Process description

  1. A node creates the ChangeMasterKeyMessage message and sends it by discovery as a custom event. The goal is to verify that all nodes have the same master key.
    1. The initiating message should contain:
      1. New master key id.
      2. New master key hash.
    2. When a server node processes the message, the following actions are executed:
      1. It obtains the hash of the new master key.
      2. Compares it with the one in the message.
      3. If it differs, an error is added to the message.
      4. Stores the master key id and hash locally.
  2. If there are errors on step 1, we log them and cancel the process. Otherwise go to step 3.
  3. The ChangeMasterKeyFinishMessage action message is sent by discovery as a custom event.
    1. The action message should contain:
      1. New master key id.
      2. New master key hash.
    2. When a server node processes the message, the following actions are executed:
      1. Checks that the master key id and hash are the same as those taken from the first message. Otherwise, we log it and cancel the process.
      2. Blocks creation of encrypted cache keys.
      3. Re-encrypts all cache group keys with the new master key in a temporary data structure. No changes in MetaStore.
      4. Creates a WAL logical record (ChangeMasterKeyRecord) that consists of:
        1. New master key id.
        2. Re-encrypted cache group keys.
      5. Writes cache group keys to MetaStore.
      6. Unblocks creation of encrypted cache keys.

...

The process completes when all nodes in the cluster have processed the action message.

Corner cases

Node was down during key rotation. ChangeMasterKeyRecord was not found.

If some node was unavailable during the master key rotation process, it will be unable to join the cluster because it has the old master key.

...

The node will re-encrypt cache keys with the new MK and try to join the cluster.

Node was down during key rotation. ChangeMasterKeyRecord found.

A node should not try to join the cluster before the ChangeMasterKeyRecord has been processed. Regardless of whether the key rotation finished successfully or not, recovery proceeds from the record.

  1. If during node recovery with logical records we find a ChangeMasterKeyRecord, it is passed to EncryptionManager.
  2. When MetaStore becomes available for write, EncryptionManager writes the new cache group keys to it.

...

Meta storage will store the master key id. The key id from meta storage has higher priority than the key id from EncryptionSpi.

Node attribute

Currently the joining node sends the MK hash for validation in attributes. Attributes can't be modified at runtime, so the joining node will send the MK hash in JoiningNodeDiscoveryData.
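The two-round process above, the two recovery corner cases (ChangeMasterKeyRecord found or not found after a node was down) and the join-time MK hash check, modelled end to end in Python. This is an added example written for this page, not Ignite's implementation: the message, record and component names follow the page, while the XOR-based wrap()/unwrap() toy wrapping, the spi dict standing in for EncryptionSpi, and the Node/Cluster classes are assumptions made for the model.

```python
import hashlib
from dataclasses import dataclass, field

# Toy key wrapping for this model only (not Ignite's cipher): XOR a 32-byte cache
# group key with a SHA-256 keystream derived from the master key (MK).
def wrap(group_key: bytes, master_key: bytes) -> bytes:
    stream = hashlib.sha256(b"wrap|" + master_key).digest()
    return bytes(a ^ b for a, b in zip(group_key, stream))

unwrap = wrap  # XOR is its own inverse

def key_hash(master_key: bytes) -> str:
    """Only the MK hash, never the MK itself, is carried in discovery messages."""
    return hashlib.sha256(master_key).hexdigest()

@dataclass
class ChangeMasterKeyMessage:        # step 1, verification round
    key_id: str
    key_hash: str
    errors: list = field(default_factory=list)

@dataclass
class ChangeMasterKeyFinishMessage:  # step 3, action round
    key_id: str
    key_hash: str

@dataclass
class ChangeMasterKeyRecord:         # WAL logical record written during step 3
    key_id: str
    wrapped_keys: dict

class Node:
    def __init__(self, name, spi_keys, master_key_id, group_keys):
        self.name, self.spi = name, spi_keys  # spi_keys: id -> MK bytes, stands in for EncryptionSpi
        self.online, self.pending, self.creation_blocked, self.wal = True, None, False, []
        self.meta = {"master_key_id": master_key_id,  # MetaStore: MK id plus wrapped group keys
                     "keys": {g: wrap(k, spi_keys[master_key_id]) for g, k in group_keys.items()}}

    def on_change(self, msg):
        """Step 1: hash the local copy of the new MK, compare, remember id and hash."""
        key = self.spi.get(msg.key_id)
        if key is None or key_hash(key) != msg.key_hash:
            msg.errors.append(f"{self.name}: MK {msg.key_id!r} missing or hash mismatch")
            return
        self.pending = (msg.key_id, msg.key_hash)

    def reencrypt(self, new_key_id):
        """Re-wrap every group key under the new MK in a temporary structure; MetaStore untouched."""
        old_mk, new_mk = self.spi[self.meta["master_key_id"]], self.spi[new_key_id]
        return ChangeMasterKeyRecord(new_key_id, {g: wrap(unwrap(w, old_mk), new_mk)
                                                  for g, w in self.meta["keys"].items()})

    def apply_record(self, rec):
        """EncryptionManager writes the record's MK id and keys to MetaStore."""
        self.meta = {"master_key_id": rec.key_id, "keys": dict(rec.wrapped_keys)}

    def on_finish(self, msg):
        """Step 3: verify against step 1, block key creation, WAL record, then MetaStore."""
        if self.pending != (msg.key_id, msg.key_hash):
            raise RuntimeError(f"{self.name}: finish message does not match step 1")
        self.creation_blocked = True
        rec = self.reencrypt(msg.key_id)
        self.wal.append(rec)  # logical record first, so a crash before MetaStore is recoverable
        self.apply_record(rec)
        self.creation_blocked, self.pending = False, None

    def recover(self):
        """Restart: any ChangeMasterKeyRecord in the WAL is applied before a join attempt."""
        for rec in self.wal:
            if isinstance(rec, ChangeMasterKeyRecord):
                self.apply_record(rec)

class Cluster:
    def __init__(self, nodes, master_key_id):
        self.nodes, self.master_key_id = nodes, master_key_id

    def rotate(self, new_key_id):
        """Coordinator side: step 1 on all live nodes, cancel on any error, otherwise step 3."""
        live = [n for n in self.nodes if n.online]  # a node that is down misses both rounds
        msg = ChangeMasterKeyMessage(new_key_id, key_hash(live[0].spi[new_key_id]))
        for n in live:
            n.on_change(msg)
        if msg.errors:  # step 2: log and cancel; no node has written anything yet
            return False, msg.errors
        fin = ChangeMasterKeyFinishMessage(msg.key_id, msg.key_hash)
        for n in live:
            n.on_finish(fin)
        self.master_key_id = new_key_id
        return True, []

    def join(self, node):
        """Joining node presents the hash of its current MK (JoiningNodeDiscoveryData)."""
        coord = next(n for n in self.nodes if n.online)
        ok = (key_hash(node.spi[node.meta["master_key_id"]])
              == key_hash(coord.spi[self.master_key_id]))
        if ok:
            node.online = True
        return ok
```

The ordering inside on_finish is the part worth keeping in mind: the hash comparison in step 1 runs before any node re-encrypts anything, so a node holding a wrong copy of the new key cancels the whole rotation instead of ending up with group keys it cannot unwrap, and the WAL record is appended before MetaStore is touched, which is what lets recover() finish the job on a node that crashed in between.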