Samunroyu commented on code in PR #1706:
URL: https://github.com/apache/incubator-pegasus/pull/1706#discussion_r1433453244


##########
src/replica/replica_stub.cpp:
##########
@@ -389,9 +422,44 @@ void replica_stub::initialize(const replication_options 
&opts, bool clear /* = f
         }
     }
 
+    if (FLAGS_encrypt_data_at_rest) {
+        key_provider.reset(new dsn::security::KMSKeyProvider(
+            ::absl::StrSplit(FLAGS_hadoop_kms_url, ",", ::absl::SkipEmpty()),
+            FLAGS_encryption_cluster_key_name));
+    }
+
+    std::string server_key;
+    dsn::replication::replica_kms_info kms_info;
+    if (key_provider && !utils::is_empty(FLAGS_hadoop_kms_url)) {
+        auto err = kms_info.load(_options.data_dirs[0]);
+        if (err != dsn::ERR_OK) {
+            LOG_WARNING("Can't open kms-info file to read, this is normal when 
first launch "
+                        "process. err = {}",
+                        err);
+        }
+        // The encryption key should empty when process upon the first launch. 
And the process will
+        // get eek,iv,kv from kms.
+        // After first launch, the encryption key should not empty and get 
from kms-info file. The
+        // process get dek(a.k.a Decrypted Encryption Key) from kms.
+        if (kms_info.eek.empty()) {
+            auto err =
+                key_provider->GenerateEncryptionKey(&kms_info.eek, 
&kms_info.iv, &kms_info.kv);
+            CHECK(err, "get encryption key failed, err = {}", err);
+        }
+        CHECK(
+            key_provider->DecryptEncryptionKey(kms_info.eek, kms_info.iv, 
kms_info.kv, &server_key),
+            "get decryption key failed");
+        FLAGS_server_key = server_key.c_str();
+    }
+
     // Initialize the file system manager.
     _fs_manager.initialize(_options.data_dirs, _options.data_dir_tags);
 
+    if (key_provider && !utils::is_empty(FLAGS_hadoop_kms_url)) {
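
Review bot: In the kms_info.load() error branch, every failure is logged as a warning and treated as a normal first launch, so a kms-info file that exists but cannot be read leaves kms_info.eek empty and falls through to GenerateEncryptionKey(), which requests a new key instead of the one the comment says should come from the kms-info file after the first launch. Consider separating the file-not-found case from other load errors and failing with CHECK on the latter, so that a read error never silently triggers key generation. Two smaller points in the same block: the inner `auto err` inside `if (kms_info.eek.empty())` shadows the outer `err`, and `FLAGS_server_key = server_key.c_str();` points the flag at the buffer of a local std::string, so if the flag is a plain character pointer it will dangle once initialize() returns; storing the key in an object that outlives this function would avoid that.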

Review Comment:
   The rocksdb::env and _options.data_dirs are initialized during 
_fs_manager.initialize(). So it needs to get the decrypted key before 
_fs_manager.initialize() for env initialization, and store the encrypted key 
after _options.data_dirs is initialized.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
