Acra is designed to provide optimal security model out of the box, as well as to provide a number of ways for controlling (and sometimes programmatically reconfiguring) some of the security and performance properties.

Strategies for increased security

Wholecell vs Injectedcell

  • Injectedcell (--acrastruct_injectedcell_enable CLI parameter) can be used as a means of security through obscurity: you can hide AcraStruct in a large JPEG picture, and store it, thus increasing the complexity of locating the sensitive data.


  • If you have a lot of resources to run Acra on, or a small number of users, you can map each user to a separate Zone. This will make each user compartmented key-wise.

Strategies for increased performance

Some performance metrics

During the feature freeze of 0.75 and when we were researching insane memory leaks, we did a few performance tests to understand how much performance penalty Acra will impose on the full roundtrip to the app and back. We wrote 10k rows, requested 10k requests:

- read write
without acra 6.263646909 sec 36.397444647 sec
without zone, no encrypted records 21.764239688 sec -
without zone, all encrypted records 34.915005008 sec 70.29645783
with zone, no encrypted records 22.799269264 sec -
with zone, all encrypted records 37.159501001 sec 74.951257645 sec

The goal was to never exceed 10x performance penalty (typical for using interpreted languages with random quality libraries and poor concurrency). Writes are 2x slower, reads are 6 times slower max. It is worth mentioning that compiling Themis while changing the underlying cryptography backend to some more robust implementations of crypto primitives can significantly improve Acra performance.

Wholecell vs Injectedcell

  • Performance-wise, wholecell is much faster than injectedcell because it doesn't require scanning the whole byte stream.
  • If you're using injectedcell mode, you might want to limit the length of your database response - the longer it is, the longer it scans for AcraStruct.


  • The more Zones and Zone keys you've got, the longer it takes to scan through the database response.