Hello, Igniters.

TDE. Phase 1 [1] is ready for review [2].

I met some corner cases during development that I want to describe:

1. Creation of Cache Group Encryption Keys:

        1.1. To build a cache create request we have to create a Cache Group Encryption Key.
        1.2. To create a Cache Group Encryption Key we must have the Master Encryption Key.
        1.3. It's required to have the Master Encryption Key only on server nodes.
        1.4. So, there is no way to generate a cache create request for an encrypted cache on a client node.

        I see two possible solutions:
                1. Create the Cache Group Encryption Key on the coordinator and send it to all server nodes.
                2. Send all params for cache creation to some server node. The server node will execute regular cache creation on receiving the request.

        I propose to postpone this task and disallow creation of an encrypted cache from a client node in the first iteration.

2. Encryption of pages:

        2.1 To gain maximum performance from HDD (SSD) we made the page size a power of 2 (2Kb, 4Kb, etc.)
        2.2 AES CBC mode requires an additional 32 bytes: 16 bytes for a random initialization vector and 16 bytes for padding information.
        2.3 If we encrypt the whole page, its size increases to 32 bytes.

        To fit exactly a "power of two" size when writing a page I apply the following solution:

        I don't use the 32 bytes at the end of each page for an encrypted cache.
        So, at write time the 32 bytes of encryption overhead are added and the overall data size fits the configured page size.

Please share your thoughts.

[1] https://issues.apache.org/jira/browse/IGNITE-8485
[2] https://github.com/apache/ignite/pull/4167
[3] https://cwiki.apache.org/confluence/display/IGNITE/IEP-18%3A+Transparent+Data+Encryption
[4] http://apache-ignite-developers.2346864.n4.nabble.com/Transparent-Data-Encryption-TDE-in-Apache-Ignite-td18957.html

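The size arithmetic from point 2 of the message, as an added Java example (not code from the pull request or from Ignite): a 4096-byte page leaves its last 32 bytes unused so that the AES-CBC output plus the IV fits the page size exactly. The class and method names, the PKCS5Padding choice, storing the IV at the front of the written page and the randomly generated key are assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.security.SecureRandom;
import java.util.Arrays;

// Added illustration: class, method and constant names are hypothetical, not Ignite's.
public class PageEncryptionSketch {
    static final int PAGE_SIZE = 4096;          // configured page size, a power of two
    static final int IV_LEN = 16;               // random initialization vector
    static final int PAD_LEN = 16;              // full padding block (payload is block-aligned)
    static final int USABLE = PAGE_SIZE - IV_LEN - PAD_LEN; // 4064 bytes hold data

    // Encrypts the first USABLE bytes of an in-memory page; the last 32 bytes are never used.
    static byte[] encryptPage(SecretKey key, byte[] page) throws Exception {
        if (page.length != PAGE_SIZE) throw new IllegalArgumentException("bad page size");
        byte[] out = new byte[PAGE_SIZE];
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        System.arraycopy(iv, 0, out, 0, IV_LEN); // assumption: IV stored at the front
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding"); // assumed padding scheme
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        int n = c.doFinal(page, 0, USABLE, out, IV_LEN); // 4064 -> 4080 bytes
        if (IV_LEN + n != PAGE_SIZE) throw new IllegalStateException("size mismatch");
        return out;
    }

    // Restores a PAGE_SIZE buffer; the reserved tail stays zeroed.
    static byte[] decryptPage(SecretKey key, byte[] stored) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(stored, 0, IV_LEN));
        byte[] page = new byte[PAGE_SIZE];
        c.doFinal(stored, IV_LEN, PAGE_SIZE - IV_LEN, page, 0);
        return page;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey(); // stands in for a Cache Group Encryption Key
        byte[] page = new byte[PAGE_SIZE];
        Arrays.fill(page, 0, USABLE, (byte) 0x5A); // constructed sample payload
        byte[] stored = encryptPage(key, page);
        System.out.println("stored bytes: " + stored.length);
        System.out.println("round trip ok: " + Arrays.equals(page, decryptPage(key, stored)));
    }
}
```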