Cache encryption key rotation is required when a key is compromised or when its crypto period (key validity period) ends. In addition, the same feature is required to support encrypting and decrypting existing caches in the future.
...
| | copy | in place |
|---|---|---|
| Amount of disk I/O | 2x | 2x+ (depends on WAL settings) |
| Required disk space | 2x | limited by WAL settings |
| Performance (rough estimate) | faster | slower |
| Implementation complexity (rough estimate) | | |
| Stable topology, read-only | simple | simple |
| Online updates | complex | simple |
| Unstable topology | complex | simple |
The overall process consists of the following steps:
To support multiple keys for reading encrypted data, the key identifier must be stored on each encrypted page and on each encrypted WAL record, so a reader can select the right key while old and new keys coexist.
Scan all pages of the specified range (metapage id + [offset -> total]) and re-encrypt each page under the new key.
Re-encryption progress is stored in the metapage (int offset, int total) and updated during checkpoint, so the scan resumes from the last checkpointed offset after a restart.
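The steps above, as an added worked example (not Ignite's own code or on-disk format): the page header carries a 4-byte key id and a nonce, the key id is bound as associated data so a page cannot be re-labelled to another key, a keyring resolves the id on read, and re-encryption advances an (offset, total) progress record in batches so it can resume after a restart. The key material, page payloads and the `Store`, `MetaPage` and `ReferencedKeyIDs` names are assumptions made for the example; WAL records would be handled the same way but are not modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Toy page layout assumed for this example (not Ignite's on-disk format):
// [key id: 4 bytes][GCM nonce: 12 bytes][ciphertext || tag].
const (
	keyIDSize = 4
	nonceSize = 12
)

// Keyring holds every group key that some page or WAL record may still reference.
type Keyring map[uint32][]byte

func (k Keyring) aead(id uint32) (cipher.AEAD, error) {
	key, ok := k[id]
	if !ok {
		return nil, fmt.Errorf("no group key with id %d", id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPage seals plain under key id and prefixes the id and a fresh nonce.
// The key id is authenticated as associated data, so changing it in the
// header makes decryption fail instead of silently selecting another key.
func (k Keyring) EncryptPage(id uint32, plain []byte) ([]byte, error) {
	g, err := k.aead(id)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, keyIDSize+nonceSize)
	binary.BigEndian.PutUint32(hdr, id)
	if _, err := rand.Read(hdr[keyIDSize:]); err != nil {
		return nil, err
	}
	return append(hdr, g.Seal(nil, hdr[keyIDSize:], plain, hdr[:keyIDSize])...), nil
}

// DecryptPage reads the key id from the header, looks the key up and opens the
// page; it returns the id so callers can see which key the page is under.
func (k Keyring) DecryptPage(page []byte) (uint32, []byte, error) {
	if len(page) < keyIDSize+nonceSize {
		return 0, nil, errors.New("page shorter than header")
	}
	id := binary.BigEndian.Uint32(page)
	g, err := k.aead(id)
	if err != nil {
		return 0, nil, err
	}
	plain, err := g.Open(nil, page[keyIDSize:keyIDSize+nonceSize], page[keyIDSize+nonceSize:], page[:keyIDSize])
	return id, plain, err
}

// MetaPage mirrors the (offset, total) progress record: pages [0, Offset)
// are already under NewKeyID. A real store would flush it at checkpoint.
type MetaPage struct {
	Offset, Total int
	NewKeyID      uint32
}

// Store is an in-memory stand-in for one page range (assumed structure).
type Store struct {
	Keys  Keyring
	Meta  MetaPage
	Pages [][]byte
}

// ReEncrypt re-keys up to batch pages from Meta.Offset, advancing the offset per
// page so the job resumes from the last checkpoint. Pages already under the
// new key (e.g. rewritten by a concurrent update) are skipped.
func (s *Store) ReEncrypt(batch int) error {
	for n := 0; n < batch && s.Meta.Offset < s.Meta.Total; n++ {
		i := s.Meta.Offset
		id, plain, err := s.Keys.DecryptPage(s.Pages[i])
		if err != nil {
			return err
		}
		if id != s.Meta.NewKeyID {
			if s.Pages[i], err = s.Keys.EncryptPage(s.Meta.NewKeyID, plain); err != nil {
				return err
			}
		}
		s.Meta.Offset = i + 1
	}
	return nil
}

// ReferencedKeyIDs counts pages per key id; a key id with no references is not
// needed to read this range (WAL records would need the same check).
func (s *Store) ReferencedKeyIDs() map[uint32]int {
	refs := map[uint32]int{}
	for _, p := range s.Pages {
		refs[binary.BigEndian.Uint32(p)]++
	}
	return refs
}

// PagePayload is the constructed plaintext of page i.
func PagePayload(i int) []byte { return []byte(fmt.Sprintf("cache page %d", i)) }

// SampleStore builds total pages under key id 1 and registers key id 2 as the
// rotation target. Both keys are constructed test values, not real material.
func SampleStore(total int) (*Store, error) {
	keys := Keyring{1: make([]byte, 32), 2: make([]byte, 32)}
	for i := range keys[2] {
		keys[2][i] = 0x42
	}
	s := &Store{Keys: keys, Meta: MetaPage{Total: total, NewKeyID: 2}}
	for i := 0; i < total; i++ {
		p, err := keys.EncryptPage(1, PagePayload(i))
		if err != nil {
			return nil, err
		}
		s.Pages = append(s.Pages, p)
	}
	return s, nil
}

func main() {
	s, err := SampleStore(5)
	if err != nil {
		panic(err)
	}
	for s.Meta.Offset < s.Meta.Total {
		if err := s.ReEncrypt(2); err != nil {
			panic(err)
		}
		fmt.Printf("checkpoint: offset=%d total=%d refs=%v\n", s.Meta.Offset, s.Meta.Total, s.ReferencedKeyIDs())
	}
}
```

The batch size stands in for the work done between two checkpoints; in the mixed state every page stays readable because its header names its key, and the old key can only be dropped from the keyring once nothing references its id.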
The old group key will be removed when
// TBD
// TBD
...