Client Encryption: Adds design for reducing encryption path contention.#5626
Open
Client Encryption: Adds design for reducing encryption path contention.#5626
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Contributor
|
If this isn't dead, probably time to fill in the overview? |
…tps://github.com/Azure/azure-cosmos-dotnet-v3 into users/jeet1995/reduce-encryption-path-contention
jeet1995
changed the title
Member
Author
|
@bartelink - thanks! I've filled in the PR description (starting this out to document a design) - we'll see if this PR evolves to include code changes (so will keep this PR in a draft state). |
yash2710
reviewed
Mar 9, 2026
jeet1995
commented
Mar 11, 2026
jeet1995
commented
Mar 11, 2026
jeet1995
commented
Mar 11, 2026
jeet1995
commented
Mar 11, 2026
jeet1995
commented
Mar 11, 2026
jeet1995
commented
Mar 11, 2026
yash2710
requested review from
FabianMeiswinkel,
Pilchie,
kirankumarkolli and
sboshra
as code owners
|
Azure Pipelines: Successfully started running 1 pipeline(s). |
|
Azure Pipelines: Successfully started running 1 pipeline(s). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Parent Issue: #5641
Design-only PR — no code changes. Adds OpenSpec artifacts (proposal, design, specs, tasks) for reducing contention in the client-side encryption path.
Problem:
OperationCanceledExceptionunder concurrent load due to a globalSemaphoreSlim(1,1)inBuildProtectedDataEncryptionKeyAsync. The semaphore guards MDE'sProtectedDataEncryptionKey.GetOrCreate, which on cache miss triggers two synchronous Key Vault HTTP calls (Resolve + UnwrapKey). Every encrypted property in every document contends on this single-permit lock.Proposed fix (3 capabilities, all gated behind opt-in env var):
ResolveAsync()+UnwrapKeyAsync()outside the semaphore; syncUnwrapKeyinside becomes a cache read (microseconds vs. 200ms–2.4s)IKeyEncryptionKeyper CMK URL so each refresh makes 1 AKV call instead of 2No public API changes. No breaking changes. Env var
AZURE_COSMOS_ENCRYPTION_OPTIMISTIC_DECRYPTION_ENABLED(off by default).See
openspec/changes/reduce-encryption-contention/for full proposal, design decisions, specs, and implementation tasks.Type of change