Key rotation is required if the key is compromised or at the end of its crypto period (key validity period).
The design assumes that the administrator will provide the ability to obtain the new master key through the EncryptionSPI from the underlying storage.
The goal is to implement the ability to rotate the master encryption key.
New processes:
Master key rotation.
Removal of master key.
Master key rotation recovery start.
New administrator commands:
...
The administrator initiates key rotation via some kind of user interface (CLI, Visor, Web Console, JMX, etc.).
...
...
...
Master cache key encrypted with current master key.
...
...
The administrator initiates process completion via the interface using the “master key removal” command.
The design assumes the administrator will check that all nodes have successfully changed the master key and that all required nodes are alive.
The administrator initiates the process via some kind of user interface (CLI, Visor, WebConsole, JMX, etc.).
The message is sent via discovery.
Message should contain:
New master key hash.
When a server node processes the message, the following actions are executed:
...
The received master key hash is compared with the known master key hash.
The process completes when all nodes in the cluster have processed the action message.
If a node was unavailable during the master key rotation process, it will be unable to join the cluster because it still has the old master key hash.
To update such a node, the design introduces a master key recovery start option.
The administrator initiates the process by providing a startup option.
The node should execute the following steps before joining the cluster:
...
Master key hashes.
Input: nothing.
Output: list of Tuple3 (Node ID, Current key hash, Previous key hash or null).
Cache key hashes.
Input: cache id.
Output: list of Tuple3 (Node ID, Current key hash, Previous key hash or null).
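The rotation, removal and recovery-start processes and the "master key hashes" command described above, as an added Python simulation that is not Apache Ignite code or the design's own implementation. The key-wrapping function, the check that the key loaded from storage matches the hash in the rotation message, and all key values are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass
def key_hash(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()

def wrap(master: bytes, data: bytes) -> bytes:
    # Illustrative key wrapping only (XOR with a hash stream, so it also unwraps); real code uses e.g. AES-KW.
    stream = hashlib.sha256(b"wrap" + master).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class Node:
    node_id: str
    master_key: bytes            # assumed to be obtained from the EncryptionSPI / underlying storage
    cache_keys: dict             # cache id -> cache key wrapped under the current master key
    prev_key_hash: "str | None" = None
    def cur_key_hash(self) -> str:
        return key_hash(self.master_key)

    def rotate(self, new_master: bytes, msg_hash: str) -> None:
        # Assumed check: the key loaded from storage must match the hash carried by the message.
        if key_hash(new_master) != msg_hash:
            raise ValueError(f"{self.node_id}: loaded master key does not match message hash")
        old = self.master_key
        self.cache_keys = {c: wrap(new_master, wrap(old, w)) for c, w in self.cache_keys.items()}
        self.prev_key_hash, self.master_key = key_hash(old), new_master

    def remove_previous(self, msg_hash: str) -> None:
        # "Master key removal": the received hash is compared with the known master key hash.
        if msg_hash != self.cur_key_hash():
            raise ValueError(f"{self.node_id}: removal message hash does not match current key")
        self.prev_key_hash = None

def rotate_master_key(nodes, new_master: bytes, alive: set) -> str:
    # The discovery message reaches only alive nodes; returns the cluster's new master key hash.
    msg_hash = key_hash(new_master)
    for n in nodes:
        if n.node_id in alive:
            n.rotate(new_master, msg_hash)
    return msg_hash

def can_join(node: Node, cluster_hash: str) -> bool:
    return node.cur_key_hash() == cluster_hash

def master_key_hashes(nodes):
    # Administrator command output: (node ID, current key hash, previous key hash or None).
    return [(n.node_id, n.cur_key_hash(), n.prev_key_hash) for n in nodes]

def recovery_start(node: Node, new_master: bytes, cluster_hash: str) -> None:
    # Startup option: the stale node rotates locally with the key from storage before joining.
    node.rotate(new_master, cluster_hash)
```

A node that missed the rotation message fails the join check until it is started with the recovery option, which is the situation the recovery start process exists for.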