...
- JAVA API:
ignite.encryption().changeMasterKey(String masterKeyId) - starts master key rotation process.
String ignite.encryption().getMasterKeyId() - gets current master key id.
- JMX:
changeMasterKey(String masterKeyId) - starts master key rotation process.
String getMasterKeyId() - gets current master key id.
- CLI:
# Starts master key rotation.
./control.sh --encryption change_master_key newMasterKeyId
# Displays cluster's current master key id.
./control.sh --encryption get_master_key
# Starts ignite with MK recovery process. See details.
ignite.sh --change-master-key -before-join newMasterKeyId
Process description
- A node creates the ChangeMasterKeyMessage message and sends it by discovery as a custom event. The goal is to verify that all nodes have the same master key.
  - The initiating message should contain:
    - New master key id.
    - New master key hash.
  - When a server node processes the message, the following actions are executed:
    - It obtains the hash of the new master key.
    - Compares it with the one in the message.
    - If they differ, an error is added to the message.
- If step 1 produced any errors, log them and cancel the process. Otherwise go to step 3.
- The ChangeMasterKeyFinishMessage action message is sent by discovery as a custom event.
  - The action message should contain:
    - New master key id.
  - When a server node processes the message, the following actions are executed:
    - Blocks creation of encrypted cache keys.
    - Re-encrypts all cache group keys with the new master key in a temporary data structure. No changes in the MetaStore.
    - Creates a WAL logical record (ChangeMasterKeyRecord) that consists of:
      - New master key id.
      - Re-encrypted cache group keys.
    - Writes the cache group keys to the MetaStore.
    - Unblocks creation of encrypted cache keys.
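The two-phase flow above (prepare message with a key hash that every node verifies, then a finish message that re-encrypts the cache group keys and logs a WAL record before touching the MetaStore) as an added simulation; this is not Ignite code. The Node, keystore and build_cluster names are assumptions, and the key wrapping is a throwaway HMAC-keystream XOR standing in for the real cipher so the block runs on the standard library alone.

```python
"""Added example: toy model of Ignite-style two-phase master key rotation.
Not Ignite code; wrap()/unwrap() is a throwaway XOR scheme, not a real cipher."""
import hashlib
import hmac
from dataclasses import dataclass, field


def master_key_hash(key: bytes) -> str:
    """Digest of a master key; this is what ChangeMasterKeyMessage carries."""
    return hashlib.sha256(key).hexdigest()


def wrap(master_key: bytes, group_key: bytes) -> bytes:
    """Toy key wrapping (assumption): XOR with an HMAC-derived 32-byte keystream."""
    stream = hmac.new(master_key, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(group_key, stream))


unwrap = wrap  # XOR is its own inverse


@dataclass
class ChangeMasterKeyMessage:       # phase 1: verify all nodes hold the same key
    master_key_id: str
    master_key_hash: str
    errors: list = field(default_factory=list)


@dataclass
class ChangeMasterKeyFinishMessage:  # phase 2: action message
    master_key_id: str


@dataclass
class ChangeMasterKeyRecord:        # WAL logical record written on each node
    master_key_id: str
    group_keys: dict


@dataclass
class Node:
    name: str
    keystore: dict        # master key id -> master key bytes (constructed, per node)
    master_key_id: str    # currently active master key
    meta_store: dict      # cache group id -> group key wrapped with the active master key
    wal: list = field(default_factory=list)
    key_creation_blocked: bool = False

    def on_prepare(self, msg: ChangeMasterKeyMessage) -> None:
        key = self.keystore.get(msg.master_key_id)
        if key is None or master_key_hash(key) != msg.master_key_hash:
            msg.errors.append(f"{self.name}: master key {msg.master_key_id!r} missing or differs")

    def on_finish(self, msg: ChangeMasterKeyFinishMessage) -> None:
        old, new = self.keystore[self.master_key_id], self.keystore[msg.master_key_id]
        self.key_creation_blocked = True          # block creation of encrypted cache keys
        try:
            # re-encrypt into a temporary structure; MetaStore untouched so far
            reencrypted = {g: wrap(new, unwrap(old, w)) for g, w in self.meta_store.items()}
            self.wal.append(ChangeMasterKeyRecord(msg.master_key_id, reencrypted))
            self.meta_store = reencrypted        # only now persist to the MetaStore
            self.master_key_id = msg.master_key_id
        finally:
            self.key_creation_blocked = False     # unblock even if something failed


def change_master_key(nodes: list, new_id: str) -> list:
    """Run both phases from nodes[0]; return the list of errors (empty on success)."""
    initiator = nodes[0]
    if new_id not in initiator.keystore:
        raise ValueError(f"initiator has no master key {new_id!r}")
    msg = ChangeMasterKeyMessage(new_id, master_key_hash(initiator.keystore[new_id]))
    for n in nodes:
        n.on_prepare(msg)
    if msg.errors:                                # step 2: log and cancel
        return list(msg.errors)
    finish = ChangeMasterKeyFinishMessage(new_id)
    for n in nodes:                               # step 3
        n.on_finish(finish)
    return []


def build_cluster(keystores: list, group_keys: dict, master_key_id: str = "mk1") -> list:
    """Constructed cluster: every node starts with group keys wrapped under master_key_id."""
    return [
        Node(f"node{i}", ks, master_key_id,
             {g: wrap(ks[master_key_id], k) for g, k in group_keys.items()})
        for i, ks in enumerate(keystores)
    ]


if __name__ == "__main__":
    mk1, mk2, stray = b"A" * 32, b"B" * 32, b"C" * 32   # constructed keys
    groups = {1: b"g1" * 16, 2: b"g2" * 16}
    ok = build_cluster([{"mk1": mk1, "mk2": mk2}] * 3, groups)
    print("healthy cluster:", change_master_key(ok, "mk2") or "rotated")
    bad = build_cluster([{"mk1": mk1, "mk2": mk2}, {"mk1": mk1, "mk2": stray}], groups)
    print("mismatched node:", change_master_key(bad, "mk2"))
```

The point worth noticing is the ordering inside on_finish: the re-encrypted keys exist only in a temporary dict and in the WAL record before the MetaStore is replaced, and a node whose keystore holds a different key under the new id stops the whole rotation in phase 1, so no node ever ends up with keys wrapped under a master key its peers do not share.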
...