Hello, guys. I've implement prototype of TDE implementation [1] Vladimir, can you do some prereview of this prototype? Any feedback on public API or any other part of implementation are welcome.
I have several questions I want to discuss. 1. Right place for a cache(data) key: Currently, all options that controls data persistence located in DataStorageConfiguration And TDE design propose to store key for a cache encryption in Cache Metadata. We can store cache key in Cache Metadata(I already implemented it in prototype). But, wouldn't it be more convenient to have encrypted DataRegion, so all caches that use encrypted DataRegion will become encrypted? 2. Encryption key for a WAL. Should we use separate key for a WAL encryption? If we want to use cache keys for a WAL encryption it adds some difficulties to implement: 1. We should add cacheId for each encrypted record to have possibility to decrypt it. 2. We can't decrypt Wal record if cache was destroyed after record creation. Thoughts? Prototype restrictions: Currently, size of encrypted data should be equal to clear data because FilaPageStore checks it on file validation. Actually, AES CBC algorithm discussed in IEP adds some extra bytes to encrypted data. So, I plan to implement possibility to enhance page size on FilePageStore level in a few days. [1] https://github.com/apache/ignite/pull/4167
signature.asc
Description: This is a digitally signed message part