Master key (MK) rotation is required if the master key is compromised or when its crypto period (key validity period) ends.
The design assumes that the administrator makes the new master key available to the EncryptionSPI through the underlying key storage.
Master keys are identified by a String keyId.
The administrator initiates key rotation via some kind of user interface (CLI, JMX, Java API, etc.).
Java API:
ignite.encryption().changeMasterKey(String keyId) - starts master key rotation process.
String ignite.encryption().getMasterKeyId() - gets current master key id.
JMX:
changeMasterKey(String keyId)
String getMasterKeyId()
CLI:
control.sh
The process completes when all nodes in the cluster have processed the action message.
If a node was unavailable during the master key rotation, it will be unable to join the cluster because it still has the old master key.
To update such a node, the design introduces a master key recovery process:
Option 1 (auto). The cluster sends its master key id to the joining node. The joining node re-encrypts its cache keys and tries to join the cluster.
Option 2 (manual). The administrator changes the master key id in the configuration. When the node starts, it reads the master key id from the meta storage. If the ids differ, the node re-encrypts its cache keys and tries to join the cluster.
Reject node join: it may otherwise lead to inconsistent master keys in the cluster. (Or, if possible, delay the join until the key rotation process ends.)
Cache keys must not be created during the master key rotation process, so a node throws an exception if a user starts a cache during key rotation.
| Current methods | New methods |
|---|---|
| byte[] masterKeyDigest(); | byte[] masterKeyDigest(String masterKeyId); |
| byte[] encryptKey(Serializable key); | byte[] encryptKey(Serializable key, String masterKeyId); |
| Serializable decryptKey(byte[] key); | Serializable decryptKey(byte[] key, String masterKeyId); |
where masterKeyId is the master key id. If it is null, the default key is used for compatibility reasons.
Add new methods:
public IgniteConfiguration setEncryptionMasterKeyId(String keyId) - sets the master key id.
public String getEncryptionMasterKeyId() - gets the master key id.
MetaStorage will store the master key id.
Currently the joining node sends the MK hash for validation in its node attributes. Attributes can't be modified at runtime, so the joining node will instead send the MK hash in JoiningNodeDiscoveryData.
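The following is an added example, not code from Ignite or from this design: it models the master-key-aware SPI methods from the table above, the cache key re-encryption step that both recovery options perform on a node that missed the rotation, and the MK digest comparison a joining node is subjected to. The interface name MasterKeyAwareEncryptionSpi, the InMemorySpi class, the key ids "master.v1"/"master.v2" and the cache keys are all constructed for the example; the real EncryptionSpi, its key storage and the discovery message format are not reproduced. Save as MasterKeyRotation.java and run with a Java 11+ JDK.

```java
import java.io.*;
import java.security.*;
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class MasterKeyRotation {
    /** Re-wraps every cache key from oldId to newId: the step both recovery options perform on the lagging node. */
    static Map<Integer, byte[]> reencryptCacheKeys(MasterKeyAwareEncryptionSpi spi, Map<Integer, byte[]> wrapped,
                                                  String oldId, String newId) {
        Map<Integer, byte[]> out = new HashMap<>();
        for (Map.Entry<Integer, byte[]> e : wrapped.entrySet())
            out.put(e.getKey(), spi.encryptKey(spi.decryptKey(e.getValue(), oldId), newId));
        return out;
    }

    /** Join validation: the MK digest carried in JoiningNodeDiscoveryData must equal the cluster's current digest. */
    static boolean canJoin(byte[] joiningNodeDigest, byte[] clusterDigest) {
        return MessageDigest.isEqual(joiningNodeDigest, clusterDigest);  // constant-time comparison
    }

    public static void main(String[] args) {
        SecureRandom rnd = new SecureRandom();
        InMemorySpi spi = new InMemorySpi("master.v1");
        spi.addMasterKey("master.v1", randomBytes(rnd, 32));  // administrator provisioned both ids in key storage
        spi.addMasterKey("master.v2", randomBytes(rnd, 32));

        // Constructed sample: two caches, each data-encryption key wrapped under master.v1 on node A.
        Map<Integer, byte[]> nodeA = new HashMap<>();
        nodeA.put(1, spi.encryptKey(randomBytes(rnd, 32), "master.v1"));
        nodeA.put(2, spi.encryptKey(randomBytes(rnd, 32), "master.v1"));
        Map<Integer, byte[]> nodeB = new HashMap<>(nodeA);   // node B holds the same wrapped keys but goes offline

        // changeMasterKey("master.v2") completes on node A; the new id is what its meta storage now records.
        String clusterKeyId = "master.v2";
        nodeA = reencryptCacheKeys(spi, nodeA, "master.v1", clusterKeyId);

        // Node B returns still on master.v1: the digests differ, so its join is rejected.
        String nodeBKeyId = "master.v1";
        System.out.println("B joins before recovery: "
            + canJoin(spi.masterKeyDigest(nodeBKeyId), spi.masterKeyDigest(clusterKeyId)));   // false

        // Option 1 (auto): the cluster sends its id, node B re-wraps its cache keys and retries the join.
        nodeB = reencryptCacheKeys(spi, nodeB, nodeBKeyId, clusterKeyId);
        nodeBKeyId = clusterKeyId;
        System.out.println("B joins after recovery:  "
            + canJoin(spi.masterKeyDigest(nodeBKeyId), spi.masterKeyDigest(clusterKeyId)));   // true

        // Ciphertexts differ (fresh IVs) but both nodes unwrap the same cache key for cache 1.
        byte[] a = (byte[]) spi.decryptKey(nodeA.get(1), clusterKeyId);
        byte[] b = (byte[]) spi.decryptKey(nodeB.get(1), clusterKeyId);
        System.out.println("cache keys consistent: " + Arrays.equals(a, b));                  // true
    }

    static byte[] randomBytes(SecureRandom rnd, int n) { byte[] b = new byte[n]; rnd.nextBytes(b); return b; }
}

/** Stand-in for the extended SPI methods from the table above (an assumption, not Ignite's EncryptionSpi). */
interface MasterKeyAwareEncryptionSpi {
    byte[] masterKeyDigest(String masterKeyId);
    byte[] encryptKey(Serializable key, String masterKeyId);
    Serializable decryptKey(byte[] key, String masterKeyId);
}

/** In-memory key storage: AES-GCM wrapping of serialized cache keys, master keys looked up by id. */
class InMemorySpi implements MasterKeyAwareEncryptionSpi {
    private final Map<String, SecretKeySpec> masterKeys = new HashMap<>();
    private final String defaultId;
    private final SecureRandom rnd = new SecureRandom();

    InMemorySpi(String defaultId) { this.defaultId = defaultId; }

    void addMasterKey(String id, byte[] raw) { masterKeys.put(id, new SecretKeySpec(raw, "AES")); }

    private SecretKeySpec master(String id) {
        SecretKeySpec k = masterKeys.get(id == null ? defaultId : id);  // null id -> default key, as the design says
        if (k == null) throw new IllegalStateException("unknown master key id: " + id);
        return k;
    }

    @Override public byte[] masterKeyDigest(String masterKeyId) {
        try { return MessageDigest.getInstance("SHA-256").digest(master(masterKeyId).getEncoded()); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    @Override public byte[] encryptKey(Serializable key, String masterKeyId) {
        try {
            byte[] iv = new byte[12]; rnd.nextBytes(iv);   // fresh 96-bit nonce per wrap, prepended to the ciphertext
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, master(masterKeyId), new GCMParameterSpec(128, iv));
            byte[] ct = c.doFinal(serialize(key));
            byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
            System.arraycopy(ct, 0, out, iv.length, ct.length);
            return out;
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    @Override public Serializable decryptKey(byte[] key, String masterKeyId) {
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, master(masterKeyId), new GCMParameterSpec(128, key, 0, 12));
            byte[] plain = c.doFinal(key, 12, key.length - 12);   // GCM tag check fails for a wrong master key
            return (Serializable) new ObjectInputStream(new ByteArrayInputStream(plain)).readObject();  // only authenticated bytes are deserialized
        } catch (GeneralSecurityException | IOException | ClassNotFoundException e) {
            throw new IllegalStateException("wrong master key id or corrupt wrapped key", e);
        }
    }

    private static byte[] serialize(Serializable obj) {
        try {
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            ObjectOutputStream oos = new ObjectOutputStream(bos);
            oos.writeObject(obj); oos.close();
            return bos.toByteArray();
        } catch (IOException e) { throw new IllegalStateException(e); }
    }
}
```

The example keeps the re-wrap as a pure function over a copy of the wrapped keys so that a failure (for instance decryptKey throwing because the stored id does not match the key the data was actually wrapped with) leaves the node's existing keys untouched; a real node would only commit the new master key id to its meta storage once every cache key has been re-wrapped, which is the order the two recovery options above rely on.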