...
To support binary compatibility and keep code clean we creating a new successor of PageMetaIO - PageIndexMetaIO PageMetaIOV2 with the new same type T_INDEX_META.
We converting all existing T_META pages into T_INDEX_METAa new version.
We storing additional 8 bytes at the end of each T_INDEX_META and T_PART_META memory pages.
draw.io Diagram |
---|
border | true |
---|
| |
---|
diagramName | PagePartMetaModV2 |
---|
simpleViewer | false |
---|
width | |
---|
links | auto |
---|
tbstyle | top |
---|
lbox | true |
---|
diagramWidth | 442441 |
---|
revision | 45 |
---|
|
draw.io Diagram |
---|
border | true |
---|
| |
---|
diagramName | PageIndexMetaModV2 |
---|
simpleViewer | false |
---|
width | |
---|
links | auto |
---|
tbstyle | top |
---|
lbox | true |
---|
diagramWidth | 611 |
---|
revision | 5 |
---|
|
...
- Background re-encryption may affect performance. Performance impact can be managed using the following configuration options:
- reencryptionBatchSize - number of pages that are scanned during re-encryption under checkpoint lock.
- reencryptionRateLimit - page scanning speed limit in megabytes per second.
reencryptionThreadCnt - number of threads used for re-encryption(?).
- The WAL history can be not enough to store all entries between checkpoints (this should be carefully tuned by properly setting the size of the WAL history and tuning the re-encryption performance).
- The WAL history (for delta rebalancing) may be lost for all cache groups due to background re-encryption.
Public API changes
IgniteEncryption
New method will be introduced
public IgniteFuture<Void> changeCacheGroupKey(Collection<String> cacheOrGroupNames)
Metrics
Re-encryption process state in CacheGroupMetrics
- ReencryptionPagesLeft - (long) Total pages left for reencryption.
- ReencryptionFinished - (boolean) Indicates whether re-encryption is finished or not (it will set to true only when a checkpoint is finished).
Process management
The following commands should be added to the control.sh utility:
Rotate encryption key.
Code Block |
---|
language | bashtext |
---|
title | command syntax |
---|
|
control.(sh|bat) --encryption change_cache_key cacheGroupName --yes |
Code Block |
---|
language | bashtext |
---|
title | command output |
---|
|
The encryption key has been changed for cache group "default". |
...
View encryption key identifiers.
Code Block |
---|
language | bash |
---|
title | command syntax |
---|
|
control.(sh|bat) --encryption cache_key_ids cacheGroupName |
Code Block |
---|
language | bashtext |
---|
title | command output |
---|
|
Encryption key identifiers for cache: default
Node: d8a5a9bb6085d500-057e2736-41dd4c1f-9a50b47c-0a6fd8000001444cf0a00000:
1 (active)
0
Node: 60bcdb65d98654c0-27156dfb-4a744996-8e93993e-c6b8cdf00000387156300001:
1 (active)
0 |
View cache group re-encryption status.
Code Block |
---|
language | bash | | text |
---|
title | command syntax |
---|
|
Change the encryption key of the cache group:
control.(sh|bat) --encryption changereencryption_cache_key cacheGroupName
Get encryption key identifiers of the cache group:
status cacheGroupName |
Code Block |
---|
language | text |
---|
title | command output |
---|
|
Node 4ed26231-f92d-4b1c-86ba-7a117c200001:
1552 KB of data left for re-encryption
Node 89a456e5-59c5-4f13-a75b-39ab25000000:
1552 KB of data left for re-encryption |
Suspend cache group re-encryption.
Code Block |
---|
language | text |
---|
title | command syntax |
---|
|
control.(sh|bat) --encryption cachesuspend_key_ids cacheGroupName
Get cache group encryption statusreencryption cacheGroupName |
Code Block |
---|
language | text |
---|
title | command output |
---|
|
Node ad1328e7-11e0-4ecb-8ef2-066519e00001:
re-encryption of the cache group "default" has been suspended.
Node 2a9e291f-e2d1-46e3-9954-18deb0e00000:
re-encryption of the cache group "default" has been suspended. |
Resume cache group re-encryption.
Code Block |
---|
language | text |
---|
title | command syntax |
---|
|
control.(sh|bat) --encryption cache_key_ids cacheGroupName
Start cache group re-encryption:
control.(sh|bat) --encryption startresume_reencryption cacheGroupName
Stop |
Code Block |
---|
language | text |
---|
title | command output |
---|
|
Node 2ed43509-caab-48dc-a27d-3be65d800000:
re-encryption of the cache group re-encryption "default" has been resumed.
Node b52d6451-a948-48d5-b79a-411956700001:
re-encryption of the cache group "default" has been resumed. |
View/change re-encryption rate limit.
Code Block |
---|
language | text |
---|
title | command syntax |
---|
|
control.(sh|bat) --encryption stop_reencryption cacheGroupName
View/change re-encryption rate limit:
control.(sh|bat) --encryption reencryption_rate [limit]
Parameters:
limit - decimal value to change rate limit (MB/s) |
Public API changes
IgniteEncryption
New method will be introduced
public IgniteFuture<Void> changeCacheGroupKey(Collection<String> cacheOrGroupNames)
Metrics
Re-encryption process state in CacheGroupMetrics
...
Code Block |
---|
language | text |
---|
title | command output |
---|
|
Node 15cb8485-0c09-4361-b267-107d38400000:
re-encryption rate has been limited to 0.01 MB/s.
Node 909ed414-22e6-477b-b2ca-d1934cd00001:
re-encryption rate has been limited to 0.01 MB/s |
...
Reference Links
- PCI DSS Requirements and Security Assessment Procedures
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf - How Often Do I Need to Rotate Encryption Keys on My SQL Server?
https://info.townsendsecurity.com/bid/49019/How-Often-Do-I-Need-to-Rotate-Encryption-Keys-on-My-SQL-Server - PCI DSS and key rotations simplified
https://www.crypteron.com/blog/pci-dss-key-rotations-simplified/ - Transparent Data Encryption in MS SQL Server
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15 - Oracle Transparent Data Encryption FAQ
https://www.oracle.com/database/technologies/faq-tde.html - InnoDB Data-at-Rest Encryption
https://dev.mysql.com/doc/refman/8.0/en/innodb-data-encryption.html - Transparent data encryption feature proposed in pgsql-hackers.
https://wiki.postgresql.org/wiki/Transparent_Data_Encryption#Key_Rotation
...