You are viewing an old version of this page. View the current version.
Compare with Current
View Page History
« Previous
Version 5
Next »
Key rotation required in case of it compromising or at the end of crypto period(key validity period).
Design assumes that administrator will provide ability to get new master key by EncryptionSPI from underlying storage.
Goal:
To implement ability to rotate master encryption key.
New processes:
Master key rotation.
Master key rotation recovery start.
New administrator commands:
Master keys view: node -> master key hash
Cache group keys view: node -> group name -> encryption key hash
Master Key rotation:
Process start:
Administrator initiates key rotation via some kind of user interface(CLI, Visor, Web Console, JMX, etc).
Process description:
- Initiating message is sent by discovery.
- Initiating message should contain:
- New master key hash.
- New master key id.
- When server node processed message following actions are executed:
- It obtain hash of new master key.
- Compares it with the one in message
- If it differs then error added to the message.
- If on step1 there are some errors we log it and cancel process. Otherwise got to step3.
- Action message is sent by discovery.
- Action message sould contain:
- New master key hash.
- New master key id.
- When server node processed message following actions are executed:
- Blocks creation of encrypted cache key.
- Encrypt cache group keys with new master key.
- Unblock creation of encrypted cache key.
- EncryptionSPI executes keys rotation (implementation specific).
Atomic keys rotation should be done in the following way:
- Reencrypt all cache group keys with new master key in a temporary datastructure.
No changes in MetaStore. - Create WAL logical record (MasterKeyChangeRecord) that consist of:
- New master key hash
- Reenctyped cache group keys.
- Write cache group keys to MetaStore.
Node recovery:
- If during node recovery with logical records we found MasterKeyChangeRecord it passed to EncryptionManager.
- When MetaStore becomes available for write, EncryptionManager writes new cache group keys to it.
Process completion:
Process completes when all nodes in cluster will process action message.
Master key rotation recovery start
Motivation:
If some node was unavailable during master key rotation process it will unable to join to the cluster because it has old master key has.
To update this node design introduce master key recovery start option.
Process start:
Administartor initiates process by providing startup option.
Process description:
Node should execute following steps before join to the cluster:
- Obtain old master key by id
- Obtain new master key by id
- Reencrypt cache group keys with new master key and store it to metastore.
- EncryptionSPI executes keys rotation (implementation specific).