Data security is always a concern, and using encryption in Amazon RDS is an easy way to increase your level of security. The biggest concern with encryption, however, is that it may negatively impact performance by slowing down write and response times. When addressing this subject for a client we decided to test any potential performance hits that may arise from using encryption on an RDS MySQL instance.
We found that enabling RDS Encryption had a 3% performance penalty.
Sysbench was used for performance comparison so that we could compare the results from this test to other testing that we had done on RDS MySQL. We used the oltp test of Sysbench, with a slight modification to the .lua. This .lua file was used for testing against two clean RDS instances, one encrypted and one not. For testing against an encrypted RDS instance, we had to use a new instance (rather than one restored from snapshot), as Amazon RDS does not allow unencrypted snapshots to be restored to encrypted instances.
First, the test was prepared:
sysbench --test=/usr/share/doc/sysbench/tests/db/oltp_reconnect.lua --mysql-host=rds.host --mysql-user=<user> --mysql-password=<password> --mysql-table-engine=innodb --oltp-table-size=10000000 --max-time=0 --max-requests=0 --mysql-db=sbtest prepare
sysbench --test=/usr/share/doc/sysbench/tests/db/oltp_reconnect.lua --oltp-table-size=10000000 --oltp-test-mode=complex --oltp-read-only=off --num-threads=64 --max-time=600 --max-requests=0 --mysql-db=sbtest --mysql-host=rds.host --mysql-user=<user> --mysql-password=<password> --db-driver=mysql --mysql-port=3306 --oltp-skip-trx=on run
Both tests were run on db.r3.2xlarge instances with 500gb of storage and 5000 PIOPS. The two instances were newly launched, blank instances with only the sbtest db on them, one encrypted and the other not.
The unencrypted instance, as expected, came in the fastest at 6416 writes per second. The encryption only slowed things down by about 3%, at 6222 writes per second.
Average response times showed a similar percentage of performance difference. Unencrypted was again the fastest, with an average response time of 39.9ms. Unencrypted was slightly slower at 41.14ms, only a 3% drop.
Encrypting an Amazon RDS instance appeared to have a negligible impact on performance, only 3% in both of our comparisons shown above. We can safely suggest at this point, for our more security minded clients, that running Amazon RDS in an encrypted mode would be a highly viable choice to improve their data security and integrity.