Re: IEP-18: Transparent Data Encryption

Hi Nikolay, Good rule of thumb here - the more design is discussed prior to implementation, the better. There is no specific definition of well- or ill-defined design, this is more about common sense and our general experience. I would say that minimal set of things to be addressed for most major

Re: IEP-18: Transparent Data Encryption

Hello, Vladimir. > community is not aware of concrete architecture and proposed public API Concrete architecture is described in IEP-18 [1]. Please, tell me, what else you want to be written. I think answers to all questions have to be addressed(and discussed with community!) when we crack

Re: IEP-18: Transparent Data Encryption

Hi Nikolay, I noticed that some tickets have been created for this feature. Hopefully, you haven't started implementation yet, because at this point community is not aware of concrete architecture and proposed public API. We need to continue discussion and come up with detailed design. Of most

Re: IEP-18: Transparent Data Encryption

Hi NIkolay, Regarding system caches, rule of thumb here - do not use them. Keys should be stored near cache. As far as password: 1) Oracle auto-login wallet [1] 2) MySQL- password may be set inside configuration [2] I do not think that any kind of prompts are needed here out of the box. May be

Re: IEP-18: Transparent Data Encryption

Hi Nikolay, I would like to look to IEP. Please give me couple days. Sincerely, Dmitriy Pavlov пн, 9 апр. 2018 г. в 20:11, Nikolay Izhikov : > Hello, Igniters. > > I'm going to create tickets and start implementation of TDE in a few days. > > Any objections? > > В Пн,

Re: IEP-18: Transparent Data Encryption

Hello, Igniters. I'm going to create tickets and start implementation of TDE in a few days. Any objections? В Пн, 09/04/2018 в 17:55 +0300, Nikolay Izhikov пишет: > Hello, Denis > > > Is it necessary to have CEP keys for every cache? > > With current design, It's necessary to have difference

Re: IEP-18: Transparent Data Encryption

Hello, Denis > Is it necessary to have CEP keys for every cache? With current design, It's necessary to have difference CEK for every encrypted cache. I don't this it's an issue because CEK should be generated automatically and stored internally in Ignite. Cluster administrator should manage

Re: IEP-18: Transparent Data Encryption

Hello, Vladimir. > 1) Why do you propose to store CEK in separate cache? All CEKs data should be available on all cluster nodes. We want to use system cache to get data synchronization feature "for free". > We consider storing any metadata in system caches as antipattern from our > previous

Re: IEP-18: Transparent Data Encryption

Hi Nikolay, First of all thank you for excellent summary. Two-tiered key management is well respected technique and makes perfect sense to me. However, several questions regarding architecture arises: 1) Why do you propose to store CEK in separate cache? We consider storing any metadata in system

Re: IEP-18: Transparent Data Encryption

Nikolay, Dmitriy R., Thanks for the research and for writing down a summary in the IEP form. Please answer several high-level questions: - Is it necessary to have CEP keys for every cache? Not sure how all the keys will be managed if the user wants to encrypt 10-100 caches. Is it

Re: IEP-18: Transparent Data Encryption

Here is a correct link to IEP: https://cwiki.apache.org/confluence/display/IGNITE/IEP-18%3A+Transparent+Data+Encryption On Thu, Apr 5, 2018 at 12:01 PM, Nikolay Izhikov wrote: > Hello, Igniters. > > Based on previous discussion [1] we've created "IEP-18: Transparent Data >