...
- JAVA API:
ignite.encryption().changeMasterKey(String masterKeyId)
- starts master key rotation process.
String ignite.encryption().getMasterKeyId()
- gets current master key id.
- JMX:
changeMasterKey(String masterKeyId)
- starts master key rotation process.
String getMasterKeyId()
- gets current master key id.
- CLI:
# Starts master key rotation.
control.sh --encryption change_master_key newMasterKeyId
# Displays cluster's current master key id.
control.sh --encryption get_master_key
# Starts ignite with MK recovery process. See details.
ignite.sh --change-master-key newMasterKeyId
Process description
- Check that the cluster is active (WAL should be available for a write to correctly log changes and survive cluster restarts). Otherwise, throw an error.
- A node creates the
ChangeMasterKeyMessage
message and sent it by discovery as a custom event. The goal is to verify that all nodes have the same master key.
- Initiating message should contain:
- New master key id.
- New master key hash.
- When server node processed message following actions are executed:
- It checks that the cluster is active (WAL should be available for a write to correctly log changes and survive cluster restarts). Otherwise, error added to the message.
- It obtain hash of new master key.
- Compares it with the one in message
- If it differs then error added to the message.
- Store locally master key id and hash.
- If on step1 there are some errors we log it and cancel process. Otherwise got to step3.
- The
ChangeMasterKeyFinishMessage
action message is sent by discovery as a custom event.- Action message sould contain:
- New master key id.
- New master key hash.
- When server node processed message following actions are executed:
- Checks that master key id and hash is the same as it was taken from the first message. Otherwice, we log it and cancel process.
- Blocks creation of encrypted cache key.
- Reencrypt all cache group keys with new master key in a temporary datastructure. No changes in MetaStore.
- Create WAL logical record (
ChangeMasterKeyRecord
) that consist of:- New master key id
- Reenctyped cache group keys.
- Write cache group keys to
MetaStore
. - Unblock creation of encrypted cache key.
...
{"serverDuration": 141, "requestCorrelationId": "5dfe44b8b898223a"}