[help] high latency - encryption during transit - Vault 1.5.2 / K8S 1.18

Vault in HA mode (3 PODs) - v 1.5.2 using DynamoDB (AWS) =*

  • Dynamically configures read/write based on traffic

K8S 1.18 Self-Managed (AWS)

We have noticed a fairly high latency on using encryption in transit - have tried a performance test using JMeter towards our backend (which in turn uses Vault for transit/encryption) and results were pretty bad.

Tried single calls using vault CLI and majority was between 1-2 seconds though with few going as far as 5 seconds.

vault write test-transit/encrypt/service plaintext=$(base64 <<< "4111 1111 1111 1111")

Now that it seems isolated to Vault, need some help as to how to further investigate/find the bottleneck leading to this. Thanks /Pedro
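One way to turn the single-call observations in the post above into comparable numbers, as an added example that is not part of the original thread. It assumes the `test-transit` mount and `service` key from the post, `VAULT_ADDR` and `VAULT_TOKEN` already exported, and GNU `date`; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: sample transit encrypt latency through the Vault CLI and
# summarise it. Each CLI call is a new process and a new connection to Vault,
# so these figures include process start-up and connection setup as well as
# the encrypt operation itself.

# Print one latency (milliseconds) per line for N encrypt calls (default 20).
time_transit_encrypt() {
  local n="${1:-20}"
  local pt start end i
  pt=$(base64 <<< "4111 1111 1111 1111")   # test value used in the post
  for i in $(seq "$n"); do
    start=$(date +%s%N)                     # nanoseconds, GNU date only
    vault write -format=json test-transit/encrypt/service \
      plaintext="$pt" >/dev/null || return 1
    end=$(date +%s%N)
    echo $(( (end - start) / 1000000 ))
  done
}

# Read millisecond samples on stdin and print "count p50 p95 max",
# using nearest-rank percentiles (rank = ceil(p/100 * count)).
summarize_latency() {
  sort -n | awk '
    { v[NR] = $1 }
    END {
      if (NR == 0) { print "0 0 0 0"; exit }
      p50 = int((NR * 50 + 99) / 100)
      p95 = int((NR * 95 + 99) / 100)
      print NR, v[p50], v[p95], v[NR]
    }'
}

# Usage against a live cluster (not run here):
#   time_transit_encrypt 50 | summarize_latency
```

Running the same summary before and after a storage or version change gives a like-for-like comparison of the median and the tail.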

Using cloud storage is going to be a massive latency issue, using transit is also a massive latency add-on. Combine them and you’ll get the results you see.

Upgrade to at least 1.7 (1.8 would be better) and use Integrated storage for best results.

One last note: 3 nodes is not “HA”. That’s just a multi-node cluster. It only matters if you’re talking about OSS vs Enterprise licenses as Enterprise gives you DR cluster/sync.

Thank you @aram! Appreciated. Indeed, it is a multi-node cluster and not HA. What would you suggest us to use as integrated storage?

One challenge would be to migrate from AWS/Dynamo to an integrated storage as Vault is shared across multiple teams/projects though only one currently relies on Vault for encryption during transit. Any thoughts/suggestions? Thanks

I’m still using 1.6.3 with Consul on the backend but we’re doing high production testing against 1.8 and Integrated Storage. It looks and is responding great, so yes that’s my recommendation.

I’d say reducing integrated storage everyone wins, so I don’t see why not move. There is nothing special about cloud storage so, why not gain the advantage.