Key rotation required in case of it compromising or at the end of crypto period(key validity period).
To implement the ability to rotate cache encryption key.
...
Cache key rotation.
Removal of the cache key.
New administrator commands:
...
Administrator The administratorinitiates the process via some kind of user interface(CLI, Visor, WebConsole, JMX, etc).
New A newkey generated using configured EncryptionSPI.
Message A messagewith the new key (encrypted with the master key) is sent by discovery.
On message receive following actions are executed:
Process state: IN PROGRESS.
New The newkey is saved in to the metastore (WAL record about this event is written to the disk added).
Further WAL records are encrypted with the new key.
Further page are isencrypted with the new key.
Pages reencryption The pagesre-encryptionprocess is initiated.
Process uses it's own ThreadThis procedure usesitsownthread pool.
Thread pool configured in IgniteConfiguration.
For each partition file. File readed
page by The file is read page by page.
For each page (following steps executed by many thread threadsusing a producer-consumer pattern):
Page is blockedlocked from write operation into regular Ignite Durable Memory.
Page is readedread (from file) into memory. Note, this process doesn“tdoesn't use regular Offheap off-heapIgnite pages.
Page decrypted with the previous key.
Page encrypted with the new key.
Page is written into a file.
Page id is added to reencrypted the re-encryptedpages set(Bloom filter as it has constant size).
Page is unblockedunlocked.
Progress of reencryption re-encryptionis saved to WAL for failover after each X pages processed. X is configured in IgniteConfiguration. End of each partition process is saved to WAL.
Сompletion of partition re-encryption is accompanied by adding a WAL entry
Process state: FINISHED.
Motivation:
Memory footprint [Thread count]*[page size]
Minor affect on regular data operations.
Doesn“t It doesn'tdisplace hot pages from RAM during file scan process.
During reencryption the re-encryptionprocess page may be encrypted with the previous key OR with the new key one.
To decrypt page we have to do the following steps:
Block page from reencryptionre-encryption.
Check in reencrypted re-encryptedpages set is this page processed(see «Pages reencryption re-encryptionprocess description» #3.6)
If page not reencrypted yet we use old key for decryption.
If page reported as reencrypted(Bloom filter may be false positive) we:
Try to decrypt page with new key.
If fail we should try to use old key.
Unblock page from reencryption.
If the node fails in the middle of reencryption the re-encryptionprocess we should resume reencryption the re-encryptionprocess on node startstartup.
We should do the following steps for started but not finished partition file:
Find the last progress record in WAL.
Scan partition from the beginning to last progress record point and just add eache page to reencrypted pages set.
After it we have X pages that MAY BE reencrypted(and may be not). We should find fir not reencrypted page:
Trying to decrypt page with new key.
If fails then page is found.
We should continue reencryption process starting from it.
Administrator initiates process completion via interface by using “cache key removal” command.
Design assume, administrator will check that all nodes successfully change cache key and reencrypt all pages and all required nodes are alive.
Administrator initiates process via some kind of user interface(CLI, Visor, WebConsole, JMX, etc).
Message is sent by discovery.
Message should contain:
new cache key hash.
When server node processed message following actions are executed:
Received cache key hash compared with known cache key hash.
Previous cache key removed from MetaStore.