Posted to dev@ignite.apache.org by Nikolay Izhikov <ni...@apache.org> on 2018/06/09 15:14:58 UTC

IEP-18 TDE: Prototype

Hello, guys.

I've implemented a prototype of TDE implementation [1].
Vladimir, can you do some pre-review of this prototype?
Any feedback on the public API or any other part of the implementation is welcome.

I have several questions I want to discuss.

1. Right place for a cache (data) key:

	Currently, all options that control data persistence are located in DataStorageConfiguration.
	And the TDE design proposes to store the key for cache encryption in Cache Metadata.

	We can store the cache key in Cache Metadata (I already implemented it in the prototype).
	But wouldn't it be more convenient to have an encrypted DataRegion, so all caches that use the encrypted DataRegion will become encrypted?

2. Encryption key for the WAL.

	Should we use a separate key for WAL encryption?
	If we want to use cache keys for WAL encryption, it adds some difficulties to the implementation:

		1. We should add a cacheId to each encrypted record to make it possible to decrypt it.
		2. We can't decrypt a WAL record if the cache was destroyed after the record was created.

Thoughts?

Prototype restrictions:

Currently, the size of the encrypted data should be equal to the size of the clear data, because FilePageStore checks it on file validation.
Actually, the AES CBC algorithm discussed in the IEP adds some extra bytes to the encrypted data.
So, I plan to implement the possibility to enhance the page size on the FilePageStore level in a few days.

[1] https://github.com/apache/ignite/pull/4167
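
Added example, not part of the original message or of the Ignite prototype: a small Java program that shows the extra bytes AES CBC adds to a page and why a size check based on whole pages then fails. The 4096-byte page size, the choice to store the IV in front of the ciphertext, and the sizeCheckPasses() helper are assumptions made for the illustration, not FilePageStore code.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.security.SecureRandom;
import java.util.Arrays;

public class PageEncryptionOverhead {
    static final int PAGE_SIZE = 4096; // assumed page size for the demo
    static final int BLOCK = 16;       // AES block size in bytes

    /** Encrypts one page and returns IV || ciphertext, the bytes that must be stored. */
    static byte[] encryptPage(SecretKey key, byte[] plain, String transformation) throws Exception {
        byte[] iv = new byte[BLOCK];
        new SecureRandom().nextBytes(iv); // fresh random IV for every page write
        Cipher c = Cipher.getInstance(transformation);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, BLOCK + ct.length);
        System.arraycopy(ct, 0, out, BLOCK, ct.length);
        return out;
    }

    /** Reads the IV from the first block and decrypts the rest. */
    static byte[] decryptPage(SecretKey key, byte[] stored, String transformation) throws Exception {
        Cipher c = Cipher.getInstance(transformation);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(stored, 0, BLOCK));
        return c.doFinal(stored, BLOCK, stored.length - BLOCK);
    }

    /** Hypothetical stand-in for a store that rejects files that are not a whole number of pages. */
    static boolean sizeCheckPasses(long fileLen) {
        return fileLen % PAGE_SIZE == 0;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] page = new byte[PAGE_SIZE]; // constructed sample page
        Arrays.fill(page, (byte) 0x5A);

        for (String t : new String[] {"AES/CBC/PKCS5Padding", "AES/CBC/NoPadding"}) {
            byte[] stored = encryptPage(key, page, t);
            boolean roundTrip = Arrays.equals(page, decryptPage(key, stored, t));
            System.out.printf("%-22s stored=%d overhead=%d sizeCheck=%b roundTrip=%b%n",
                t, stored.length, stored.length - PAGE_SIZE, sizeCheckPasses(stored.length), roundTrip);
        }
    }
}
```

With a page that is already a multiple of the AES block size, PKCS5 padding still appends a full 16-byte block, and the stored IV adds 16 bytes more, so neither variant produces a whole number of pages.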

Re: IEP-18 TDE: Prototype

Posted by Vladimir Ozerov <vo...@gridgain.com>.
Hi Nikolay,

I'll take a look in the near future.

On Sat, Jun 9, 2018 at 6:14 PM, Nikolay Izhikov <ni...@apache.org> wrote:

> Hello, guys.
>
> I've implemented a prototype of TDE implementation [1].
> Vladimir, can you do some pre-review of this prototype?
> Any feedback on the public API or any other part of the implementation is
> welcome.
>
> I have several questions I want to discuss.
>
> 1. Right place for a cache (data) key:
>
>         Currently, all options that control data persistence are located
> in DataStorageConfiguration.
>         And the TDE design proposes to store the key for cache encryption
> in Cache Metadata.
>
>         We can store the cache key in Cache Metadata (I already
> implemented it in the prototype).
>         But wouldn't it be more convenient to have an encrypted
> DataRegion, so all caches that use the encrypted DataRegion will become
> encrypted?
>
> 2. Encryption key for the WAL.
>
>         Should we use a separate key for WAL encryption?
>         If we want to use cache keys for WAL encryption, it adds some
> difficulties to the implementation:
>
>                 1. We should add a cacheId to each encrypted record to
> make it possible to decrypt it.
>                 2. We can't decrypt a WAL record if the cache was
> destroyed after the record was created.
>
> Thoughts?
>
> Prototype restrictions:
>
> Currently, the size of the encrypted data should be equal to the size of
> the clear data, because FilePageStore checks it on file validation.
> Actually, the AES CBC algorithm discussed in the IEP adds some extra bytes
> to the encrypted data.
> So, I plan to implement the possibility to enhance the page size on the
> FilePageStore level in a few days.
>
> [1] https://github.com/apache/ignite/pull/4167