...

To support binary compatibility and keep the code clean, we create a new successor of PageMetaIO, PageMetaIOV2, with the same type.

We convert all existing T_META pages into the new version.

We store an additional 8 bytes at the end of each T_INDEX_META and T_PART_META memory page.

[Diagram: PagePartMetaModV2]

[Diagram: PageIndexMetaModV2]

...

  • Background re-encryption may affect performance. Performance impact can be managed using the following configuration options:
    1. reencryptionBatchSize - number of pages that are scanned during re-encryption under checkpoint lock.
    2. reencryptionRateLimit - page scanning speed limit in megabytes per second.
    3. reencryptionThreadCnt - number of threads used for re-encryption (?).
  • The WAL history may be too small to hold all entries between checkpoints (this must be tuned carefully by setting the size of the WAL history appropriately and tuning re-encryption performance).
  • The WAL history (for delta rebalancing) may be lost for all cache groups due to background re-encryption.

Public API changes

IgniteEncryption

A new method will be introduced:

public IgniteFuture<Void> changeCacheGroupKey(Collection<String> cacheOrGroupNames)

Metrics

Re-encryption process state in CacheGroupMetrics

  • ReencryptionPagesLeft - (long) Total pages left for reencryption.
  • ReencryptionFinished - (boolean) Indicates whether re-encryption is finished (it is set to true only when a checkpoint is finished).

Process management

The following commands should be added to the control.sh utility:

Rotate encryption key.

Command syntax:

    control.(sh|bat) --encryption change_cache_key cacheGroupName --yes

Command output:

    The encryption key has been changed for cache group "default".

...

Command syntax:

    control.(sh|bat) --encryption cache_key_ids cacheGroupName

Command output:

    Encryption key identifiers for cache: default
      Node: 6085d500-2736-4c1f-b47c-444cf0a00000:
        1 (active)
        0
      Node: d98654c0-6dfb-4996-993e-387156300001:
        1 (active)
        0

View cache group re-encryption status.

Command syntax:

    control.(sh|bat) --encryption reencryption_status cacheGroupName

Command output:

    Encryption status for cache group: default
      Node: 4ed26231-f92d-4b1c-86ba-7a117c200001:
        1552 KB of data left for re-encryption
      Node: 89a456e5-59c5-4f13-a75b-39ab25000000:
        1552 KB of data left for re-encryption

...

Suspend cache group re-encryption.

Command syntax:

    control.(sh|bat) --encryption suspend_reencryption cacheGroupName

Command output:

      Node ad1328e7-11e0-4ecb-8ef2-066519e00001:
        re-encryption of the cache group "default" has been suspended.
      Node 2a9e291f-e2d1-46e3-9954-18deb0e00000:
        re-encryption of the cache group "default" has been suspended.

...

Resume cache group re-encryption.

Command syntax:

    control.(sh|bat) --encryption resume_reencryption cacheGroupName

Command output:

      Node 2ed43509-caab-48dc-a27d-3be65d800000:
        re-encryption of the cache group "default" has been resumed.
      Node b52d6451-a948-48d5-b79a-411956700001:
        re-encryption of the cache group "default" has been resumed.

View/change re-encryption rate limit.

Command syntax:

    control.(sh|bat) --encryption reencryption_rate [limit]

    Parameters:
        limit  - decimal value to change rate limit (MB/s)

Command output:

      Node 15cb8485-0c09-4361-b267-107d38400000:
        re-encryption rate has been limited to 0.01 MB/s.
      Node 909ed414-22e6-477b-b2ca-d1934cd00001:
        re-encryption rate has been limited to 0.01 MB/s.
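
The checks an operator would script around the commands above, as an added example (not part of the original page or of the project's code): it parses the cache_key_ids and re-encryption status output formats shown on this page to confirm that every node reports the same active key id and to total the data still waiting for re-encryption. The sample outputs and node names are constructed, and the function names are hypothetical.

```shell
# Added example; sample outputs are constructed, node names are placeholders.
# stdin: output of `--encryption cache_key_ids`.
# Prints the active key id when every node reports the same one, else returns 1.
consistent_active_key() {
    awk '
        /^ *Node/    { nodes++; next }
        /\(active\)/ { active[$1]++; seen++ }
        END {
            n = 0
            for (id in active) { n++; key = id }
            if (nodes > 0 && n == 1 && seen == nodes) { print key; exit 0 }
            exit 1
        }'
}

# stdin: re-encryption status output. Prints total KB left across all nodes.
kb_left_total() {
    awk '/KB of data left for re-encryption/ { sum += $1 } END { print sum + 0 }'
}

# $1 = cache_key_ids output, $2 = status output. Summarises rotation progress.
# 0 KB left is not "finished": ReencryptionFinished waits for a checkpoint.
rotation_state() {
    key=$(printf '%s\n' "$1" | consistent_active_key) || { echo "inconsistent"; return 1; }
    left=$(printf '%s\n' "$2" | kb_left_total)
    if [ "$left" -gt 0 ]; then echo "key=$key reencrypting left_kb=$left"
    else echo "key=$key no-data-left"; fi
}

KEYS_OK='Encryption key identifiers for cache: default
  Node: node-A:
    1 (active)
    0
  Node: node-B:
    1 (active)
    0'
KEYS_SPLIT='Encryption key identifiers for cache: default
  Node: node-A:
    1 (active)
    0
  Node: node-B:
    0 (active)'
STATUS='Encryption status for cache group: default
  Node: node-A:
    1552 KB of data left for re-encryption
  Node: node-B:
    1552 KB of data left for re-encryption'
rotation_state "$KEYS_OK" "$STATUS"
```

A node that still reports the previous key id as active after a rotation shows up as "inconsistent", which is the case to investigate before relying on the new key.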

...
