...
String masterKeyId
.New master key should be available to EncryptionSPI for each server node.
...
Users can control the master key rotation process key via some kind of user interface(CLI, JMX, Java API).
ignite.encryption().changeMasterKey(String masterKeyId)
- starts master key rotation process.String ignite.encryption().getMasterKeyId()
- gets current master key id.changeMasterKey(String masterKeyId)
- starts master key rotation process.String getMasterKeyId()
- gets current master key id.control.sh --encryption change_master_key newMasterKeyId
control.sh --encryption get_master_key
ignite.sh --change-master-key newMasterKeyId
...
To update this node user should run ignite with command to change master key before join:
ignite.sh --change-master-key newMasterKeyId
The node will re-encrypt cache keys with new MK and try to join to cluster.
...
New methods will be introduced:
setMasterKeyId(String masterKeyId)
// Sets "current" master key idString getMasterKeyId()
// Gets "current" master key idFollow methods will work with master key that setted by previous method:
byte[] masterKeyDigest()
byte[] encryptKey(Serializable key)
Serializable decryptKey(byte[] key)
This is necessary so that ignite can decrypt cache keys with the old master key and encrypt with the new one.
...
Currently joining node send hash MK for validation in attributes. Attributes can't be modified at runtime. So joining node will send hash MK in JoiningNodeDiscoveryData
.