Dima, great job!

Looking forward to the feature completion!

On Fri, Mar 2, 2018 at 9:23 AM, Denis Magda <dma...@apache.org> wrote:
> Dmitriy R., Nikolay,
>
> Thanks for the analysis and handout of the architectural design. No doubt,
> it would be a valuable addition to Ignite.
>
> I would encourage you to create an IEP on the wiki and break the work into
> pieces, discussing each specific part with the community.
>
> --
> Denis
>
>
> On Thu, Mar 1, 2018 at 9:29 PM, Nikolay Izhikov <nizhi...@apache.org> wrote:
>
>> Hello, Dmitriy.
>>
>> Thank you for feedback!
>>
>> > Will it be supported?
>>
>> Yes.
>>
>> TDE shouldn't break any of the existing Ignite features.
>> It adds an encrypt/decrypt level when we are writing and reading pages
>> to/from PDS.
>>
>> On Fri, 02/03/2018 at 07:29 +0300, Dmitriy Setrakyan wrote:
>> > I have looked at the design, but could not find anything about running
>> > SQL queries against the encrypted data. Will it be supported?
>> >
>> > D.
>> >
>> > On Thu, Mar 1, 2018 at 8:05 PM, Nikolay Izhikov <nizhi...@apache.org>
>> wrote:
>> >
>> > > Hello, Dima!
>> > >
>> > > Thank you for the document!
>> > >
>> > > I'm ready to implement this feature with you.
>> > >
>> > > Igniters, please share your thoughts about the proposed design.
>> > >
>> > > [1] https://1drv.ms/w/s!AqZdfua4UpmuhneoVhOCiXSUBGIf
>> > >
>> > > On Thu, 01/03/2018 at 15:46 +0300, Дмитрий Рябов (Dmitriy Ryabov) wrote:
>> > > > Hello, Igniters!
>> > > >
>> > > > I investigated the issue and wrote some details in a draft document
>> > > > [1]. I think we should make an IEP for TDE because it is a big change
>> > > > and should be described in a single place, not in a message
>> > > > conversation.
>> > > > Please look at it and write your thoughts. What is not understandable,
>> > > > what should be detailed or described?
>> > > >
>> > > > > Where are we going to store keys (MEK) physically? Would it be
>> > > > > PKCS#11 storage? Where will we store passwords to unlock the storage,
>> > > > > or will it be the responsibility of the user?
>> > > >
>> > > > I think we should provide an interface for MEK storage to let users use
>> > > > the storages they want. I suppose at the first step we should provide a
>> > > > very simple implementation, which will store the MEK on every node, and
>> > > > the MEK will be extracted by the administrator during the cluster
>> > > > activation process. Once the MEK is extracted from the key store, we
>> > > > decrypt the CEKs and destroy the open MEK, leaving open only the cache
>> > > > keys.
>> > > >
>> > > > I think external storage is the user's worry and we shouldn't give users
>> > > > a built-in external storage like Oracle Wallet or Microsoft Azure Key
>> > > > Vault because it will increase Ignite's complexity too much.
>> > > >
>> > > > And yes, we should comply with standards like PKCS#11.
>> > > >
>> > > > > One more thing is how "node gets MEK from coordinator": if we send
>> > > > > a cleartext MEK, such security becomes useless as well.
>> > > >
>> > > > Yeah, that's why we should use a secured connection. As I know, we have
>> > > > an SSL implementation over the JDK implementation, am I right? But we
>> > > > must ensure we use the latest SSL/TLS version.
>> > > >
>> > > > [1] https://1drv.ms/w/s!AqZdfua4UpmuhneoVhOCiXSUBGIf
>>



-- 
Best Regards, Vyacheslav D.
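The key hierarchy sketched in Dmitriy Ryabov's message above (a per-node MEK that wraps per-cache CEKs, unwrapped once at cluster activation, after which the MEK is discarded and only the cache keys stay in memory, with an encrypt/decrypt layer on the way to the page store) is shown here as an added, stand-alone Go example. It is not Ignite code and not taken from the linked design document; the type and function names, the use of AES-GCM for both wrapping and page encryption, and the choice to bind the cache name and page id as associated data are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// WrappedCEK is what a node keeps at rest for one cache: the cache encryption
// key (CEK) sealed under the master encryption key (MEK). The cache name is
// bound as AAD so a blob cannot be re-filed under another cache unnoticed.
// (Hypothetical layout, not Ignite's.)
type WrappedCEK struct {
	Cache string
	Nonce []byte
	Blob  []byte // AES-GCM ciphertext||tag of the raw CEK
}

func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RandomBytes draws n bytes from the OS CSPRNG (used for keys and nonces).
func RandomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Zeroize overwrites key material in place. A cipher.AEAD built from the key
// still holds its own expanded round keys, so drop those references as well.
func Zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// WrapCEK seals a CEK under the MEK for storage beside the cache.
func WrapCEK(mek []byte, cache string, cek []byte) (WrappedCEK, error) {
	aead, err := aesGCM(mek)
	if err != nil {
		return WrappedCEK{}, err
	}
	nonce := RandomBytes(aead.NonceSize())
	return WrappedCEK{Cache: cache, Nonce: nonce, Blob: aead.Seal(nil, nonce, cek, []byte(cache))}, nil
}

// UnwrapCEKs is the activation step: recover every CEK with the MEK, then
// zeroize the MEK buffer so only cache keys remain in process memory.
// A tampered or mis-filed blob fails authentication and aborts activation.
func UnwrapCEKs(mek []byte, wrapped []WrappedCEK) (map[string][]byte, error) {
	defer Zeroize(mek)
	aead, err := aesGCM(mek)
	if err != nil {
		return nil, err
	}
	keys := make(map[string][]byte, len(wrapped))
	for _, w := range wrapped {
		cek, err := aead.Open(nil, w.Nonce, w.Blob, []byte(w.Cache))
		if err != nil {
			return nil, fmt.Errorf("cache %q: wrapped CEK rejected: %w", w.Cache, err)
		}
		keys[w.Cache] = cek
	}
	return keys, nil
}

func pageAAD(pageID uint64) []byte {
	aad := make([]byte, 8)
	binary.BigEndian.PutUint64(aad, pageID)
	return aad
}

// EncryptPage is the per-page layer on the way to the persistent store:
// the stored form is nonce||ciphertext||tag, with the page id bound as AAD.
func EncryptPage(cek []byte, pageID uint64, page []byte) ([]byte, error) {
	aead, err := aesGCM(cek)
	if err != nil {
		return nil, err
	}
	nonce := RandomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, page, pageAAD(pageID))...), nil
}

// DecryptPage reverses EncryptPage and rejects a page that was modified on
// disk or is read back under a different page id.
func DecryptPage(cek []byte, pageID uint64, stored []byte) ([]byte, error) {
	aead, err := aesGCM(cek)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(stored) < ns+aead.Overhead() {
		return nil, errors.New("stored page too short")
	}
	return aead.Open(nil, stored[:ns], stored[ns:], pageAAD(pageID))
}
```

A driver would call WrapCEK once per cache when the cache is created, persist the WrappedCEK beside it, and call UnwrapCEKs with the MEK obtained from the key-store interface the message proposes (a PKCS#11 token, or the simple per-node store for a first step). Two caveats a practitioner would add: the random per-write nonce is fine for a demonstration, but a real page layer that rewrites the same pages constantly needs a counter or key-rotation scheme so GCM's nonce budget is never exceeded; and zeroizing the MEK slice, in Go as in Java, does not scrub the expanded key schedule inside the cipher object, so the cipher built from the MEK must be discarded too.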
