From commits-return-205174-archive-asf-public=cust-asf.ponee.io@cassandra.apache.org Tue Jan 9 14:07:11 2018 Return-Path: X-Original-To: archive-asf-public@eu.ponee.io Delivered-To: archive-asf-public@eu.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by mx-eu-01.ponee.io (Postfix) with ESMTP id A5160180718 for ; Tue, 9 Jan 2018 14:07:11 +0100 (CET) Received: by cust-asf.ponee.io (Postfix) id 9526D160C2D; Tue, 9 Jan 2018 13:07:11 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id DAD23160C13 for ; Tue, 9 Jan 2018 14:07:10 +0100 (CET) Received: (qmail 44480 invoked by uid 500); 9 Jan 2018 13:07:10 -0000 Mailing-List: contact commits-help@cassandra.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cassandra.apache.org Delivered-To: mailing list commits@cassandra.apache.org Received: (qmail 44469 invoked by uid 99); 9 Jan 2018 13:07:09 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 09 Jan 2018 13:07:09 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 85D93180160 for ; Tue, 9 Jan 2018 13:07:09 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -107.911 X-Spam-Level: X-Spam-Status: No, score=-107.911 tagged_above=-999 required=6.31 tests=[ENV_AND_HDR_SPF_MATCH=-0.5, KAM_ASCII_DIVIDERS=0.8, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_SPF_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id vaxnmSJtAY4F for ; Tue, 9 Jan 2018 13:07:08 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id EF7155F39E for ; Tue, 9 Jan 2018 13:07:07 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 69588E0E91 for ; Tue, 9 Jan 2018 13:07:06 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id E45F6240EA for ; Tue, 9 Jan 2018 13:07:01 +0000 (UTC) Date: Tue, 9 Jan 2018 13:07:01 +0000 (UTC) From: "Stefan Podkowinski (JIRA)" To: commits@cassandra.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Updated] (CASSANDRA-14107) Introduce simple key alias versioning scheme for TDE MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/CASSANDRA-14107?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Stefan Podkowinski updated CASSANDRA-14107: ------------------------------------------- Description: Handling of encryption keys as introduced in CASSANDRA-9945 takes place by referencing a key alias in either cassandra.yaml, or the header of the (commitlog/hints) file that has been encrypted. Using the alias as literal value will work, but requires some attention when rotating keys. Currently each time a key is rotated (i.e. adding a new key to the keystore while preserving the previous version), the alias in cassandra.yaml has to be update as well and the node needs to be restarted. It would be more convenient to use a symbolic reference instead. My suggestion here would be to use ":latest" for referring to the latest version. In this case Cassandra always picks the key with the highest version in ":". The non-trivial part of this suggestion is how the "latest" key is referenced in the file header. If we use "latest", e.g. for the commit log header, and the key gets rotated, we'd now try do decrypt the file with the new key, instead of the key it has been created with. Therefor we'd have to introduce an extra step that will resolve the canonical version for "latest" and refer to that one during any encrypt operation. was: Handling of encryption keys as introduced in CASSANDRA-9945 takes place by referencing a key alias in either cassandra.yaml, or the header of the (commitlog/hints) file that has been encrypted. Using the alias as literal value will work, but requires some attention when rotating keys. Currently each time a key is rotated (i.e. adding a new key to the keystore while preserving the previous version), the alias in cassandra.yaml has to be update as well and the node needs to be restarted. It would be more convenient to use a symbolic reference instead. My suggestion here would be to use ":last" for referring to the latest version. Omitting the ":" part altogether would have the same effect. In this case Cassandra always picks the latest key when the key cache has been expired. The non-trivial part of this suggestion is how the "latest" key is referenced in the file header. If we use "latest", e.g. for the commit log header, and the key gets rotated, we'd now try do decrypt the file with the new key, instead of the key it has been created with. Therefor we'd have to introduce an extra step that will resolve the canonical version for "latest" and refer to that one during any encrypt operation. > Introduce simple key alias versioning scheme for TDE > ---------------------------------------------------- > > Key: CASSANDRA-14107 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14107 > Project: Cassandra > Issue Type: New Feature > Reporter: Stefan Podkowinski > Assignee: Stefan Podkowinski > Priority: Minor > Labels: encryption > Fix For: 4.x > > > Handling of encryption keys as introduced in CASSANDRA-9945 takes place by referencing a key alias in either cassandra.yaml, or the header of the (commitlog/hints) file that has been encrypted. Using the alias as literal value will work, but requires some attention when rotating keys. > Currently each time a key is rotated (i.e. adding a new key to the keystore while preserving the previous version), the alias in cassandra.yaml has to be update as well and the node needs to be restarted. It would be more convenient to use a symbolic reference instead. My suggestion here would be to use ":latest" for referring to the latest version. In this case Cassandra always picks the key with the highest version in ":". > The non-trivial part of this suggestion is how the "latest" key is referenced in the file header. If we use "latest", e.g. for the commit log header, and the key gets rotated, we'd now try do decrypt the file with the new key, instead of the key it has been created with. Therefor we'd have to introduce an extra step that will resolve the canonical version for "latest" and refer to that one during any encrypt operation. -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org For additional commands, e-mail: commits-help@cassandra.apache.org