.. _envoy_v3_api_file_contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha/cryptomb.proto:

CryptoMb private key provider (proto)
=====================================

.. _extension_envoy.tls.key_providers.cryptomb:

This extension has the qualified name ``envoy.tls.key_providers.cryptomb``

.. note::

  This extension is only available in :ref:`contrib <install_contrib>` images.

.. note::
  This extension is functional but has not had substantial production burn time,
  use only with this caveat.

  This extension is intended to be robust against untrusted downstream traffic. It
  assumes that the upstream is trusted.

.. tip::
  This extension extends and can be used with the following extension category:


  - :ref:`envoy.tls.key_providers <extension_category_envoy.tls.key_providers>`









.. _envoy_v3_api_msg_extensions.private_key_providers.cryptomb.v3alpha.CryptoMbPrivateKeyMethodConfig:

extensions.private_key_providers.cryptomb.v3alpha.CryptoMbPrivateKeyMethodConfig
--------------------------------------------------------------------------------


:repo:`[extensions.private_key_providers.cryptomb.v3alpha.CryptoMbPrivateKeyMethodConfig proto] <api/contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha/cryptomb.proto#L28>`

A CryptoMbPrivateKeyMethodConfig message specifies how the CryptoMb private
key provider is configured. The private key provider provides ``SIMD``
processing for ECDSA sign operations and RSA sign and decrypt operations.
The provider works by gathering the operations into a worker-thread specific
queue, and processing the queue using ``ipp-crypto`` library when the queue
is full or when a timer expires.


.. _extension_category_envoy.tls.key_providers:

.. tip::


  The following extensions are available in :ref:`contrib <install_contrib>` images only:


  - :ref:`envoy.tls.key_providers.cryptomb <extension_envoy.tls.key_providers.cryptomb>`

  - :ref:`envoy.tls.key_providers.qat <extension_envoy.tls.key_providers.qat>`




.. code-block:: json
  :force:

  {
    "private_key": {...},
    "poll_delay": {...}
  }

.. _envoy_v3_api_field_extensions.private_key_providers.cryptomb.v3alpha.CryptoMbPrivateKeyMethodConfig.private_key:


private_key
  (:ref:`config.core.v3.DataSource <envoy_v3_api_msg_config.core.v3.DataSource>`) Private key to use in the private key provider. If set to inline_bytes or
  inline_string, the value needs to be the private key in PEM format.


.. _envoy_v3_api_field_extensions.private_key_providers.cryptomb.v3alpha.CryptoMbPrivateKeyMethodConfig.poll_delay:


poll_delay
  (`Duration <https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>`_, *REQUIRED*) How long to wait until the per-thread processing queue should be
  processed. If the processing queue gets full (eight sign or decrypt
  requests are received) it is processed immediately. However, if the
  queue is not filled before the delay has expired, the requests
  already in the queue are processed, even if the queue is not full.
  In effect, this value controls the balance between latency and
  throughput. The duration needs to be set to a value greater than or equal to 1 millisecond.