| ID | IEP-18 |
| Author | Dmitrii Ryabov |
| Sponsor | Nikolay Izhikov |
| Created | 26 March 2018 |
| Status | ACTIVE |
Transparent data encryption automatically and silently protects data at rest (persistence), so users need minimal effort to protect their data. TDE should comply with standards such as PKCS and PCI DSS, so that users spend less on meeting those data-protection requirements.
CEK – Cache Encryption Key. Encrypts cache data and is itself encrypted by the MEK.
MEK – Master Encryption Key. Encrypts the CEKs. The MEK is stored in a key store.
TDE – Transparent Data Encryption.
IgniteConfiguration. An EncryptionSpi instance should be configured to set up
EncryptionSpi – SPI that provides the following capabilities:
Obtain the master key hash.
Create a new cache key.
CacheConfiguration:
Encrypted CEKs are stored in the Meta Store.
The encrypted MEK is stored in a key store that has to be accessible from every server node (java.security.KeyStore is suitable for a basic implementation because it complies with PKCS#11 and PKCS#12 [3]).
MEK and CEKs are stored in encrypted form.
MEK must be accessible during node start.
CEKs are decrypted on Meta Store initialization (node start).
Every encrypted cache must have its own CEK.
Opened keys must be destroyed when they aren't needed anymore (MEK – once the CEKs are encrypted, CEKs – when a node is going down). This requirement comes from PCI DSS 3.6.5 [4].
When a user performs an operation on an encrypted cache, everything goes as usual except for two moments:
The encryption algorithm implementation is provided by the EncryptionSpi implementation.
For the default implementation (KeystoreEncryptionSpi) it is AES.
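The key hierarchy described in the requirements above, written out in plain JCA as an added illustration (this is not code from the IEP or from Ignite's KeystoreEncryptionSpi): the MEK is read from a PKCS#12 java.security.KeyStore, every encrypted cache gets its own AES CEK, CEKs are wrapped under the MEK for storage in the Meta Store and unwrapped at node start, records are encrypted with the CEK, and keys are destroyed once no longer needed. The key-store path, the MEK alias, RFC 3394 AES key wrap for the CEKs and AES-GCM for record data are assumptions; the IEP only states that the default algorithm is AES.

```java
import java.io.FileInputStream;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import javax.security.auth.DestroyFailedException;

public class TdeKeyHierarchyDemo {
    // Assumed (not in the IEP): path of the PKCS#12 key store and the alias of the MEK inside it.
    static final String KS_PATH = "/etc/ignite/master.p12";
    static final String MEK_ALIAS = "ignite.master.key";
    // MEK is read from a java.security.KeyStore of type PKCS12; every server node needs this file at start.
    static SecretKey loadMek(char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(KS_PATH)) { ks.load(in, storePassword); }
        return (SecretKey) ks.getKey(MEK_ALIAS, storePassword); // assumes key password == store password
    }
    // One fresh 256-bit AES CEK per encrypted cache.
    static SecretKey newCacheKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }
    // Wrap the CEK under the MEK (RFC 3394 AES key wrap); this encrypted form is what the Meta Store holds.
    static byte[] wrapCek(SecretKey mek, SecretKey cek) throws Exception {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.WRAP_MODE, mek);
        return c.wrap(cek);
    }
    // Reverse of wrapCek, run on Meta Store initialization (node start).
    static SecretKey unwrapCek(SecretKey mek, byte[] wrapped) throws Exception {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.UNWRAP_MODE, mek);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }
    // Encrypt one record with the cache's CEK: a random 96-bit nonce is prepended to the AES-GCM output.
    static byte[] encryptRecord(SecretKey cek, byte[] plain) throws Exception {
        byte[] iv = new byte[12]; new SecureRandom().nextBytes(iv); // fresh nonce per record
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, cek, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain), out = new byte[12 + ct.length];
        System.arraycopy(iv, 0, out, 0, 12);
        System.arraycopy(ct, 0, out, 12, ct.length);
        return out;
    }
    // PCI DSS 3.6.5: zeroise a key once it is no longer needed (MEK after the CEKs are unwrapped, CEKs on
    // node stop). Not every JCE key class implements destroy(); in that case only the reference is dropped.
    static void destroyKey(SecretKey k) {
        try { k.destroy(); } catch (DestroyFailedException e) { /* provider cannot zeroise in place */ }
    }
}
```

The Meta Store only ever sees the output of wrapCek, and loadMek plus unwrapCek are the only steps that must succeed at node start; a missing or unreadable key store fails the node before any cache is opened.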
1. PKCS#11 - http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
2. PCI DSS Glossary - https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3-2.pdf
3. PKCS#12 - https://tools.ietf.org/html/rfc7292
4. PCI DSS - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf
5. Java Cryptography Architecture - https://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html