Hello, guys. I've implement prototype of TDE implementation [1] Vladimir, can you do some prereview of this prototype? Any feedback on public API or any other part of implementation are welcome.
I have several questions I want to discuss.
1. Right place for a cache(data) key:
Currently, all options that controls data persistence located in
DataStorageConfiguration
And TDE design propose to store key for a cache encryption in Cache
Metadata.
We can store cache key in Cache Metadata(I already implemented it in
prototype).
But, wouldn't it be more convenient to have encrypted DataRegion, so
all caches that use encrypted DataRegion will become encrypted?
2. Encryption key for a WAL.
Should we use separate key for a WAL encryption?
If we want to use cache keys for a WAL encryption it adds some
difficulties to implement:
1. We should add cacheId for each encrypted record to have
possibility to decrypt it.
2. We can't decrypt Wal record if cache was destroyed after
record creation.
Thoughts?
Prototype restrictions:
Currently, size of encrypted data should be equal to clear data because
FilaPageStore checks it on file validation.
Actually, AES CBC algorithm discussed in IEP adds some extra bytes to encrypted
data.
So, I plan to implement possibility to enhance page size on FilePageStore level
in a few days.
[1] https://github.com/apache/ignite/pull/4167
signature.asc
Description: This is a digitally signed message part
