Master key rotation is required when the master key is compromised or at the end of its crypto period (key validity period).
The design assumes that the administrator will make the new master key obtainable by the EncryptionSPI from the underlying storage.
The master key is identified by a String masterKeyId. The new master key should be available to the EncryptionSPI on each server node.
Users can control the master key rotation process via a user interface (CLI, JMX, Java API).

Java API:
- ignite.encryption().changeMasterKey(String masterKeyId) - starts the master key rotation process.
- String ignite.encryption().getMasterKeyId() - gets the current master key id.

JMX:
- changeMasterKey(String masterKeyId) - starts the master key rotation process.
- String getMasterKeyId() - gets the current master key id.

CLI:
- control.sh --encryption change_master_key newMasterKeyId
- control.sh --encryption get_master_key
- ignite.sh --change-master-key newMasterKeyId
The rotation process:
- A ChangeMasterKeyMessage is created and sent by discovery as a custom event. The goal is to verify that all nodes have the same master key.
- After that check, the ChangeMasterKeyFinishMessage action message is sent by discovery as a custom event.
- On receiving the action message, each node re-encrypts its cache group keys with the new master key, writes a ChangeMasterKeyRecord and stores the new master key id in the MetaStore.
- The process completes when all nodes in the cluster have processed the action message.
If a node was unavailable during the master key rotation process, it will be unable to join the cluster because it still has the old master key.
To update such a node, the user should run Ignite with the change-master-key command before joining:
ignite.sh --change-master-key newMasterKeyId
The node will re-encrypt its cache keys with the new MK and then try to join the cluster.
Failure cases:
- Node restart during rotation: a node should not try to join the cluster before its ChangeMasterKeyRecord has been processed. Regardless of whether the key rotation finished successfully or not, recovery will be from the record: the ChangeMasterKeyRecord is passed to the EncryptionManager, which writes the new cache group keys to the MetaStore.
- Node join during rotation: reject the node join, since it may lead to inconsistent master keys in the cluster (or, if possible, delay the join until the key rotation process ends).
- Cache start during rotation: cache keys must not be created during the master key rotation process, so a node will throw an exception if a user starts a cache during the key rotation process.
The concept of the masterKeyId will be added to the cache key encryption process in EncryptionSpi.
New methods will be introduced:
setMasterKeyId(String masterKeyId) // Sets the "current" master key id
String getMasterKeyId() // Gets the "current" master key id
The following methods will work with the master key set by the previous method:
byte[] masterKeyDigest()
byte[] encryptKey(Serializable key)
Serializable decryptKey(byte[] key)
This is necessary so that Ignite can decrypt cache keys with the old master key and encrypt them with the new one.
The meta storage will store the master key id. The key id from the meta storage has a higher priority than the key id from EncryptionSpi.
Currently the joining node sends the MK hash for validation in node attributes. Attributes can't be modified at runtime, so the joining node will instead send the MK hash in JoiningNodeDiscoveryData.
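As an added illustration (not part of this design page or of Ignite's code), the following hypothetical Java sketch implements the EncryptionSpi methods above over an in-memory map standing in for the keystore, re-encrypts cache group keys from the old master key to the new one, and shows the master key digest that a joining node is validated against. The master key ids, the cache group id and all keys are constructed; RFC 3394 AES key wrap is used as the wrapping primitive.

```java
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.*;

// Hypothetical sketch of the EncryptionSpi contract above (not Ignite's code); a map stands in for the keystore.
public class MasterKeyRotationDemo {
    private final Map<String, SecretKey> keyStore = new HashMap<>(); // masterKeyId -> master key
    private String masterKeyId;                                        // "current" master key id
    void setMasterKeyId(String id) {
        if (!keyStore.containsKey(id)) throw new IllegalArgumentException("unknown master key " + id);
        masterKeyId = id;
    }
    // Digest of the current master key: joining nodes compare digests, the key itself never leaves the node.
    byte[] masterKeyDigest() throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(keyStore.get(masterKeyId).getEncoded());
    }
    // Wrap a cache group key under the current master key (RFC 3394 AES key wrap, integrity-checked).
    byte[] encryptKey(SecretKey cacheKey) throws Exception {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.WRAP_MODE, keyStore.get(masterKeyId));
        return c.wrap(cacheKey);
    }
    // Unwrap with the current master key; the integrity check fails (InvalidKeyException) under any other master key.
    SecretKey decryptKey(byte[] wrapped) throws Exception {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.UNWRAP_MODE, keyStore.get(masterKeyId));
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }
    // Rotation step on a node: unwrap ALL group keys under the old master key, only then switch the id and re-wrap.
    Map<Integer, byte[]> reencryptCacheKeys(Map<Integer, byte[]> wrapped, String newId) throws Exception {
        Map<Integer, SecretKey> plain = new HashMap<>();
        for (Map.Entry<Integer, byte[]> e : wrapped.entrySet()) plain.put(e.getKey(), decryptKey(e.getValue()));
        setMasterKeyId(newId);
        Map<Integer, byte[]> out = new HashMap<>();
        for (Map.Entry<Integer, SecretKey> e : plain.entrySet()) out.put(e.getKey(), encryptKey(e.getValue()));
        return out;
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        MasterKeyRotationDemo spi = new MasterKeyRotationDemo();
        spi.keyStore.putAll(Map.of("mk-2024", gen.generateKey(), "mk-2025", gen.generateKey())); // constructed master keys
        spi.setMasterKeyId("mk-2024");
        SecretKey grpKey = gen.generateKey(); // constructed key of cache group 42
        Map<Integer, byte[]> wrapped = new HashMap<>(Map.of(42, spi.encryptKey(grpKey)));
        byte[] oldDigest = spi.masterKeyDigest();
        wrapped = spi.reencryptCacheKeys(wrapped, "mk-2025");
        System.out.println("group key readable after rotation: " + MessageDigest.isEqual(grpKey.getEncoded(), spi.decryptKey(wrapped.get(42)).getEncoded()));
        System.out.println("stale node's digest still accepted: " + MessageDigest.isEqual(oldDigest, spi.masterKeyDigest()));
    }
}
```

The first line prints true and the second false: a node that missed the rotation still presents the old digest, which is exactly what the join-time validation rejects.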