Skip to content

Performance | Use lower-allocation AlwaysEncrypted primitives #3612

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Oct 1, 2025
Merged

Performance | Use lower-allocation AlwaysEncrypted primitives #3612

merged 8 commits into from
Oct 1, 2025

Conversation

edwardneal
Copy link
Contributor

Description

This builds on #3554, using the lower-allocation AE primitives in SqlColumnEncryptionCspProvider and SqlColumnEncryptionCngProvider. Benchmarks for this are located in the original PR.

I'm separating these two changes from SqlColumnEncryptionCertificateStoreProvider due to the latter's size, but it'll be fairly similar once the use of X509Certificate2 has been refactored into an RSA instance. I'll incorporate the feedback from this PR into the second one.

We make some minor code style changes, largely to remove a few Yoda conditions, replace == null with is null comparisons and clean up the comments. Besides this though, almost all of the DecryptColumnEncryptionKey and EncryptColumnEncryptionKey methods are replaced with references to the new AE primitives.

While not the main goal, I also noticed and fixed one case where we were opening a CngKey and never disposing it.

Issues

Builds on #3554.

Testing

Automated tests pass.

I also created an AE-enabled table in SSMS which used a CNG-based master key, and confirmed that I was able to query values from it. This should confirm that data created outside of SqlClient can now be read successfully.

Could someone run CI please?

@edwardneal edwardneal requested a review from a team as a code owner September 11, 2025 22:18
@paulmedynski
Copy link
Contributor

/azp run

@paulmedynski paulmedynski self-assigned this Sep 12, 2025
@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 2 pipeline(s).

paulmedynski
paulmedynski requested changes Sep 12, 2025
View reviewed changes
Copy link
Contributor

@paulmedynski paulmedynski left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks great. Some comments about [NotNull] and usings.

@edwardneal
Initial code review
3152361 
Simplify CreateRSACngProvider.
Use static CngProvider instances for well-known providers where possible.
paulmedynski
paulmedynski previously approved these changes Sep 12, 2025
View reviewed changes
@paulmedynski
Copy link
Contributor

/azp run

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 2 pipeline(s).

@codecov Codecov
Copy link

codecov bot commented Sep 16, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 98.03922% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 60.14%. Comparing base (cd3dbd1) to head (b09cfea).
⚠️ Report is 35 commits behind head on main.

Files with missing lines Patch % Lines
...qlClient/SqlColumnEncryptionCngProvider.Windows.cs 96.22% 2 Missing ⚠️

❗ There is a different number of reports uploaded between BASE (cd3dbd1) and HEAD (b09cfea). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (cd3dbd1) HEAD (b09cfea)
addons 1 0
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3612      +/-   ##
==========================================
- Coverage   65.48%   60.14%   -5.35%     
==========================================
  Files         275      270       -5     
  Lines       61518    60370    -1148     
==========================================
- Hits        40288    36309    -3979     
- Misses      21230    24061    +2831
Flag Coverage Δ
addons ?
netcore 62.53% <98.03%> (-5.12%) ⬇️
netfx 64.35% <99.00%> (-4.86%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

benrr101
benrr101 requested changes Sep 24, 2025
View reviewed changes
Copy link
Contributor

@benrr101 benrr101 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall quite happy with these changes. It'd be nice to consider the questions about nullable strings and the span conversions, but I'm not trying to be too demanding here.

@paulmedynski
Copy link
Contributor

/azp run

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 2 pipeline(s).

benrr101
benrr101 approved these changes Sep 30, 2025
View reviewed changes
Copy link
Contributor

@benrr101 benrr101 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I get it now - and like Paul said, neato!

@paulmedynski paulmedynski merged commit 66b1fb1 into dotnet:main Oct 1, 2025
236 checks passed
@edwardneal edwardneal deleted the perf/ae-primitives/asymmetric-key-providers branch October 1, 2025 17:30
@edwardneal edwardneal mentioned this pull request Oct 4, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@benrr101 benrr101 benrr101 approved these changes

@paulmedynski paulmedynski paulmedynski approved these changes

Assignees

@paulmedynski paulmedynski

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@edwardneal @paulmedynski @benrr101