...
- Background re-encryption may affect performance. Performance impact can be managed using the following configuration options:
- reencryptionBatchSize - number of pages that are scanned during re-encryption under checkpoint lock.
- reencryptionRateLimit - page scanning speed limit in megabytes per second.
reencryptionThreadCnt - number of threads used for re-encryption(?).
- The WAL history can be not enough to store all entries between checkpoints (this should be carefully tuned by properly setting the size of the WAL history and tuning the re-encryption performance).
- The WAL history (for delta rebalancing) may be lost for all cache groups due to background re-encryption.
Public API changes
IgniteEncryption
New method will be introduced
public IgniteFuture<Void> changeCacheGroupKey(Collection<String> cacheOrGroupNames)
Metrics
Re-encryption process state in CacheGroupMetrics
- ReencryptionPagesLeft - (long) Total pages left for reencryption.
- ReencryptionFinished - (boolean) Indicates whether re-encryption is finished or not (it will set to true only when a checkpoint is finished).
Process management
The following commands should be added to the control.sh utility:
...
Code Block |
---|
language | text |
---|
title | command output |
---|
|
Node acb45f4b-9f3c-47ea-816b-548995400000: reencryption rate is limited to 0.01 MB/s.
Node 107f080d-2dc5-4629-95a0-048090a00001: reencryption rate is limited to 0.01 MB/s. |
Public API changes
IgniteEncryption
New method will be introduced
public IgniteFuture<Void> changeCacheGroupKey(Collection<String> cacheOrGroupNames)
Metrics
Re-encryption process state in CacheGroupMetrics
...
Reference Links
- PCI DSS Requirements and Security Assessment Procedures
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf - How Often Do I Need to Rotate Encryption Keys on My SQL Server?
https://info.townsendsecurity.com/bid/49019/How-Often-Do-I-Need-to-Rotate-Encryption-Keys-on-My-SQL-Server - PCI DSS and key rotations simplified
https://www.crypteron.com/blog/pci-dss-key-rotations-simplified/ - Transparent Data Encryption in MS SQL Server
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15 - Oracle Transparent Data Encryption FAQ
https://www.oracle.com/database/technologies/faq-tde.html - InnoDB Data-at-Rest Encryption
https://dev.mysql.com/doc/refman/8.0/en/innodb-data-encryption.html - Transparent data encryption feature proposed in pgsql-hackers.
https://wiki.postgresql.org/wiki/Transparent_Data_Encryption#Key_Rotation
...