This is an automated email from the ASF dual-hosted git repository.

jiangtian pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git


The following commit(s) were added to refs/heads/master by this push:
     new c5b8d9c8c25 use environment variable and PBKDF to generate main 
encrypt key (#15711)
c5b8d9c8c25 is described below

commit c5b8d9c8c257047bf88ffc773a6ad012fc667402
Author: jintao zhu <[email protected]>
AuthorDate: Mon Jun 16 17:41:08 2025 +0800

    use environment variable and PBKDF to generate main encrypt key (#15711)
    
    * use environment variable and PBKDF to generate main encrypt key
    
    * modify the error information
---
 .../org/apache/iotdb/db/conf/IoTDBDescriptor.java  |  3 ---
 .../org/apache/iotdb/db/conf/IoTDBStartCheck.java  | 29 +++++++++++-----------
 pom.xml                                            |  2 +-
 3 files changed, 16 insertions(+), 18 deletions(-)

diff --git 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/conf/IoTDBDescriptor.java
 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/conf/IoTDBDescriptor.java
index dfd854f724c..a4d199f662d 100644
--- 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/conf/IoTDBDescriptor.java
+++ 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/conf/IoTDBDescriptor.java
@@ -1791,9 +1791,6 @@ public class IoTDBDescriptor {
     TSFileDescriptor.getInstance()
         .getConfig()
         .setEncryptType(properties.getProperty("encrypt_type", "UNENCRYPTED"));
-    TSFileDescriptor.getInstance()
-        .getConfig()
-        .setEncryptKeyFromPath(properties.getProperty("encrypt_key_path", ""));
   }
 
   // Mqtt related
diff --git 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/conf/IoTDBStartCheck.java
 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/conf/IoTDBStartCheck.java
index 27c0a767797..ea05a8dec98 100644
--- 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/conf/IoTDBStartCheck.java
+++ 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/conf/IoTDBStartCheck.java
@@ -29,10 +29,10 @@ import org.apache.iotdb.consensus.ConsensusFactory;
 import org.apache.iotdb.db.storageengine.dataregion.wal.utils.WALMode;
 import org.apache.iotdb.db.storageengine.rescon.disk.DirectoryChecker;
 
-import com.google.common.base.Objects;
 import org.apache.commons.io.FileUtils;
-import org.apache.tsfile.common.conf.TSFileConfig;
+import org.apache.tsfile.common.conf.TSFileDescriptor;
 import org.apache.tsfile.encrypt.EncryptUtils;
+import org.apache.tsfile.exception.encrypt.EncryptException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -41,6 +41,7 @@ import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.Objects;
 import java.util.Properties;
 import java.util.function.Supplier;
 
@@ -306,11 +307,19 @@ public class IoTDBStartCheck {
   }
 
   public void serializeEncryptMagicString() throws IOException {
+    if 
(!Objects.equals(TSFileDescriptor.getInstance().getConfig().getEncryptType(), 
"UNENCRYPTED")
+        && !Objects.equals(
+            TSFileDescriptor.getInstance().getConfig().getEncryptType(),
+            "org.apache.tsfile.encrypt.UNENCRYPTED")) {
+      String token = System.getenv("user_encrypt_token");
+      if (token == null || token.trim().isEmpty()) {
+        throw new EncryptException(
+            "encryptType is not UNENCRYPTED, but user_encrypt_token is not 
set. Please set it in the environment variable.");
+      }
+    }
     String encryptMagicString =
         EncryptUtils.byteArrayToHexString(
-            EncryptUtils.getEncrypt()
-                .getEncryptor()
-                .encrypt(magicString.getBytes(TSFileConfig.STRING_CHARSET)));
+            TSFileDescriptor.getInstance().getConfig().getEncryptKey());
     systemProperties.put(ENCRYPT_MAGIC_STRING, () -> encryptMagicString);
     generateOrOverwriteSystemPropertiesFile();
   }
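Review bot: The value stored under `ENCRYPT_MAGIC_STRING` is now the hex of `getEncryptKey()` itself instead of a ciphertext of `magicString`, so whatever that getter returns becomes readable in the system properties file. Whether it is the raw data key or a key wrapped with the PBKDF-derived main key is not visible in this hunk; if it is the raw key, it sits at rest beside the data it protects. A comment above the assignment should state the contract, for example `// getEncryptKey() returns the data key wrapped by the main key derived from user_encrypt_token, never the raw key`. The property name also no longer matches what it holds. As a style point, the two `getEncryptType()` comparisons could share one local, `String encryptType = TSFileDescriptor.getInstance().getConfig().getEncryptType();`.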
@@ -354,15 +363,7 @@ public class IoTDBStartCheck {
     String encryptMagicString = properties.getProperty("encrypt_magic_string");
     if (encryptMagicString != null) {
       byte[] magicBytes = 
EncryptUtils.hexStringToByteArray(encryptMagicString);
-      String newMagicString =
-          new String(
-              EncryptUtils.getEncrypt().getDecryptor().decrypt(magicBytes),
-              TSFileConfig.STRING_CHARSET);
-      if (!Objects.equal(magicString, newMagicString)) {
-        logger.error("encrypt_magic_string is not matched");
-        throw new ConfigurationException(
-            "Changing encrypt key for tsfile encryption after first start is 
not permitted");
-      }
+      TSFileDescriptor.getInstance().getConfig().setEncryptKey(magicBytes);
     }
   }
 }
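Review bot: The bytes decoded from `encrypt_magic_string` are now passed straight to `setEncryptKey(magicBytes)`, whereas the removed lines rejected a mismatch at startup. From what is visible here, a truncated or edited property, or a restart with a different or missing `user_encrypt_token`, would surface only later as undecryptable data rather than as a clear startup error. Consider validating the decoded value before use, for example `if (magicBytes == null || magicBytes.length == 0) { throw new ConfigurationException("encrypt_magic_string is empty or malformed"); }`. Unless TsFile already verifies the token-derived key elsewhere, keep some check that lets a wrong token fail fast. The enclosing method starts outside the hunk.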
diff --git a/pom.xml b/pom.xml
index ee463c157f7..79faeb15f75 100644
--- a/pom.xml
+++ b/pom.xml
@@ -175,7 +175,7 @@
         <thrift.version>0.14.1</thrift.version>
         <xz.version>1.9</xz.version>
         <zstd-jni.version>1.5.6-3</zstd-jni.version>
-        <tsfile.version>2.1.0-250521-SNAPSHOT</tsfile.version>
+        <tsfile.version>2.1.0-250612-SNAPSHOT</tsfile.version>
     </properties>
     <!--
     if we claim dependencies in dependencyManagement, then we do not claim
