Table of Contents |
---|
Master keyrotation required in case of it compromising is required if it has beencompromisedor at the end of the crypto period (key validity period).
Design assumes that , an administrator will provide an ability to get a new master key by EncryptionSPI
from underlying storage.
...
New master key should must be available to EncryptionSPI
for each server node. The cluster must be active.
Users can control the master key rotation process key via some kind of user interface(CLI, JMX, Java API, etc).
ignite.encryption().changeMasterKey(String
masterKeyIdmasterKeyName)
- starts master key rotation process.String ignite.encryption().
getMasterKeyIdgetMasterKeyName()
- gets current master key idname.changeMasterKey(String
masterKeyIdmasterKeyName)
- starts master key rotation process.String
getMasterKeyIdgetMasterKeyName()
- gets current master key idname.control.sh --encryption change_master_key
newMasterKeyIdnewMasterKeyName
control.sh --encryption get_master_key_name
...
Master key change process consist of two phases:
Each phase is a distributed process.
The goal is to verify that all server nodes have the same master key.
...
The server node begins prepare phase with the MasterKeyChangeRequest
that contains:
Each server node executes the following actions:
Obtains a digest of a
node processed message following actions are executed: It obtain hash ofnew master key. If the digest is unavailable, the process completes with an error.
The coordinator starts the perform phase when the prepare phase is completed without errors.
The coordinator node starts the prepare phase with the MasterKeyChangeRequest
that contains:
Each server node executes the following actions:
ChangeMasterKeyRecord
) that consist of:MetaStore
.Distributed process is a cluster-wide process that accumulates single nodes results to finish itself.
The process consists of the following phases:
InitMessage
sent via discovery.SingleNodeMessage
sent via communication.FullMessage
sent via discovery.Several processes of the same type can be started at the same time.
SingleNodeMessage
with a result will be redirected to the new one).exec
and the finish
actions will be called only ones....
Process The process completes when all nodes in cluster will process action messagethe perform phase completed (all nodes have been re-encrypted their keys).
...
...
If some node was unavailable during master key rotation process it will unable to join to the cluster because it has old master key has.
To update this node design introduce master key recovery process:user should run Ignite with system property (IGNITE_MASTER_KEY_NAME_TO_CHANGE_BEFORE_STARTUP=newMasterKeyName
)
The node will Option 1 (auto). Cluster send to joining node his master key id. The joining node re-encrypt cache keys with new MK and tries try to join to the cluster.
Option 2 (manual). Administrator change master key id in the configuration. When the node starts it reads master key id from meta storage. If keys differ node will re-encrypt cache keys and tries to join to cluster.
A node should not try to join to the cluster before the process of ChangeMasterKeyRecord
. Regardless of whether the key rotation was finished successfully or not, the recovery will be from the record.
ChangeMasterKeyRecord
in the process node recovery it was passed to EncryptionManager
.EncryptionManager
...
Reject node join. It may lead to inconsistent master keys in cluster. (Or if it possible to delay until key rotation process ends)
...
...
Cache keys must not be created during the master key rotation process. So, a node will throw an exception if a user users will start cache during the key rotation process. Moreover, if group keys were generated before the master key was change, starting the cache will be rejected (case of client node starts the cache).
Node will process the critical failure error. Failure handler must stop the node to prevent inconsistent keys in the cluster.
The concept of the masterKeyId will be added to the cache keys encryption process in EncryptionSpi
:
...
New methods
...
byte[] masterKeyDigest();
...
byte[] masterKeyDigest(String masterKeyId);
...
byte[] encryptKey(Serializable key);
...
byte[] encryptKey(Serializable key, String masterKeyId);
will be introduced:
setMasterKeyName(String masterKeyName)
// Sets "current" master key nameString getMasterKeyName()
// Gets "current" master key nameThe following methods will work with master key that was set by previous method:
byte[] masterKeyDigest()
byte[] encryptKey(Serializable key)
Serializable
...
decryptKey(byte[]
...
key)
...
Serializable decryptKey(byte[] key, String masterKeyId);
This is necessary so that Ignite can decrypt cache keys with the old master key and encrypt with the new one.
Meta storage will store name of master key. Key name from meta storage has a higher priority to key name from EncryptionSpi
where masterKeyId - master key id. If null the default key will be used for compatibility reason.
New methods will be added to the IgniteConfiguration:
public IgniteConfiguration setEncryptionMasterKeyId(String keyId) - sets master key id.
...
MetaStorage will store master key id.
Currently, the joining node send sends hash MK for validation in attributes. Attributes can't be modified at runtime. So the joining node will send hash MK in JoiningNodeDiscoveryData
.
Jira | ||||||
---|---|---|---|---|---|---|
|