Versions Compared

Old Version 23

changes.mady.by.user Pavel Pereslegin

Saved on

compared with

New Version 24

changes.mady.by.user Pavel Pereslegin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Cache encryption key rotation required in case of it compromising or at the end of crypto period (key validity period). in addition, such feature is required to provide support for encrypt and descrypt existing caches in the future.

Security requirement

Payment card industry data security standard (PCI DSS) requires that key-management procedures include a defined cryptoperiod for each key type in use and define a process for key changes at the end of the defined cryptoperiod(s). An expired key should not be used to encrypt new data, but it can be used for archived data, such keys should be strongly protected (section 3.5 - 3.6) [1].
The maximum recommended key lifetime is 2 years [2], and on average it is supposed to be changed every few months [3].

Key rotation in other systems

Out of the box, Oracle and MySQL do not provide an automatic procedure for rotating tablespace keys, master key rotation is supported [4][5], MS SQL Server provide rotation of database encryption key with background re-encryption of existing data [6]. Currently, TDE is being developed for PostgreSQL, but support for tablespace key rotation is not planned [7].

Overview

Local partition re-encryption strategy is similar to partition snapshotting - create partition snapshot encrypted with the new key and then replace the original partition file with the new one.

...

After changing the encryption key, new WAL records will be encrypted with the new key. However, it must be possible to read older WAL records (at least to support historical rebalance).

For reference documentsFor each cache, instead of a key, it is necessary to keep a history of keys in the form WALPointer -> key
(stored the maximum pointer for which the associated key is applicable).

...

  • Inputcache id. 
  • Output: 
    • List of Tuples6 
      • Node ID 
      • Reencryption process state. 
      • Count of partition to process. 
      • Current partition index. 
      • Current partition id. 
      • Count of processed page in current partition. 

Reference Links

  1. PCI DSS Requirements and Security Assessment Procedures
    https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
  2. How Often Do I Need to Rotate Encryption Keys on My SQL Server?
    https://info.townsendsecurity.com/bid/49019/How-Often-Do-I-Need-to-Rotate-Encryption-Keys-on-My-SQL-Server
  3. PCI DSS and key rotations simplified
    https://www.crypteron.com/blog/pci-dss-key-rotations-simplified/
  4. Oracle Transparent Data Encryption FAQ
    https://www.oracle.com/database/technologies/faq-tde.html
  5. InnoDB Data-at-Rest Encryption
    https://dev.mysql.com/doc/refman/8.0/en/innodb-data-encryption.html
  6. Transparent Data Encryption in MS SQL Server
    https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15
  7. Transparent data encryption feature proposed in pgsql-hackers.
    https://wiki.postgresql.org/wiki/Transparent_Data_Encryption#Key_Rotation

Tickets

Jira
serverASF JIRA
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId5aa69414-a9e9-3523-82ec-879b028fb15b
keyIGNITE-12843