ignite-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nikita Amelchev <nsamelc...@gmail.com>
Subject Re: TDE Master key rotation (Phase-2)
Date Fri, 20 Sep 2019 10:39:41 GMT
Nikolay,

because I suggested the implementation where the encryption manager is
responsible for storing the master key id.
To implement this logic in the EncryptionSpi, we will need to
introduce the methods look like this:

setMasterKeyId(String masterKeyId) // Sets "current" master key id
String getMasterKeyId() // Gets "current" master key id

Follow methods will work with master key that setted by previous method:

byte[] masterKeyDigest()
byte[] encryptKey(Serializable key)
Serializable decryptKey(byte[] key)

If such implementation is more reasonable, I will do so.

пт, 20 сент. 2019 г. в 13:04, Nikolay Izhikov <nizhikov@apache.org>:
>
> Why do we need "defaultMasterKeyId" instead of *current* master key id that can be obtained
with `KeystoreEncryptionSpi#getMasterKeyName()`?
>
> В Пт, 20/09/2019 в 12:56 +0300, Nikita Amelchev пишет:
> > Nikolay,
> >
> > Thanks for the proposal, I like it.
> >
> > The GridEncryptionManager will control the process of master key
> > rotation, so we should provide him master key id at startup. Seems we
> > should get it from some configuration for encryption.
> >
> > I suggest just adding the String defaultMasterKeyId() method into the
> > EncryptionSpi interface. This method gets default master key id used
> > on first cluster start.
> >
> > The specific implementation will be responsible for setting this value.
> >
> > What do you think?
> >
> > пт, 20 сент. 2019 г. в 10:44, Nikolay Izhikov <nizhikov@apache.org>:
> > >
> > > Hello, Nikita
> > >
> > > > IgniteConfiguration: New methods will be added to the IgniteConfiguration:
> > > > public IgniteConfiguration setEncryptionMasterKeyId(String masterKeyId)
- sets master key id.
> > > > public String getEncryptionMasterKeyId()
> > >
> > > We don't need it in the IgniteConfiguration.
> > >
> > > As you may know, we already have KeystoreEncryptionSpi#setMasterKeyName.
> > > Seems, we should add it to the EncryptionSpi itself.
> > >
> > >
> > > В Ср, 18/09/2019 в 22:25 +0300, Nikita Amelchev пишет:
> > > > Nikolay, thanks for participating.
> > > >
> > > > I have supplemented the design and clarify these moments. [1]
> > > >
> > > > [1] https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=95652381
> > > >
> > > > ср, 18 сент. 2019 г. в 16:48, Nikolay Izhikov <nizhikov@apache.org>:
> > > > >
> > > > > Hello, Nikita.
> > > > >
> > > > > Thanks for starting this discussion.
> > > > >
> > > > > 1. We should add prerequisites for "master key rotation process"
in design.
> > > > > Seems, it should be, "New master key available to EncryptionSPI for
each server node".
> > > > >
> > > > > 2. Please, use code formatting in wiki. It's make reading easier.
> > > > >
> > > > > 3. Please, clarify java API proposal. What will be changed and how.
> > > > > AFAIK we need to change EncryptionSPI, this should be covered in
design.
> > > > >
> > > > > 4. Please, clarify new CLI commands.
> > > > > AFAIK we should have 2 command:
> > > > >
> > > > >         1. Start regular master key rotation process.
> > > > >         2. Start local master key rotation process during node recovery(for
the case when key changed while node was down).
> > > > >
> > > > > В Ср, 18/09/2019 в 16:09 +0300, Nikita Amelchev пишет:
> > > > > > Hi, Igniters.
> > > > > >
> > > > > > I'm going to implement the ability to rotate the master encryption
key
> > > > > > (TDE Phase 2). [1]
> > > > > > Master key rotation required in case of it compromising or at
the end
> > > > > > of crypto period(key validity period). I prepared the design.
[2]
> > > > > >
> > > > > > In briefly, master keys will be identified by String masterKeyId.
The
> > > > > > concept of the masterKeyId will be added to the cache keys encryption
> > > > > > process in EncryptionSpi.
> > > > > >
> > > > > > Users can configure master key id in IgniteConfiguration and
will be
> > > > > > able to manage the key rotation process from java API, JMX,
CLI:
> > > > > >  - ignite.encryption().changeMasterKey(String masterKeyId) -
starts
> > > > > > master key rotation process.
> > > > > >  - String ignite.encryption().getMasterKeyId() - gets current
master key id.
> > > > > >
> > > > > > Any thoughts?
> > > > > >
> > > > > > [1] https://issues.apache.org/jira/browse/IGNITE-12186
> > > > > > [2] https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=95652381
> > > > > >
> > > >
> > > >
> > > >
> >
> >
> >



-- 
Best wishes,
Amelchev Nikita

Mime
View raw message