[ https://issues.apache.org/jira/browse/IGNITE-12843?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pavel Pereslegin updated IGNITE-12843:
--------------------------------------
    Description: 
Add the ability to rotate (change) the cache group encryption key.

The design is described here: 
[https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=95652384#TDE.Phase3.Cachekeyrotation.-Processdescription]
h3. Additional notes about binary format changes.
h4. PageMetaIO and PagePartitionMetaIO format

Reencryption status requires an additional 8 bytes on the meta page of each partition.
 The index partition uses PageMetaIO to read/write meta information.
 Each other partition uses PagePartitionMetaIO to read/write meta information.

Partition meta starts just after the end of the page meta.
 To store the additional 8 bytes, the partition meta is shifted by 8 bytes.

WAL delta records have also been modified to store reencryption status.
h4. Encrypted page format

Each encrypted page has reserved free space to store the encrypted page CRC.
 The size of this free space depends on the size of the encryption block, but cannot be less than 8 bytes (the default Ignite encryption implementation, KeystoreEncryptionSpi, uses AES with a 16-byte block size).

Added 1 byte for the encryption key ID on each encrypted page (after the CRC).
 (WAL records ENCRYPTED_RECORD and ENCRYPTED_DATA_RECORD have been changed accordingly.)

  was:
Add the ability to rotate (change) the cache encryption key.

Design described here: 
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=95652384#TDE.Phase3.Cachekeyrotation.-Processdescription


> TDE Phase-3. Cache key rotation.
> --------------------------------
>
>                 Key: IGNITE-12843
>                 URL: https://issues.apache.org/jira/browse/IGNITE-12843
>             Project: Ignite
>          Issue Type: Sub-task
>            Reporter: Pavel Pereslegin
>            Assignee: Pavel Pereslegin
>            Priority: Major
>              Labels: IEP-18
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Add the ability to rotate (change) the cache group encryption key.
> The design is described here: 
> [https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=95652384#TDE.Phase3.Cachekeyrotation.-Processdescription]
> h3. Additional notes about binary format changes.
> h4. PageMetaIO and PagePartitionMetaIO format
> Reencryption status requires an additional 8 bytes on the meta page of each partition.
>  The index partition uses PageMetaIO to read/write meta information.
>  Each other partition uses PagePartitionMetaIO to read/write meta information.
> Partition meta starts just after the end of the page meta.
>  To store the additional 8 bytes, the partition meta is shifted by 8 bytes.
> WAL delta records have also been modified to store reencryption status.
> h4. Encrypted page format
> Each encrypted page has reserved free space to store the encrypted page CRC.
>  The size of this free space depends on the size of the encryption block, but cannot be less than 8 bytes (the default Ignite encryption implementation, KeystoreEncryptionSpi, uses AES with a 16-byte block size).
> Added 1 byte for the encryption key ID on each encrypted page (after the CRC).
>  (WAL records ENCRYPTED_RECORD and ENCRYPTED_DATA_RECORD have been changed accordingly.)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
