tensor_vault Benchmarks

The tensor_vault crate provides AES-256-GCM encrypted secret storage with graph-based access control, permission levels, TTL grants, rate limiting, namespace isolation, audit logging, and secret versioning.

Key Derivation (Argon2id)

| Operation | Time | Peak RAM |
|---|---|---|
| argon2id_derivation | 80 ms | ~64 MB |

Note: Argon2id is intentionally slow to resist brute-force attacks. The 64MB memory cost is configurable via VaultConfig.

Encryption/Decryption (AES-256-GCM)

| Operation | Time | Peak RAM |
|---|---|---|
| set_1kb | 29 us | ~3 KB |
| get_1kb | 24 us | ~3 KB |
| set_10kb | 93 us | ~25 KB |
| get_10kb | 91 us | ~25 KB |

Note: set includes versioning overhead (storing previous version pointers). get includes audit logging.

Access Control (Graph Path Verification)

| Operation | Time | Peak RAM |
|---|---|---|
| check_shallow (1 hop) | 6 us | ~2 KB |
| check_deep (10 hops) | 17 us | ~3 KB |
| grant | 18 us | ~1 KB |
| revoke | 1.07 ms | ~1 KB |

Secret Listing

| Operation | Time | Peak RAM |
|---|---|---|
| list_100_secrets | 291 us | ~4 KB |
| list_1000_secrets | 2.7 ms | ~40 KB |

Note: List includes access control checks and key name decryption for pattern matching.

Analysis

  • Key derivation: Argon2id dominates vault initialization (~80ms). This is by design for security.
  • Access check improved: Path verification is now ~6us for shallow, ~17us for deep (85% faster than before).
  • Versioning overhead: set is ~2x slower due to version tracking (stores pointer array).
  • Audit overhead: Every operation logs to audit store (adds ~5-10us per operation).
  • Revoke performance: ~1ms due to edge deletion, TTL tracker cleanup, and audit logging.
  • List scaling: ~2.7us per secret at 1000 (includes decryption for pattern matching).

Feature Performance Overhead

| Feature | Overhead |
|---|---|
| Permission check | ~1 us (edge type comparison) |
| Rate limit check | ~100 ns (DashMap lookup) |
| TTL check | ~50 ns (heap peek) |
| Audit log write | ~5 us (tensor store put) |
| Version tracking | ~10 us (pointer array update) |

Security vs Performance Trade-offs

| Configuration | Key Derivation | Security |
|---|---|---|
| Default (64MB, 3 iter) | ~80 ms | High |
| Fast (16MB, 1 iter) | ~25 ms | Medium |
| Paranoid (256MB, 10 iter) | ~800 ms | Very High |

Recommendations

  • Development: Use Fast configuration for quicker iteration
  • Production: Use Default or Paranoid based on threat model
  • High-throughput: Cache access decisions where possible
  • Audit compliance: Accept ~5us overhead for complete audit trail
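
The "cache access decisions" recommendation interacts with TTL grants and revoke: a cached allow must not outlive the grant behind it or survive a graph change. The sketch below is an added example, not tensor_vault code; `DecisionCache` and its methods are hypothetical names, and it uses only the Rust standard library.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Hypothetical decision cache (added example; not a tensor_vault type).
pub struct DecisionCache {
    max_age: Duration,
    // (entity, secret key) -> (allowed, instant at which the entry goes stale)
    entries: HashMap<(String, String), (bool, Instant)>,
}

impl DecisionCache {
    pub fn new(max_age: Duration) -> Self {
        Self { max_age, entries: HashMap::new() }
    }

    /// Cache a decision. `grant_expiry` is the deadline of the TTL grant behind
    /// an allow, if there is one; the entry is never kept past it.
    pub fn put(&mut self, entity: &str, key: &str, allowed: bool,
               grant_expiry: Option<Instant>, now: Instant) {
        let mut stale_at = now + self.max_age;
        if let Some(exp) = grant_expiry {
            stale_at = stale_at.min(exp);
        }
        self.entries.insert((entity.to_string(), key.to_string()), (allowed, stale_at));
    }

    /// Some(decision) on a fresh hit; None means run the real graph check.
    pub fn get(&mut self, entity: &str, key: &str, now: Instant) -> Option<bool> {
        let k = (entity.to_string(), key.to_string());
        match self.entries.get(&k).copied() {
            Some((allowed, stale_at)) if now < stale_at => Some(allowed),
            Some(_) => { self.entries.remove(&k); None }
            None => None,
        }
    }

    /// Call after every grant or revoke. One edge change can alter paths for
    /// entities further along the graph, so drop everything, not one entry.
    pub fn on_graph_change(&mut self) {
        self.entries.clear();
    }
}

fn main() {
    let (t0, mut cache) = (Instant::now(), DecisionCache::new(Duration::from_secs(30)));
    cache.put("alice", "db/password", true, Some(t0 + Duration::from_secs(5)), t0);
    println!("{:?}", cache.get("alice", "db/password", t0 + Duration::from_secs(6)));
}
```

A cache hit bypasses the per-check audit write unless the caller logs hits itself, which matters where the complete audit trail is a requirement.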