CMM cache policy on encryption and decryption DEKs #2177
Description
Problem:
While profiling an application I could find latency spikes, relate to decryption
If an application is regularly using a DEK for decryption, it can expire due to its TTL
As I read the code the TTL is set when the key is created. Is seems sensible that the key would expire when not used, but if used frequently why should it expire?
as ajewellamz poned our when I raised this in the wrong project -aws/aws-encryption-sdk#841 aws/aws-encryption-sdk#841 (comment) it is also experied to ensure correctness, and that the application has access to decrypt
We may have several thousand decryption DEKs in the cache, and regularly in use, and then we see a spike of a many decryption DEKs being regenerated, because they have expired due to TTL, which causes application latency (and some cost)
We have implemented a mechanism to rotate encryption DEKs as we know the limited set of keys in use. Effectively just regenerate the key 10 second before it would expire, but his path doesn't block encryption calls as it doesn't evict from the cache, it just replaces the entry when regenerated - aws/aws-encryption-sdk#840
Solution:
I think there could be some option to refresh the DEKs before they expire, to keep DEKs that are in use (within some time window), without DEK access causing latency to the calling app
We have some code in our project that does this for the encryption DEKs, which we could export to this library if its useful to others, which I imagine it would be