Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-05-14 Thread Dmitry Pavlov
Hi Nikolay, I don't mean we should release TDE without WAL, I mean we can consider phase-1 as minimal mergeable chunk of functionality, which does not fail tests and contains meaningful set of changes for TDE. Sincerely, Dmitriy Pavlov Mon, 14 May 2018 at 17:45, Nikolay Izhikov : > Dmitry. > >

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-05-14 Thread Nikolay Izhikov
Dmitry. From my point of view, WAL encryption should be done in Phase-1. We should provide only production ready features to the users, isn't it? Ticket for a phase-1 created - https://issues.apache.org/jira/browse/IGNITE-8485 I'm starting working on it and expecting to implement it in a couple

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-05-14 Thread Dmitry Pavlov
Hi Nikolay, Thank you for sharing results. I would suggest to make phase 1 as small as possible, for example, skipping WAL encryption or something like that. It would not be full TDE implementation, but will allow us to move by small steps, it also allows us to merge smaller changes to master.

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-05-14 Thread Nikolay Izhikov
Hello, guys. We had private discussion about TDE with Dmitriy Pavlov, Vladimir Ozerov and Anton Vinogradov. Some decisions were made I want to approve with community: 1. Current design of TDE is OK. We can start work on implementation. 2. We should split implementation to phases. So we

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-05-07 Thread Dmitry Pavlov
Hi, just 2 remarks, 1) We should somehow separate issue with disc corruption and incorrect key. For incorrect key I suggest to adopt Key Check Value (KCV) technique. It is some heading bytes (e.g. 3 bytes) of encrypted 00...00 block using this key. KCV allows us to check key decrypted correctly and

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-05-05 Thread Nikolay Izhikov
Hello, Guys. Here are answers to the TDE design questions. I will create FAQ in IEP-18 with these answers, also. > 1. MEK, CEK rotation. Should we provide the way to change(regenerate) MEK, > CEK from time to time? Yes. PCI DSS requires it. See 3.6.4, 3.6.5 sections. > 2. Does CEK(table key

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-04-27 Thread Nikolay Izhikov
Hello, Igniters. We've discussed TDE design privately with some respected community members including Vladimir Ozerov and Alexey Goncharyuk. Here is the list of questions we have to address before starting TDE implementation: 1. MEK, CEK rotation. Should we provide the way to change(regenerate) M

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-04-20 Thread Nikolay Izhikov
Hello, Manu Thanks. I will take a look. On Fri, 20/04/2018 at 03:17 -0700, Manu wrote: > Hi, > > Have you thought about implementing TDE per DataRegion instead of per Cache? > > And using a transparent encrypted java file system? > This GitHub project is interesting https://github.com/usrflo/enc

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-04-20 Thread Manu
Hi, Have you thought about implementing TDE per DataRegion instead of per Cache? And using a transparent encrypted java file system? This GitHub project is interesting https://github.com/usrflo/encfs4j . Hope it helps! Regards! -- Sent from: http://apac

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-26 Thread Дмитрий Рябов
Hi! > As far as I remember to be PCI-DSS compliant it is sufficient to use > encryption at file system level. But it needs to be double-checked. It > requires encrypt transmission of cardholder data across open, public > networks. Could you point me where does it require DB data to be encrypted?

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-26 Thread Anton Vinogradov
Folks, I've checked presentation. 1) It's a bad idea to allow automatic node join (sending decrypted cache's keys on join). Each node join should be allowed by administrator. We have to use two-step verification in that case. - administrator set keystore password for each node - another administ

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-12 Thread Denis Magda
Nikolay, please try one more time. -- Denis On Sun, Mar 11, 2018 at 11:20 PM, Nikolay Izhikov wrote: > Hello, Denis. > > Did you give me the permissions? > Seems, I still can't create IEP on the IGNITE Wiki. > > https://cwiki.apache.org/confluence/display/IGNITE/Active+Proposals > > On Tue, 06/03/

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-11 Thread Nikolay Izhikov
Hello, Denis. Did you give me the permissions? Seems, I still can't create IEP on the IGNITE Wiki. https://cwiki.apache.org/confluence/display/IGNITE/Active+Proposals On Tue, 06/03/2018 at 08:55 +0300, Nikolay Izhikov wrote: > Thank you, it's - nizhikov > > On Mon, 05/03/2018 at 15:09 -0800, Denis Ma

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-06 Thread Dmitry Pavlov
Hi Nikolay, Please note there is cluster-auto activation when it reaches baseline topology. As far as I remember to be PCI-DSS compliant it is sufficient to use encryption at file system level. But it needs to be double-checked. It requires encrypt transmission of cardholder data across open, pub

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-06 Thread Nikolay Izhikov
Alexey, Yes, administrator has to enter password before cluster *activation*(not start). On Tue, 06/03/2018 at 13:27 +0300, Alexey Goncharuk wrote: > Nikolay, > > Does it mean that administrator must enter the MEK password upon Ignite > start? > > 2018-03-06 13:24 GMT+03:00 Nikolay Izhikov : > >

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-06 Thread Alexey Goncharuk
Nikolay, Does it mean that administrator must enter the MEK password upon Ignite start? 2018-03-06 13:24 GMT+03:00 Nikolay Izhikov : > Hello, Alexey. > > Thank you for very helpful feedback. > We certainly consider all the issues you have written. > > > How encryption keys will be stored and accesse

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-06 Thread Nikolay Izhikov
Hello, Alexey. Thank you for very helpful feedback. We certainly consider all the issues you have written. > How encryption keys will be stored and accessed? *MEK(Master encryption key)* will be stored in regular java key store JKS [1]. To access it admin must enter key store password. *CEK(Cache e

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-06 Thread Alexey Goncharuk
My bad, the correct link is https://issues.apache.org/jira/browse/IGNITE-5829 2018-03-06 13:04 GMT+03:00 Alexey Goncharuk : > Guys, > > I think this TDE proposal is not thought through enough yet. Please > consider the following points when writing the IEP: > > * How encryption keys will be stor

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-06 Thread Alexey Goncharuk
Guys, I think this TDE proposal is not thought through enough yet. Please consider the following points when writing the IEP: * How encryption keys will be stored and accessed? If the encryption key is stored with the same permissions as the main data storage, the whole exercise with encryption

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-05 Thread Nikolay Izhikov
Thank you, it's - nizhikov On Mon, 05/03/2018 at 15:09 -0800, Denis Magda wrote: > Nikolay, what's your Wiki ID? I'll grant you required permissions. > > -- > Denis > > On Sun, Mar 4, 2018 at 11:00 PM, Nikolay Izhikov wrote: > > Hello, Denis. > > > > > I would encourage you creating an IEP > > >

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-05 Thread Denis Magda
Nikolay, what's your Wiki ID? I'll grant you required permissions. -- Denis On Sun, Mar 4, 2018 at 11:00 PM, Nikolay Izhikov wrote: > Hello, Denis. > > > I would encourage you creating an IEP > > That is exactly what we want to do :) > > But seems I have not sufficient privileges to do it on Ig

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-04 Thread Nikolay Izhikov
Hello, Denis. > I would encourage you creating an IEP That is exactly what we want to do :) But seems I have not sufficient privileges to do it on Ignite wiki. https://cwiki.apache.org/confluence/display/IGNITE/Active+Proposals Can you or someone give me such rights? On Thu, 01/03/2018 at 22:23

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-02 Thread Vyacheslav Daradur
Dima, great job! Looking forward to the feature completion! On Fri, Mar 2, 2018 at 9:23 AM, Denis Magda wrote: > Dmitriy R., Nikolay, > > Thanks for the analysis and handout of the architectural design. No doubts, > it would be a valuable addition to Ignite. > > I would encourage you creating an

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-01 Thread Denis Magda
Dmitriy R., Nikolay, Thanks for the analysis and handout of the architectural design. No doubts, it would be a valuable addition to Ignite. I would encourage you creating an IEP on the wiki and break the work into pieces discussing specific part with the community. -- Denis On Thu, Mar 1, 2018

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-01 Thread Nikolay Izhikov
> Got it, thanks! In this case this sounds very useful. Do we understand the > performance impact? I don't think we fully understand it. It's a question of additional research and benchmarking. So preliminary conclusions, based on common sense and my experience of usage Ignite in production, a

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-01 Thread Dmitriy Setrakyan
On Fri, Mar 2, 2018 at 8:29 AM, Nikolay Izhikov wrote: > Hello, Dmitriy. > > Thank you for feedback! > > > Will it be supported? > > Yes. > > TDE shouldn't break any of existing Ignite features. > It adds some encrypt/decrypt level when we are writing and reading pages > in/from PDS. > Got it, thank

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-01 Thread Nikolay Izhikov
Hello, Dmitriy. Thank you for feedback! > Will it be supported? Yes. TDE shouldn't break any of existing Ignite features. It adds some encrypt/decrypt level when we are writing and reading pages in/from PDS. On Fri, 02/03/2018 at 07:29 +0300, Dmitriy Setrakyan wrote: > I have looked at the design,

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-01 Thread Dmitriy Setrakyan
I have looked at the design, but could not find anything about running SQL queries against the encrypted data. Will it be supported? D. On Thu, Mar 1, 2018 at 8:05 PM, Nikolay Izhikov wrote: > Hello, Dima! > > Thank you for document! > > I'm ready to implement this feature with you. > > Igniters

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-01 Thread Nikolay Izhikov
Hello, Dima! Thank you for document! I'm ready to implement this feature with you. Igniters, please, share your thoughts about proposed design [1] https://1drv.ms/w/s!AqZdfua4UpmuhneoVhOCiXSUBGIf On Thu, 01/03/2018 at 15:46 +0300, Дмитрий Рябов wrote: > Hello, Igniters! > > I investigated the issu

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-03-01 Thread Дмитрий Рябов
Hello, Igniters! I investigated the issue and wrote some details in a draft document [1]. I think we should make an IEP for TDE because it is a big change and should be described in a single place, but not in a message conversation. Please, look at it and write your thoughts. What is not understandable,

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-02-05 Thread Dmitry Pavlov
Hi Igniters, Encryption will ensure security only if keys are stored in a secure storage. Otherwise having access to Ignite node storage, we can extract encryption master keys values and read data as plain text (page's clear content). Where are we going to store keys (MEK) physically? Would it b

Re: Transparent Data Encryption (TDE) in Apache Ignite

2018-02-05 Thread Дмитрий Рябов
Hi, Igniters! I think it would be nice to implement encryption in Ignite. Even SQLite and H2 have encryption so why Ignite don't have it? I'd like to propose a design for discussion. Configurations: IgniteConfiguration: - KeyStore tdeKeyStore - contain encryption keys. - Encryptor encryptor - int

Re: Transparent Data Encryption (TDE) in Apache Ignite

2017-06-26 Thread Sergi Vladykin
No, we don't have plans for it. Sergi 2017-06-26 14:20 GMT+03:00 Vyacheslav Daradur : > Sergi, thanks for the answer. > > >> see TDE is just an option for PCI DSS compliancy but not a requirement. > Requirement: "Protect stored cardholder data" > Encryption is required. > TDE - is one of ways to

Re: Transparent Data Encryption (TDE) in Apache Ignite

2017-06-26 Thread Vyacheslav Daradur
Sergi, thanks for the answer. >> see TDE is just an option for PCI DSS compliancy but not a requirement. Requirement: "Protect stored cardholder data" Encryption is required. TDE - is one of ways to implement it at the database level. Sure, an implementation at the application level solve it. I

Re: Transparent Data Encryption (TDE) in Apache Ignite

2017-06-26 Thread Sergi Vladykin
I think no one is interested in this stuff right now. Also as far as I see TDE is just an option for PCI DSS compliancy but not a requirement. Your system should pass PCI DSS if you will do the required encryption at the application level and will properly manage encryption keys. Sergi 2017-06-

Re: Transparent Data Encryption (TDE) in Apache Ignite

2017-06-26 Thread Vyacheslav Daradur
Guys, any thoughts? 2017-06-20 11:02 GMT+03:00 Vyacheslav Daradur : > Hi Igniters. > > I have some user cases where I need fast storage with TDE support. > It is required for PCI DSS certification. > > As far as I know AI doesn't support it. > > I looked at other storages. > Many storages support

Transparent Data Encryption (TDE) in Apache Ignite

2017-06-20 Thread Vyacheslav Daradur
Hi Igniters. I have some user cases where I need fast storage with TDE support. It is required for PCI DSS certification. As far as I know AI doesn't support it. I looked at other storages. Many storages support it or are engaged in development this feature. Cassandra community are working on T