
Motivation

Master key rotation is required when the master key is compromised or when its crypto period (key validity period) ends.

The design assumes that the administrator makes the new master key available to the EncryptionSPI from the underlying key storage.

Definitions

  • MK – Master Key. Encrypts cache group keys. The master key is stored in some key storage. Master keys are identified by a String masterKeyName.

Prerequisites

The new master key should be available to the EncryptionSPI on each server node.

Process management

Users can control the master key rotation process via a user interface (CLI, JMX, Java API).

  • Java API:
    ignite.encryption().changeMasterKey(String masterKeyName) - starts the master key rotation process.
    String ignite.encryption().getMasterKeyName() - gets the current master key name.

  • JMX:
    changeMasterKey(String masterKeyName) - starts the master key rotation process.
    String getMasterKeyName() - gets the current master key name.

  • CLI:
    # Starts master key rotation.
    control.sh --encryption change_master_key newMasterKeyName

    # Displays the cluster's current master key name.
    control.sh --encryption get_master_key_name

Process description

  1. A node creates the MasterKeyChangeMessage message and sends it by discovery as a custom event. The goal is to verify that all nodes have the same master key.
    1. The initiating message should contain:
      1. New master key id
      2. New master key hash
    2. When a server node processes the message, the following actions are executed:
      1. It obtains the hash of the new master key.
      2. It compares it with the one in the message.
      3. If it differs, an error is added to the message.
      4. It stores the master key id and hash locally.
  2. If there are errors after step 1, they are logged and the process is cancelled. Otherwise, go to step 3.
  3. The MasterKeyChangeMessage ack (action) message is sent by discovery as a custom event.
    1. The action message should contain:
      1. New master key id
      2. New master key hash
    2. When a server node processes the message, the following actions are executed:
      1. It checks that there are no errors in the message and that the cluster is active (the WAL should be available for writes so that the change is logged correctly and survives cluster restarts). Otherwise, the process is cancelled with an error.
      2. It checks that the master key id and hash are the same as those taken from the first message. Otherwise, this is logged and the process is cancelled.
      3. It blocks creation of encrypted cache keys.
      4. It re-encrypts all cache group keys with the new master key in a temporary data structure. No changes are made in the MetaStore yet.
      5. It creates a WAL logical record (ChangeMasterKeyRecord) consisting of:
        1. New master key id
        2. Re-encrypted cache group keys
      6. It writes the cache group keys to the MetaStore.
      7. It unblocks creation of encrypted cache keys.

Process completion

The process completes when all nodes in the cluster have processed the action message.

Corner cases

Node was down during key rotation. MasterKeyChangeRecord was not found.

If a node was unavailable during the master key rotation process, it will be unable to join the cluster because it still has the old master key.

To update this node, the user should start Ignite with the system property IGNITE_MASTER_KEY_NAME_TO_CHANGE_BEFORE_STARTUP=newMasterKeyId.

The node will re-encrypt its cache group keys with the new MK and then try to join the cluster.

Node was down during key rotation. MasterKeyChangeRecord found.

A node should not try to join the cluster before ChangeMasterKeyRecord has been processed. Regardless of whether the key rotation finished successfully or not, recovery is performed from the record.

  1. If ChangeMasterKeyRecord is found during node recovery with logical records, it is passed to EncryptionManager.
  2. When the MetaStore becomes available for writes, EncryptionManager writes the new cache group keys to it.

Node join during key rotation process

The node join is rejected, since it may lead to inconsistent master keys in the cluster.

Cache start during key rotation process

Cache keys must not be created during the master key rotation process, so a node throws an exception if a user starts a cache during key rotation.

Public java API changes

EncryptionSpi

The concept of the masterKeyId will be added to the cache key encryption process in EncryptionSpi:

New methods will be introduced:

  • setMasterKeyName(String masterKeyName) // Sets the "current" master key name
  • String getMasterKeyName() // Gets the "current" master key name

The following methods will work with the master key set by the previous method:

  • byte[] masterKeyDigest() 
  • byte[] encryptKey(Serializable key) 
  • Serializable decryptKey(byte[] key) 

This is necessary so that Ignite can decrypt cache keys with the old master key and encrypt them with the new one.
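The two-phase process described above and the EncryptionSpi methods just listed, as an added Java example that is not part of this IEP or of Ignite's own code: NodeSpi is a hypothetical stand-in for one node's EncryptionSpi plus its MetaStore of wrapped group keys (master keys are AES keys held in an in-memory map, group keys are wrapped with RFC 3394 AES key wrap, and the digest is SHA-256 of the raw key), while verify and rotate mimic the MasterKeyChangeMessage check and the action-message re-encryption.

```java
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
class NodeSpi {
    private final Map<String, SecretKey> keyStorage; // underlying key storage provisioned by the admin (assumed)
    private String masterKeyName;                    // "current" master key name
    Map<String, byte[]> metaStore = new HashMap<>(); // cache group -> group key wrapped under the current MK
    NodeSpi(Map<String, SecretKey> keyStorage, String mkName) { this.keyStorage = keyStorage; masterKeyName = mkName; }
    void setMasterKeyName(String name) {
        if (!keyStorage.containsKey(name)) throw new IllegalStateException("master key not available: " + name);
        masterKeyName = name;
    }
    String getMasterKeyName() { return masterKeyName; }
    byte[] masterKeyDigest() throws Exception { // SHA-256 of the raw key; this is what nodes compare in phase 1
        return MessageDigest.getInstance("SHA-256").digest(keyStorage.get(masterKeyName).getEncoded());
    }
    byte[] encryptKey(SecretKey grpKey) throws Exception { // RFC 3394 key wrap under the current MK
        Cipher c = Cipher.getInstance("AESWrap"); c.init(Cipher.WRAP_MODE, keyStorage.get(masterKeyName)); return c.wrap(grpKey);
    }
    SecretKey decryptKey(byte[] wrapped) throws Exception {
        Cipher c = Cipher.getInstance("AESWrap"); c.init(Cipher.UNWRAP_MODE, keyStorage.get(masterKeyName));
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }
}
public class MasterKeyRotation {
    /** Phase 1 (MasterKeyChangeMessage): each node checks that its copy of the new MK matches the initiator's digest. */
    static List<String> verify(List<NodeSpi> nodes, String newName, byte[] expectedDigest) throws Exception {
        List<String> errors = new ArrayList<>();
        for (int i = 0; i < nodes.size(); i++) {
            NodeSpi n = nodes.get(i); String old = n.getMasterKeyName();
            try {
                n.setMasterKeyName(newName);
                if (!Arrays.equals(n.masterKeyDigest(), expectedDigest)) errors.add("node" + i + ": digest mismatch");
            } catch (IllegalStateException e) { errors.add("node" + i + ": " + e.getMessage()); }
            finally { n.setMasterKeyName(old); } // phase 1 only verifies; the old MK stays current
        }
        return errors; // non-empty -> log and cancel, never send the action message
    }
    /** Phase 2 (action message): unwrap group keys with the old MK, re-wrap with the new one, then swap the MetaStore. */
    static void rotate(NodeSpi n, String newName) throws Exception {
        Map<String, SecretKey> plain = new HashMap<>();
        for (Map.Entry<String, byte[]> e : n.metaStore.entrySet()) plain.put(e.getKey(), n.decryptKey(e.getValue()));
        n.setMasterKeyName(newName);
        Map<String, byte[]> tmp = new HashMap<>(); // temporary structure; ChangeMasterKeyRecord would be logged from it
        for (Map.Entry<String, SecretKey> e : plain.entrySet()) tmp.put(e.getKey(), n.encryptKey(e.getValue()));
        n.metaStore = tmp; // MetaStore is written only after the WAL record
    }
}
```

The initiator computes expectedDigest the same way (set the new name, call masterKeyDigest(), restore the old name), calls verify() over all nodes, and only when the returned list is empty calls rotate() on every node; a node whose storage holds a different key under the new name is reported in phase 1 and nothing is re-encrypted.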


Code changes

Meta Storage

The meta storage will store the master key name. The key name from the meta storage takes priority over the key name from EncryptionSpi.

Node attribute

Currently, a joining node sends the MK hash for validation in its node attributes. Attributes can't be modified at runtime, so the joining node will instead send the MK hash in JoiningNodeDiscoveryData.

Tickets
