You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ignite.apache.org by "Pavel Pereslegin (Jira)" <ji...@apache.org> on 2020/07/07 14:53:00 UTC

[jira] [Updated] (IGNITE-12843) TDE Phase-3. Cache key rotation.

     [ https://issues.apache.org/jira/browse/IGNITE-12843?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pavel Pereslegin updated IGNITE-12843:
--------------------------------------
    Description: 
Add the ability to rotate (change) the cache group encryption key.

The design is described here: [https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=95652384#TDE.Phase3.Cachekeyrotation.-Description]
h3. Additional notes about binary format changes.
h4. PageMetaIO and PagePartitionMetaIO format

Reencryption status requires an additional 8 bytes on the meta page of each partition.
 Index partition uses PageMetaIO to read/write meta information.
 Each other partition uses PagePartitionMetaIO to read/write meta information.

Partition meta starts just after the end of the page meta.
 To store additional 8 bytes partition meta shifted by 8 bytes.

WAL delta records have also been modified to store reencryption status.
h4. Encrypted page format

Each encrypted page has reserved free space to store CRC of encrypted data.
 The size of this free space depends on the size of the encryption block, but cannot be less than 8 bytes (Ignite default encryption implementation (KeystoreEncryptionSpi) uses AES with 16 bytes block size).

Added 1 byte for encryption key ID on each encrypted page (after CRC).
 (WAL records ENCRYPTED_RECORD and ENCRYPTED_DATA_RECORD have been changed accordingly)

  was:
Add the ability to rotate (change) the cache group encryption key.

The design is described here: [https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=95652384#TDE.Phase3.Cachekeyrotation.-Processdescription]
h3. Additional notes about binary format changes.
h4. PageMetaIO and PagePartitionMetaIO format

Reencryption status requires an additional 8 bytes on the meta page of each partition.
 Index partition uses PageMetaIO to read/write meta information.
 Each other partition uses PagePartitionMetaIO to read/write meta information.

Partition meta starts just after the end of the page meta.
 To store additional 8 bytes partition meta shifted by 8 bytes.

WAL delta records have also been modified to store reencryption status.
h4. Encrypted page format

Each encrypted page has reserved free space to store CRC of encrypted data.
 The size of this free space depends on the size of the encryption block, but cannot be less than 8 bytes (Ignite default encryption implementation (KeystoreEncryptionSpi) uses AES with 16 bytes block size).

Added 1 byte for encryption key ID on each encrypted page (after CRC).
 (WAL records ENCRYPTED_RECORD and ENCRYPTED_DATA_RECORD have been changed accordingly)


> TDE Phase-3. Cache key rotation.
> --------------------------------
>
>                 Key: IGNITE-12843
>                 URL: https://issues.apache.org/jira/browse/IGNITE-12843
>             Project: Ignite
>          Issue Type: Sub-task
>            Reporter: Pavel Pereslegin
>            Assignee: Pavel Pereslegin
>            Priority: Major
>              Labels: IEP-18
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Add the ability to rotate (change) the cache group encryption key.
> The design is described here: [https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=95652384#TDE.Phase3.Cachekeyrotation.-Description]
> h3. Additional notes about binary format changes.
> h4. PageMetaIO and PagePartitionMetaIO format
> Reencryption status requires an additional 8 bytes on the meta page of each partition.
>  Index partition uses PageMetaIO to read/write meta information.
>  Each other partition uses PagePartitionMetaIO to read/write meta information.
> Partition meta starts just after the end of the page meta.
>  To store additional 8 bytes partition meta shifted by 8 bytes.
> WAL delta records have also been modified to store reencryption status.
> h4. Encrypted page format
> Each encrypted page has reserved free space to store CRC of encrypted data.
>  The size of this free space depends on the size of the encryption block, but cannot be less than 8 bytes (Ignite default encryption implementation (KeystoreEncryptionSpi) uses AES with 16 bytes block size).
> Added 1 byte for encryption key ID on each encrypted page (after CRC).
>  (WAL records ENCRYPTED_RECORD and ENCRYPTED_DATA_RECORD have been changed accordingly)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)