Hi Nikolay,
I'll take a look at the nearest time.
On Sat, Jun 9, 2018 at 6:14 PM, Nikolay Izhikov wrote:
> Hello, guys.
>
> I've implement prototype of TDE implementation [1]
> Vladimir, can you do some prereview of this prototype?
> Any feedback on public API or any other part of implementation are welcome.
>
> I have several questions I want to discuss.
>
> 1. Right place for a cache(data) key:
>
> Currently, all options that controls data persistence located in
> DataStorageConfiguration
> And TDE design propose to store key for a cache encryption in
> Cache Metadata.
>
> We can store cache key in Cache Metadata(I already implemented it
> in prototype).
> But, wouldn't it be more convenient to have encrypted DataRegion,
> so all caches that use encrypted DataRegion will become encrypted?
>
> 2. Encryption key for a WAL.
>
> Should we use separate key for a WAL encryption?
> If we want to use cache keys for a WAL encryption it adds some
> difficulties to implement:
>
> 1. We should add cacheId for each encrypted record to have
> possibility to decrypt it.
> 2. We can't decrypt Wal record if cache was destroyed
> after record creation.
>
> Thoughts?
>
> Prototype restrictions:
>
> Currently, size of encrypted data should be equal to clear data because
> FilaPageStore checks it on file validation.
> Actually, AES CBC algorithm discussed in IEP adds some extra bytes to
> encrypted data.
> So, I plan to implement possibility to enhance page size on FilePageStore
> level in a few days.
>
> [1] https://github.com/apache/ignite/pull/4167
