CryptoMb private key provider

This extension may be referenced by the qualified name envoy.tls.key_providers.cryptomb


This extension is only available in contrib images.


This extension is functional but has not had substantial production burn time, use only with this caveat.

This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.


This extension extends and can be used with the following extension category:


[extensions.private_key_providers.cryptomb.v3alpha.CryptoMbPrivateKeyMethodConfig proto]

A CryptoMbPrivateKeyMethodConfig message specifies how the CryptoMb private key provider is configured. The private key provider provides SIMD processing for RSA sign and decrypt operations (ECDSA signing uses regular BoringSSL functions). The provider works by gathering the operations into a worker-thread specific queue, and processing the queue using ipp-crypto library when the queue is full or when a timer expires.


The following extensions are available in contrib images only:

  "private_key": "{...}",
  "poll_delay": "{...}"

(config.core.v3.DataSource) Private key to use in the private key provider. If set to inline_bytes or inline_string, the value needs to be the private key in PEM format.


(Duration, REQUIRED) How long to wait until the per-thread processing queue should be processed. If the processing queue gets full (eight sign or decrypt requests are received) it is processed immediately. However, if the queue is not filled before the delay has expired, the requests already in the queue are processed, even if the queue is not full. In effect, this value controls the balance between latency and throughput. The duration needs to be set to a non-zero value.