Vault Enterprise Performance Under Load

As organizations increasingly rely on HashiCorp Vault for managing secrets, authentication, and certificate issuance, understanding its performance limits under heavy load becomes critical. Deployments often start small, serving a handful of services, but scale rapidly as more systems integrate with Vault. This growth directly translates to increased concurrency, putting pressure on the underlying storage and replication mechanisms. To identify these breaking points, HashiCorp conducted benchmarks on Vault Enterprise 1.17.3+ent, utilizing a self-managed deployment on AWS with integrated Raft storage.

The testing environment was configured according to a HashiCorp Validated Design, ensuring a robust and representative setup. Load generation was performed using k6, a popular open-source load testing tool. For Key-Value (KV) workloads, the virtual user count ramped up from a single user to 500. For SSH and Public Key Infrastructure (PKI) operations, the load reached approximately 200 to 300 virtual users, depending on the specific operation being tested. The goal was to simulate real-world scaling scenarios and observe where performance degradation or failure occurred.

k6 load testing tool interface showing concurrent user simulation for Vault benchmarks

Key Findings: Reads vs. Writes and Payload Size

The benchmarks revealed several key insights into Vault's performance characteristics at scale. A consistent finding was that read operations significantly outperformed write operations. Reads were approximately 2.3 times faster than writes. This disparity is primarily due to the nature of Raft consensus. Writes require committing data and replicating it across the Raft cluster to ensure consistency and fault tolerance. This process introduces overhead. Reads, on the other hand, do not carry the same replication burden, allowing them to complete much faster. This suggests that applications with a high read-to-write ratio will generally experience better performance from Vault.

Payload size emerged as a more significant factor than initially anticipated. The tests demonstrated that 1 KB reads scaled cleanly up to 500 virtual users without any noticeable saturation. However, as payload sizes increased, performance began to degrade. This indicates that optimizing the size of secrets or data being retrieved from Vault can have a substantial impact on scalability. For instance, retrieving very large secrets or large numbers of small secrets in a single request could become a bottleneck much sooner than expected. This finding is crucial for architects designing systems that interact with Vault, emphasizing the need for efficient data retrieval patterns.

Raft Storage Performance and Bottlenecks

The choice of integrated Raft storage, while providing strong consistency and fault tolerance, also presents specific performance considerations. Raft's consensus mechanism, essential for maintaining data integrity across the cluster, inherently limits write throughput. Each write operation must be proposed, appended to the log, and replicated to a majority of nodes before it can be committed. This process can become a bottleneck when the rate of write operations exceeds the cluster's capacity to reach consensus.

The benchmarks indicated that beyond a certain concurrency level, the Raft commit process becomes the limiting factor. While reads are less affected, the sheer volume of write requests can overwhelm the cluster's ability to process them within acceptable latency bounds. This is particularly relevant for use cases involving frequent secret rotation, dynamic secret generation, or extensive use of Vault's certificate authority (CA) features, all of which can generate a high volume of writes.

Scaling Considerations for Different Workloads

The performance characteristics varied based on the type of workload. KV workloads, which involve simple secret storage and retrieval, showed clear scaling patterns related to reads and writes, as discussed. SSH and PKI workloads, however, involve more complex operations. For example, generating a new SSH certificate or issuing a new server certificate involves cryptographic operations, policy checks, and potentially audit logging, in addition to the underlying Raft writes.

The observed limits of 200-300 VUs for SSH and PKI operations suggest that these more resource-intensive tasks hit their performance ceiling sooner than simpler KV operations. This is because the total time to complete an operation includes not only the Raft consensus time but also the time spent on application-level logic and cryptographic processing. Therefore, organizations heavily reliant on dynamic secret generation or frequent certificate issuance must pay close attention to the overall throughput and latency of these specific operations when planning their Vault deployment size and configuration.

Implications for Vault Operators

The benchmark results provide actionable intelligence for Vault administrators and SREs. Firstly, optimizing read operations and minimizing payload sizes are paramount for achieving high throughput. Developers should consider fetching only necessary secret fields and batching requests where appropriate, though excessive batching could also introduce latency if not managed carefully. For write-heavy workloads, understanding the Raft commit limits is essential. This might involve scaling the Raft cluster (adding more nodes, ensuring adequate network bandwidth and low latency between nodes) or, in extreme cases, re-evaluating the frequency of write operations.

The tests were performed on Vault Enterprise 1.17.3+ent with integrated Raft. While these results offer a strong indication of performance characteristics, actual performance will vary based on specific cloud provider configurations, network conditions, instance types, and the exact nature of the workload. It is always recommended to conduct tailored performance tests within your own environment to validate these findings and tune your Vault deployment accordingly. The surprising detail here is not just that reads are faster, but how significantly payload size impacts scalability even for read-heavy operations.

Future Directions and Unanswered Questions

While these benchmarks provide a valuable snapshot, they also open avenues for further investigation. What happens when external systems, such as network hardware or cloud provider APIs, become the bottleneck rather than Vault itself? How does performance change when using different storage backends or replication strategies, such as external Raft or other high-availability modes? Furthermore, the impact of security configurations, like extensive audit logging or complex dynamic secret generation policies, on performance at extreme scale remains an area ripe for deeper exploration. Understanding these nuances will be key for organizations pushing the boundaries of Vault adoption.