...

If a node crashes during the replacement of the partitions, the original backup copies of the partitions are restored when the node starts.
If major topology changes during key rotation - cancelling whole procedure.
Minor topology changes should not affect re-encryption procedure.
If the partition is scheduled for eviction during re-encryption, cancel the re-encryption of this partition.

Process management

// TBD

Public API changes

IgniteEncryption

...

public IgniteFuture<Void> changeGroupKey(Collection<Integer> groups) throws IgniteCheckedException;

// TBD

Monitoring

Re-encryption process state. 

• Input: cache id. 
• Output: 
  • List of Tuples6 
    • Node ID 
    • Reencryption process state. 
    • Count of partition to process. 
    • Current partition index. 
    • Current partition id. 
    • Count of processed page in current partition. 

// TBD

Reference Links

1. PCI DSS Requirements and Security Assessment Procedures
   https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
2. How Often Do I Need to Rotate Encryption Keys on My SQL Server?
   https://info.townsendsecurity.com/bid/49019/How-Often-Do-I-Need-to-Rotate-Encryption-Keys-on-My-SQL-Server
3. PCI DSS and key rotations simplified
   https://www.crypteron.com/blog/pci-dss-key-rotations-simplified/
4. Transparent Data Encryption in MS SQL Server
   https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15
5. Oracle Transparent Data Encryption FAQ
   https://www.oracle.com/database/technologies/faq-tde.html
6. InnoDB Data-at-Rest Encryption
   https://dev.mysql.com/doc/refman/8.0/en/innodb-data-encryption.html
7. Transparent data encryption feature proposed in pgsql-hackers.
   https://wiki.postgresql.org/wiki/Transparent_Data_Encryption#Key_Rotation

...