[Opendnssec-develop] SoftHSM performance

Roland van Rijswijk - Deij Roland.vanRijswijk at surfnet.nl
Tue Nov 6 12:48:37 UTC 2012


Hi,

On 25 Oct. 2012, at 16:11, Rickard Bellgrim <rickard at opendnssec.org> wrote:

> I have compared the performance between SoftHSMv1 and SoftHSMv2
> (OpenSSL and Botan).
> 
> SoftHSMv2 OpenSSL:
> ods-hsmspeed -r SoftHSM -i 50000 -s 1024 -t 1
> 1032.66 sig/s
> 
> SoftHSMv2 Botan:
> ods-hsmspeed -r SoftHSM -i 10000 -s 1024 -t 1
> 236.15 sig/s
> 
> SoftHSMv1:
> ods-hsmspeed -r SoftHSM -i 50000 -s 1024 -t 1
> 1376.68 sig/s
> 
> SoftHSMv2 is currently having some threading issues. Thus it is not
> possible to do multi-threaded tests.
> 
> The negative with Botan is the overhead when e.g. creating the RSA C++
> object. SoftHSMv1 utilizes an object cache, so that the Botan key
> objects do not need to be recreated all of the time. Is that
> something we want for SoftHSMv2? E.g. a 1-key cache?


To add to that: I would generally expect SoftHSM v2 to perform at about the same level or a little worse than SoftHSM v1. A reason for it performing a bit worse is that SoftHSM v2 keeps all sensitive data encrypted in memory and does "just-in-time" decryption to minimise the time that sensitive data is in memory in the clear. The implementation of that is quite strict; if speed is an absolute requirement we could consider adding a configure-time option for disabling the in-memory encryption (but that would sort of defy the purpose of SoftHSM v2).

Cheers,

Roland

-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surfnet.nl/en/
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
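
The trade-off discussed in this thread (per-operation unwrapping versus a 1-key object cache), as an added example that is not SoftHSM code and not part of the original messages. `Store`, `KeyObject` and `toySign` are hypothetical names, and the XOR mask and FNV checksum are stand-ins for real in-memory encryption and real signing.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <random>
#include <utility>
#include <vector>
using Bytes = std::vector<uint8_t>;
static void wipe(Bytes& b) { for (volatile uint8_t& x : b) x = 0; }
// Stand-in for a costly library key object (assumption; e.g. an RSA object).
struct KeyObject {
    Bytes material;
    explicit KeyObject(const Bytes& m) : material(m) {}
    ~KeyObject() { wipe(material); }  // clear key bytes when the object dies
};
// Toy keyed checksum (FNV-1a) so sign() returns something; not a signature.
static uint32_t toySign(const KeyObject& k, const Bytes& msg) {
    uint32_t h = 2166136261u;
    for (uint8_t b : k.material) h = (h ^ b) * 16777619u;
    for (uint8_t b : msg) h = (h ^ b) * 16777619u;
    return h;
}
class Store {
    Bytes mask_;                  // XOR mask standing in for in-memory encryption
    std::vector<Bytes> wrapped_;  // keys are only ever stored wrapped
    std::unique_ptr<KeyObject> cached_;
    int cachedId_ = -1;
    bool useCache_;
    Bytes xorMask(Bytes b) const {
        for (size_t i = 0; i < b.size(); ++i) b[i] ^= mask_[i % mask_.size()];
        return b;
    }
public:
    size_t builds = 0;  // number of key objects constructed so far
    explicit Store(bool useCache) : mask_(32), useCache_(useCache) {
        std::random_device rd;
        for (auto& m : mask_) m = static_cast<uint8_t>(rd());
    }
    int add(const Bytes& key) { wrapped_.push_back(xorMask(key)); return int(wrapped_.size()) - 1; }
    uint32_t sign(int id, const Bytes& msg) {
        if (useCache_ && id == cachedId_) return toySign(*cached_, msg);  // cache hit
        Bytes clear = xorMask(wrapped_[id]);  // just-in-time unwrap
        auto obj = std::make_unique<KeyObject>(clear);
        ++builds;
        wipe(clear);
        uint32_t sig = toySign(*obj, msg);
        if (useCache_) { cached_ = std::move(obj); cachedId_ = id; }
        return sig;  // without the cache, obj is destroyed and wiped here
    }
    bool cleartextResident() const { return cached_ != nullptr; }
};
```

With the cache enabled, repeated signatures with one key build the key object once, but a cleartext key object stays resident between calls; alternating between two keys evicts it on every call.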



