[ https://issues.apache.org/jira/browse/CASSANDRA-14102?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16296472#comment-16296472 ]
Stefan Podkowinski commented on CASSANDRA-14102: ------------------------------------------------ I think the whole life-cycle handling of {{EncryptionContext}} and {{CipherFactory}} could need a review along with this patch as well. Each hint file and commitlog segment will need to instantiate it's own EncryptionContext before it can be decrypted, see {{EncryptionContext.createFromMap}}. This will also imply to create a new CipherFactory, including a dedicated caffeine cache and expensive reflection based configuration and {{KeyProvider}} construction. I'm also not sure that we really keep the KeyProvider contract: _"Further, each key will be requested non-concurrently (that is, no stampeding herds for the same key), although unique keys may be requested concurrently (unless you mark @code getSecretKey synchronized)."_ If we create 100x EncryptionContext instances there will be just that much key requests against Vault or any other implementation. > Vault support for transparent data encryption > --------------------------------------------- > > Key: CASSANDRA-14102 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14102 > Project: Cassandra > Issue Type: New Feature > Reporter: Stefan Podkowinski > Assignee: Stefan Podkowinski > Labels: encryption > Fix For: 4.x > > > Transparent data encryption provided by CASSANDRA-9945 can currently be used > for commitlog and hints. The default {{KeyProvider}} implementation that we > ship allows to use a local keystore for storing and retrieving keys. Thanks > to the pluggable handling of the {{KeyStore}} provider and basic Vault > related classes introduced in CASSANDRA-13971, a Vault based implementation > can be provided as {{KeyProvider}} as well. -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org