ID: IEP-18
Author: Dmitrii Ryabov
Sponsor: Nikolay Izhikov, Anton Vinogradov
Created: 26 March 2018
Status: ACTIVE


Motivation

Transparent data encryption automatically and silently protects data at rest (persistence). It will allow users to minimize the effort spent on data protection. TDE should comply with standards like PKCS and PCI DSS, so users will spend less on data protection.

Description

Definitions 

  • CEK – Cache Encryption Key. Encrypts data; encrypted by MEK.

  • MEK – Master Encryption Key. Encrypts CEK. MEK is stored in some key storage.

  • TDE – Transparent Data Encryption 

Configuration 

IgniteConfiguration. EncryptionSpi instance should be configured to setup 

EncryptionSpi – SPI that provides the following capabilities:

  1. Obtain master key hash. 

  2. Create new cache key.

  3. Encrypt/decrypt blocks of data

CacheConfiguration:

  1. isEncrypted – flag. If true then cache data must be encrypted. 

Storing and using MEK and CEKs 

Encrypted CEKs are stored in the Meta Store. 
Encrypted MEK is stored in key storage, which has to be accessible from every server node (java.security.KeyStore is good for basic implementation because it complies with PKCS#11 and PKCS#12 [3]). 

  1. MEK and CEKs are stored in encrypted form. 

  2. MEK must be accessible during node start. 

  3. CEKs are decrypted on MetaStore initialization (node start). 

  4. Every encrypted cache must have its own CEK. 

  5. Opened keys must be destroyed when they aren't needed anymore (MEK – when CEKs are encrypted, CEKs - when a node is going down). This requirement came from PCI DSS 3.6.5 [4].

Preparation

  1. An administrator must ensure that the MEK storage is available to all server nodes.

Encryption

When a user performs an operation on an encrypted cache, everything proceeds as usual with two exceptions:

  1. Ignite encrypts pages when saving them to the Persistence Data Storage.
  2. Ignite encrypts each WAL record that belongs to an encrypted cache.

The encryption algorithm is provided by the EncryptionSpi implementation. 

For the default implementation (KeystoreEncryptionSpi), it is AES.
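
The MEK/CEK hierarchy described above, as an added Java example; it is not Ignite's KeystoreEncryptionSpi or any code from this proposal. The class name, key alias, password, the AESWrap key-wrapping transform and the AES-GCM page mode are assumptions of the example (the proposal only states that the default algorithm is AES), and the key store is built in memory instead of being loaded from shared storage.

```java
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added illustration of the MEK -> CEK -> data hierarchy (hypothetical class, not Ignite code).
public class TdeKeyHierarchyDemo {
    public static void main(String[] args) throws Exception {
        char[] pwd = "constructed-demo-password".toCharArray(); // constructed sample value
        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(256);

        // Key storage: an in-memory PKCS#12 KeyStore holding the MEK under the alias "mek".
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, pwd);
        ks.setEntry("mek", new KeyStore.SecretKeyEntry(aes.generateKey()),
            new KeyStore.PasswordProtection(pwd));

        // Node start: the MEK must be readable from the key storage.
        SecretKey mek = (SecretKey) ks.getKey("mek", pwd);

        // Cache creation: every encrypted cache gets its own CEK.
        // Only the MEK-wrapped form is what would be written to the Meta Store.
        SecretKey cek = aes.generateKey();
        Cipher wrap = Cipher.getInstance("AESWrap");
        wrap.init(Cipher.WRAP_MODE, mek);
        byte[] storedCek = wrap.wrap(cek);

        // MetaStore initialization: the stored CEK is decrypted with the MEK.
        Cipher unwrap = Cipher.getInstance("AESWrap");
        unwrap.init(Cipher.UNWRAP_MODE, mek);
        SecretKey openCek = (SecretKey) unwrap.unwrap(storedCek, "AES", Cipher.SECRET_KEY);

        // Page write and read: the CEK, never the MEK, encrypts the data block.
        byte[] page = new byte[4096]; // constructed page contents
        byte[] iv = new byte[12];     // fresh IV for each encryption under the same key
        new SecureRandom().nextBytes(iv);
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, openCek, new GCMParameterSpec(128, iv));
        byte[] stored = enc.doFinal(page); // ciphertext followed by the 16-byte GCM tag
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, openCek, new GCMParameterSpec(128, iv));

        System.out.println("wrapped CEK length: " + storedCek.length);
        System.out.println("page round-trips: " + Arrays.equals(page, dec.doFinal(stored)));
    }
}
```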

 http://apache-ignite-developers.2346864.n4.nabble.com/Transparent-Data-Encryption-TDE-in-Apache-Ignite-td18957.html 

Reference Links

Tickets
