...
Design assumes that administrator will provide ability to get new master key by EncryptionSPI
from underlying storage.
String masterKeyId
masterKeyName
.New master key should be available to EncryptionSPI
for each server node.
...
ignite.encryption().changeMasterKey(String masterKeyIdmasterKeyName)
- starts master key rotation process.String ignite.encryption().getMasterKeyIdgetMasterKeyName()
- gets current master key idname.changeMasterKey(String masterKeyIdmasterKeyName)
- starts master key rotation process.String getMasterKeyIdgetMasterKeyName()
- gets current master key idname.control.sh --encryption change_master_key newMasterKeyId
newMasterKeyName
control.sh --encryption get_master_key
ignite.sh --change-master-key newMasterKeyId
_name
MasterKeyChangeMessage
message and sent it by discovery as a custom event. The goal is to verify that all nodes have the same master key. MasterKeyChangeMessage
ack action message is sent by discovery as a custom event.ChangeMasterKeyRecord
) that consist of:MetaStore
....
To update this node user should run ignite with system property (IGNITE_MASTER_KEY_
IDNAME_TO_CHANGE_
ONBEFORE_STARTUP=newMasterKeyId
) or with command to change master key before join:
ignite.sh --change-master-key newMasterKeyId
The node will re-encrypt cache keys with new MK and try to join to cluster.
...
Reject node join. It may lead to inconsistent master keys in cluster. (Or if it possible to delay until key rotation process ends)
...
New methods will be introduced:
setMasterKeyIdsetMasterKeyName(String masterKeyIdmasterKeyName)
// Sets "current" master key idnameString getMasterKeyIdgetMasterKeyName()
// Gets "current" master key idnameFollow methods will work with master key that setted by previous method:
...
Meta storage will store master key idname. Key id name from meta storage has a higher priority to key id name from EncryptionSpi
.
...