltypes.IKeyring
-	Results       []BenchmarkResult
-	CPUCount      int
-	TotalMemoryGB float64
+	Config              TestConfig
+	DbesdkClient        *dynamodb.Client
+	ItemEncryptorClient *itemencryptor.Client
+	Keyring             mpltypes.IKeyring
+	Results             []BenchmarkResult
+	CPUCount            int
+	TotalMemoryGB       float64
 }
 
 // New creates a new benchmark instance
@@ -64,7 +67,7 @@ func New(configPath string) (*DBESDKBenchmark, error) {
 	}
 
 	// Setup DB-ESDK
-	if err := benchmark.setupDBESDK(); err != nil {
+	if err := benchmark.setupDBESDK(false); err != nil {
 		return nil, fmt.Errorf("failed to setup DB-ESDK: %w", err)
 	}
 
@@ -95,35 +98,7 @@ func (b *DBESDKBenchmark) setupMPL() error {
 }
 
 // setupDBESDK initializes the DynamoDB client with DB-ESDK middleware and creates a default keyring which is AES keyring
-func (b *DBESDKBenchmark) setupDBESDK() error {
-	ddbTableName := b.Config.TableName
-
-	// Initialize the material providers client
-	matProvConfig := mpltypes.MaterialProvidersConfig{}
-	matProv, err := mplsmithygenerated.NewClient(matProvConfig)
-	if err != nil {
-		return fmt.Errorf("failed to create material providers client: %w", err)
-	}
-
-	// Create default AES-256 keyring
-	key := make([]byte, 32) // 256-bit key
-	if _, err := rand.Read(key); err != nil {
-		return fmt.Errorf("failed to generate AES-256 key: %w", err)
-	}
-
-	keyringInput := mpltypes.CreateRawAesKeyringInput{
-		KeyName:      "test-aes-256-key",
-		KeyNamespace: "DB-ESDK-performance-test",
-		WrappingKey:  key,
-		WrappingAlg:  mpltypes.AesWrappingAlgAlgAes256GcmIv12Tag16,
-	}
-
-	keyring, err := matProv.CreateRawAesKeyring(context.Background(), keyringInput)
-	if err != nil {
-		return fmt.Errorf("failed to create keyring: %w", err)
-	}
-	b.Keyring = keyring
-
+func (b *DBESDKBenchmark) setupDBESDK(useItemEncryptor bool) error {
 	attributeActions := map[string]dbesdkstructuredencryptiontypes.CryptoAction{
 		"partition_key": dbesdkstructuredencryptiontypes.CryptoActionSignOnly,
 		"sort_key":      dbesdkstructuredencryptiontypes.CryptoActionSignOnly,
@@ -137,22 +112,41 @@ func (b *DBESDKBenchmark) setupDBESDK() error {
 	partitionKey := "partition_key"
 	sortKeyName := "sort_key"
 	algorithmSuiteID := mpltypes.DBEAlgorithmSuiteIdAlgAes256GcmHkdfSha512CommitKeyEcdsaP384SymsigHmacSha384
+
+	err := b.setupItemEncryptorClient(partitionKey, sortKeyName, allowedUnsignedAttributePrefix, algorithmSuiteID, attributeActions)
+	if err != nil {
+		return err
+	}
+
+	err = b.SetupDDB(partitionKey, sortKeyName, allowedUnsignedAttributePrefix, algorithmSuiteID, attributeActions)
+	if err != nil {
+		return err
+	}
+
+	log.Println("ESDK client initialized successfully")
+	return nil
+}
+
+func (b *DBESDKBenchmark) SetupDDB(partitionKey, sortKeyName, allowedUnsignedAttributePrefix string, algorithmSuiteID mpltypes.DBEAlgorithmSuiteId, attributeActions map[string]dbesdkstructuredencryptiontypes.CryptoAction) error {
 	tableConfig := dbesdkdynamodbencryptiontypes.DynamoDbTableEncryptionConfig{
-		LogicalTableName:               ddbTableName,
+		LogicalTableName:               b.Config.TableName,
 		PartitionKeyName:               partitionKey,
 		SortKeyName:                    &sortKeyName,
 		AttributeActionsOnEncrypt:      attributeActions,
-		Keyring:                        keyring,
+		Keyring:                        b.Keyring,
 		AllowedUnsignedAttributePrefix: &allowedUnsignedAttributePrefix,
 		AlgorithmSuiteId:               &algorithmSuiteID,
 	}
 	tableConfigsMap := make(map[string]dbesdkdynamodbencryptiontypes.DynamoDbTableEncryptionConfig)
-	tableConfigsMap[ddbTableName] = tableConfig
+	tableConfigsMap[b.Config.TableName] = tableConfig
 	listOfTableConfigs := dbesdkdynamodbencryptiontypes.DynamoDbTablesEncryptionConfig{
 		TableEncryptionConfigs: tableConfigsMap,
 	}
 
 	cfg, err := config.LoadDefaultConfig(context.TODO())
+	if err != nil {
+		return fmt.Errorf("failed to load default config: %w", err)
+	}
 
 	dbEsdkMiddleware, err := dbesdkmiddleware.NewDBEsdkMiddleware(listOfTableConfigs)
 	ddb := dynamodb.NewFromConfig(cfg, dbEsdkMiddleware.CreateMiddleware(), func(o *dynamodb.Options) {
@@ -161,7 +155,24 @@ func (b *DBESDKBenchmark) setupDBESDK() error {
 
 	b.DbesdkClient = ddb
 
-	log.Println("ESDK client initialized successfully")
+	return nil
+}
+
+func (b *DBESDKBenchmark) setupItemEncryptorClient(partitionKey, sortKeyName, allowedUnsignedAttributePrefix string, algorithmSuiteID mpltypes.DBEAlgorithmSuiteId, attributeActions map[string]dbesdkstructuredencryptiontypes.CryptoAction) error {
+	itemEncryptorConfig := dbesdkitemencryptortypes.DynamoDbItemEncryptorConfig{
+		LogicalTableName:               b.Config.TableName,
+		PartitionKeyName:               partitionKey,
+		SortKeyName:                    &sortKeyName,
+		AttributeActionsOnEncrypt:      attributeActions,
+		Keyring:                        b.Keyring,
+		AllowedUnsignedAttributePrefix: &allowedUnsignedAttributePrefix,
+		AlgorithmSuiteId:               &algorithmSuiteID,
+	}
+	itemEncryptorClient, err := itemencryptor.NewClient(itemEncryptorConfig)
+	if err != nil {
+		return fmt.Errorf("failed to create item encryptor client: %w", err)
+	}
+	b.ItemEncryptorClient = itemEncryptorClient
 	return nil
 }
 

db-esdk-performance-testing/benchmarks/go/benchmark/testRunners.go

@@ -133,7 +133,7 @@ func (b *DBESDKBenchmark) runMemoryTest(dataSize int) (*BenchmarkResult, error)
 
 		// Run operation
 		operationStart := time.Now()
-		_, _, err := b.runBatchPutGetCycle(data)
+		_, _, err := b.runItemEncryptorCycle(data)
 		operationDuration := time.Since(operationStart)
 
 		close(stopSampling)
@@ -229,7 +229,7 @@ func (b *DBESDKBenchmark) runConcurrentTest(dataSize int, concurrency int, itera
 			var workerTimes []float64
 			for j := 0; j < iterationsPerWorker; j++ {
 				iterStart := time.Now()
-				_, _, err := b.runBatchPutGetCycle(data)
+				_, _, err := b.runItemEncryptorCycle(data)
 				if err != nil {
 					errorChan <- fmt.Errorf("worker %d iteration %d failed: %w", workerID, j, err)
 					return
@@ -291,7 +291,7 @@ func (b *DBESDKBenchmark) runThroughputTest(dataSize int, iterations int) (*Benc
 
 	// Warmup
 	for i := 0; i < b.Config.Iterations.Warmup; i++ {
-		if _, _, err := b.runBatchPutGetCycle(testData); err != nil {
+		if _, _, err := b.runItemEncryptorCycle(testData); err != nil {
 			return nil, fmt.Errorf("warmup iteration %d failed: %w", i, err)
 		}
 	}
@@ -309,7 +309,7 @@ func (b *DBESDKBenchmark) runThroughputTest(dataSize int, iterations int) (*Benc
 	startTime := time.Now()
 	for i := 0; i < iterations; i++ {
 		iterationStart := time.Now()
-		putMs, getMs, err := b.runBatchPutGetCycle(testData)
+		putMs, getMs, err := b.runItemEncryptorCycle(testData)
 		if err != nil {
 			return nil, fmt.Errorf("measurement iteration %d failed: %w", i, err)
 		}

db-esdk-performance-testing/config/test-scenarios.yaml

@@ -9,7 +9,7 @@ data_sizes:
     - 10240 # 10KB
   medium:
     - 102400 # 100KB
-    - 400000 # 400KB
+    - 40000000 # 40MB
 
 # Quick test configuration (reduced test set for faster execution)
 quick_config: