...

MS SQL Server provides rotation of the database encryption key with background re-encryption of existing data [4]. Oracle and MySQL, out of the box, do not provide an automatic procedure for rotating tablespace keys; only master key rotation is supported [5][6]. TDE is currently being developed for PostgreSQL, but support for tablespace key rotation is not planned [7].

Overview

...

Partition re-encryption strategies

At the moment, encryption happens at the page memory level: a page is encrypted when it is written to the file page store or to the WAL.

Copy with re-encryption

This strategy is similar to partition snapshotting: create a snapshot of the partition encrypted with the new key, then replace the original partition file with the new one.

In-place re-encryption

Sequentially read all the pages from the data store, mark them as dirty and log them into the WAL. The checkpointer then writes the pages encrypted with the new key.

This strategy requires a change to the encrypted page format so that each page stores the identifier (number) of the key it was encrypted with; otherwise a reader cannot tell which key generation a page belongs to while re-encryption is in progress.
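The following Java class is an added illustration of that page format, written for this design note; it is not Ignite's page layout or encryption code. It assumes a one-byte key id at the start of every encrypted page, uses AES-GCM with a per-page nonce (the cipher choice is the example's, not the design's), and folds the dirty-page/WAL/checkpoint path into a direct rewrite so that the key-id lookup on read and the idempotent re-encryption walk are the only things shown. The key registry, the `KeyIdPageStore` name and the sample pages are all constructed for the example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Toy page store in which every encrypted page starts with the id of the key that
 * encrypted it. Example code for this design note, not Ignite's page format.
 */
public class KeyIdPageStore {
    private static final int KEY_ID_LEN = 1;  // assumed header: one byte key id (up to 255 generations)
    private static final int NONCE_LEN = 12;  // AES-GCM nonce, a choice made for this example
    private static final int TAG_BITS = 128;

    private final Map<Integer, SecretKey> keys = new HashMap<>();
    private final SecureRandom rnd = new SecureRandom();
    private int currentKeyId;

    void addKey(int keyId, SecretKey key) {
        if (keyId < 0 || keyId > 255) throw new IllegalArgumentException("key id must fit the header byte");
        keys.put(keyId, key);
    }

    void setCurrentKey(int keyId) {
        if (!keys.containsKey(keyId)) throw new IllegalStateException("unknown key id " + keyId);
        currentKeyId = keyId;
    }

    /** Key id stored in the page header. */
    static int keyIdOf(byte[] page) { return page[0] & 0xFF; }

    /** Encrypts a plaintext page with the current key. Layout: [keyId][nonce][ciphertext || tag]. */
    byte[] encryptPage(byte[] plain) throws Exception {
        byte[] nonce = new byte[NONCE_LEN];
        rnd.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keys.get(currentKeyId), new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(KEY_ID_LEN + NONCE_LEN + ct.length)
                .put((byte) currentKeyId).put(nonce).put(ct).array();
    }

    /** Decrypts a page with whichever key generation wrote it, as recorded in its header. */
    byte[] decryptPage(byte[] page) throws Exception {
        SecretKey key = keys.get(keyIdOf(page));
        if (key == null) throw new IllegalStateException("no key for id " + keyIdOf(page));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, page, KEY_ID_LEN, NONCE_LEN));
        int hdr = KEY_ID_LEN + NONCE_LEN;
        return c.doFinal(page, hdr, page.length - hdr);  // AEADBadTagException on a wrong key or a modified page
    }

    /** In-place re-encryption: rewrite every page not yet under the current key. Returns the number rewritten. */
    int reencryptAll(byte[][] pages) throws Exception {
        int rewritten = 0;
        for (int i = 0; i < pages.length; i++) {
            if (keyIdOf(pages[i]) == currentKeyId) continue;  // already done, e.g. when resuming after a restart
            pages[i] = encryptPage(decryptPage(pages[i]));
            rewritten++;
        }
        return rewritten;
    }

    static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    public static void main(String[] args) throws Exception {
        KeyIdPageStore store = new KeyIdPageStore();
        store.addKey(1, newKey());
        store.setCurrentKey(1);

        // Constructed sample partition: four pages written under key 1.
        byte[][] pages = new byte[4][];
        for (int i = 0; i < pages.length; i++)
            pages[i] = store.encryptPage(("page-" + i).getBytes(StandardCharsets.UTF_8));

        // Rotation: key 2 becomes current; the old pages still carry key id 1 and stay readable.
        store.addKey(2, newKey());
        store.setCurrentKey(2);
        System.out.println("key id of page 0 before re-encryption: " + keyIdOf(pages[0]));
        System.out.println("still readable: " + new String(store.decryptPage(pages[0]), StandardCharsets.UTF_8));

        int n = store.reencryptAll(pages);
        System.out.println("pages rewritten: " + n + ", key id of page 0 now: " + keyIdOf(pages[0]));
        System.out.println("second pass rewrites: " + store.reencryptAll(pages));
        System.out.println("content intact: "
                + Arrays.equals(store.decryptPage(pages[3]), "page-3".getBytes(StandardCharsets.UTF_8)));
    }
}
```

The point the header byte buys is visible in `reencryptAll`: a walk that is interrupted and restarted skips pages already under the current key instead of re-reading them with the wrong key, and a reader during the walk never has to guess which generation a page belongs to. The old key can only be retired once no page in the store carries its id any more.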

Comparison


Copy with re-encryption design

Cluster-wide process consists of the following steps:

...

  1. Acquire the checkpoint lock.
  2. Swap all partition files:
    a. Back up the original file.
    b. Move the re-encrypted file into the place of the original one.
  3. Change the encryption key(s) in the metastore (update the encryption key history: add the new key and record the current WAL pointer against the previous key).
  4. Cancel checkpoint updates for the copied partitions.
  5. Release the checkpoint lock.
  6. Force a checkpoint.
  7. Remove the partition backups (step 2a).

WAL

After changing the encryption key, new WAL records will be encrypted with the new key. However, it must be possible to read older WAL records (at least to support historical rebalance).

...

When a WAL segment that a WALPointer in the key history refers to is removed, the corresponding key(s) should be removed as well.
When the WAL is cleared, the key history must likewise be cleared (except for the last, current key).
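The bookkeeping described in step 3 of the copy design above and in this WAL section, as an added example that is not part of the original page or of Ignite: a key history in which each retired key is stamped with the WAL pointer at which it stopped being used, a lookup that picks the key for any older record (as historical rebalance would need), and a pruning step that drops keys once the WAL segments they covered are gone while never dropping the current key. WAL pointers are simplified to a single monotonically increasing `long`, and `WalKeyHistory`, the key ids and the pointer values are all constructed for the example.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

/** Toy model of the encryption key history kept in the metastore. Example code, not Ignite's. */
public class WalKeyHistory {
    /** A retired key applies to WAL records whose pointer is strictly below {@code endPtr}. */
    static final class Entry {
        final int keyId;
        final long endPtr;
        Entry(int keyId, long endPtr) { this.keyId = keyId; this.endPtr = endPtr; }
    }

    private final List<Entry> retired = new ArrayList<>();  // oldest first, ascending endPtr
    private int currentKeyId;

    WalKeyHistory(int initialKeyId) { currentKeyId = initialKeyId; }

    /** Rotation: stamp the previous key with the current WAL pointer and make the new key current. */
    void rotate(int newKeyId, long currentWalPtr) {
        if (!retired.isEmpty() && retired.get(retired.size() - 1).endPtr > currentWalPtr)
            throw new IllegalArgumentException("WAL pointer went backwards: " + currentWalPtr);
        retired.add(new Entry(currentKeyId, currentWalPtr));
        currentKeyId = newKeyId;
    }

    /** Key needed to read a record written at {@code ptr}: the first retired key still covering it, else the current one. */
    int keyIdFor(long ptr) {
        for (Entry e : retired)
            if (ptr < e.endPtr) return e.keyId;
        return currentKeyId;
    }

    /**
     * WAL truncated: every record with a pointer below {@code truncPtr} is gone, so a retired key whose
     * range ends at or before that point has nothing left to decrypt. The current key is never in the list.
     * Returns the number of keys dropped.
     */
    int onWalTruncated(long truncPtr) {
        int dropped = 0;
        for (Iterator<Entry> it = retired.iterator(); it.hasNext(); ) {
            if (it.next().endPtr <= truncPtr) { it.remove(); dropped++; }
        }
        return dropped;
    }

    int currentKeyId() { return currentKeyId; }
    int retiredCount() { return retired.size(); }

    public static void main(String[] args) {
        WalKeyHistory h = new WalKeyHistory(1);
        h.rotate(2, 100);   // key 1 now covers records with ptr < 100
        h.rotate(3, 250);   // key 2 covers 100 <= ptr < 250; key 3 is current

        System.out.println("ptr 50 -> key " + h.keyIdFor(50));     // 1
        System.out.println("ptr 100 -> key " + h.keyIdFor(100));   // 2
        System.out.println("ptr 249 -> key " + h.keyIdFor(249));   // 2
        System.out.println("ptr 300 -> key " + h.keyIdFor(300));   // 3

        System.out.println("dropped after truncation at 100: " + h.onWalTruncated(100));   // 1 (key 1)
        System.out.println("dropped after truncation at 1000: " + h.onWalTruncated(1000)); // 1 (key 2)
        System.out.println("retired keys left: " + h.retiredCount() + ", current key: " + h.currentKeyId());
    }
}
```

The invariant worth checking in a real implementation is the one `onWalTruncated` relies on: a key may be deleted only when no retained WAL record (and, for the copy design, no partition file) was written under it, and the current key is never a candidate regardless of how far the WAL has been cleared.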

Recovery

The re-encryption procedure does not start if there are LOST partitions in the cache group or if any baseline node is missing (this is a limitation of the initial design and should be improved in the future).
The cache stop operation is rejected for cache groups in which re-encryption is in progress.

...