Engineering the bare minimum: Fewer steps, faster messages
At LavinMQ, we engineer for the shortest path between data and hardware. In our previous look at the “Bare minimum”, we discussed how we use mmap to bridge the gap between RAM and disk. With the 2.7 release, we are applying that same philosophy to the network layer by introducing support for Kernel TLS (kTLS).
In many applications, encryption is a heavy middleman. To send a secure message, data is copied into a dedicated memory area, encrypted by the application in user space, and then handed over to the kernel for transmission. Each of these steps — the copying, the context switching, and the encryption overhead — creates a performance penalty for the CPU. By moving this process to the kernel using kTLS, we can eliminate the extra handoffs.
Moving encryption to the kernel
Instead of the application doing the heavy lifting, we hand the clear-text data and the encryption key directly to the Linux kernel. By shifting the encryption to the kernel, we achieve a much leaner data path. We eliminate the extra hand-offs between memory buffers, which significantly lowers CPU overhead. The processor spends more time moving messages and less time managing encryption states. This results in zero-copy efficiency and throughput that feels much closer to a plain-text connection.
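What "handing the key to the kernel" looks like at the Linux socket API, as an added example that is not LavinMQ's own code: after the TLS handshake has finished in user space, the application attaches the `tls` upper-layer protocol to the TCP socket and passes the negotiated write key with `setsockopt`. The names `session_keys`, `ktls_fill_info` and `ktls_enable_tx` are hypothetical, and TLS 1.2 with AES-128-GCM is assumed as the negotiated cipher.

```c
#include <errno.h>
#include <string.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <linux/tls.h>

#ifndef TCP_ULP
#define TCP_ULP 31   /* value from linux/tcp.h, for older libc headers */
#endif
#ifndef SOL_TLS
#define SOL_TLS 282  /* value from linux/socket.h */
#endif

/* Hypothetical container for the write-direction secrets the user-space TLS
 * library exports once the handshake is done (AES-128-GCM field sizes). */
struct session_keys {
    unsigned char key[TLS_CIPHER_AES_GCM_128_KEY_SIZE];
    unsigned char salt[TLS_CIPHER_AES_GCM_128_SALT_SIZE];
    unsigned char iv[TLS_CIPHER_AES_GCM_128_IV_SIZE];
    unsigned char seq[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
};

static void wipe(void *p, size_t n) { volatile unsigned char *v = p; while (n--) *v++ = 0; }

/* Build the record-layer state the kernel needs for TLS 1.2 AES-128-GCM. */
void ktls_fill_info(struct tls12_crypto_info_aes_gcm_128 *ci, const struct session_keys *k) {
    memset(ci, 0, sizeof(*ci));
    ci->info.version = TLS_1_2_VERSION;
    ci->info.cipher_type = TLS_CIPHER_AES_GCM_128;
    memcpy(ci->key, k->key, sizeof(ci->key));
    memcpy(ci->salt, k->salt, sizeof(ci->salt));
    memcpy(ci->iv, k->iv, sizeof(ci->iv));
    memcpy(ci->rec_seq, k->seq, sizeof(ci->rec_seq));
}

/* Returns 0 when the kernel took over encryption of sent data, or -errno so
 * the caller can keep encrypting in user space (e.g. tls module not loaded). */
int ktls_enable_tx(int fd, const struct session_keys *k) {
    struct tls12_crypto_info_aes_gcm_128 ci;
    int rc = 0;
    if (setsockopt(fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls")) < 0)
        return -errno;
    ktls_fill_info(&ci, k);
    if (setsockopt(fd, SOL_TLS, TLS_TX, &ci, sizeof(ci)) < 0)
        rc = -errno;
    wipe(&ci, sizeof(ci));  /* do not leave a key copy on the stack */
    return rc;
}
```

Once `ktls_enable_tx` returns 0, plain `send()` calls on the socket go out as encrypted TLS records; on any error the connection should stay on the user-space TLS path rather than fall back to clear text.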
Performance by design
We didn’t add kTLS just to have another feature. It fits our goal of staying out of the way of the hardware. By stripping away unnecessary steps in the encryption process, we ensure that LavinMQ remains a lightweight, high-performance broker as you scale. Sometimes the best way to move faster isn’t to add more power, but to remove more friction.
Lovisa Johansson