[jira] [Commented] (CASSANDRA-14102) Vault support for transparent data encryption

Tue, 19 Dec 2017 00:53:52 -0800 

    [ 
https://issues.apache.org/jira/browse/CASSANDRA-14102?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16296472#comment-16296472
 ] 

Stefan Podkowinski commented on CASSANDRA-14102:
------------------------------------------------

I think the whole life-cycle handling of {{EncryptionContext}} and 
{{CipherFactory}} could need a review along with this patch as well. Each hint 
file and commitlog segment will need to instantiate it's own EncryptionContext 
before it can be decrypted, see {{EncryptionContext.createFromMap}}. This will 
also imply to create a new CipherFactory, including a dedicated caffeine cache 
and expensive reflection based configuration and {{KeyProvider}} construction. 
I'm also not sure that we really keep the KeyProvider contract: _"Further, each 
key will be requested non-concurrently (that is, no stampeding herds for the 
same key), although unique keys may be requested concurrently (unless you mark 
@code getSecretKey synchronized)."_ If we create 100x EncryptionContext 
instances there will be just that much key requests against Vault or any other 
implementation. 

> Vault support for transparent data encryption
> ---------------------------------------------
>
>                 Key: CASSANDRA-14102
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14102
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Stefan Podkowinski
>            Assignee: Stefan Podkowinski
>              Labels: encryption
>             Fix For: 4.x
>
>
> Transparent data encryption provided by CASSANDRA-9945 can currently be used 
> for commitlog and hints. The default {{KeyProvider}} implementation that we 
> ship allows to use a local keystore for storing and retrieving keys. Thanks 
> to the pluggable handling of the {{KeyStore}} provider and basic Vault 
> related classes introduced in CASSANDRA-13971, a Vault based implementation 
> can be provided as {{KeyProvider}} as well. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to