Hi Nikolay, I'll take a look at the nearest time.
On Sat, Jun 9, 2018 at 6:14 PM, Nikolay Izhikov <nizhi...@apache.org> wrote: > Hello, guys. > > I've implement prototype of TDE implementation [1] > Vladimir, can you do some prereview of this prototype? > Any feedback on public API or any other part of implementation are welcome. > > I have several questions I want to discuss. > > 1. Right place for a cache(data) key: > > Currently, all options that controls data persistence located in > DataStorageConfiguration > And TDE design propose to store key for a cache encryption in > Cache Metadata. > > We can store cache key in Cache Metadata(I already implemented it > in prototype). > But, wouldn't it be more convenient to have encrypted DataRegion, > so all caches that use encrypted DataRegion will become encrypted? > > 2. Encryption key for a WAL. > > Should we use separate key for a WAL encryption? > If we want to use cache keys for a WAL encryption it adds some > difficulties to implement: > > 1. We should add cacheId for each encrypted record to have > possibility to decrypt it. > 2. We can't decrypt Wal record if cache was destroyed > after record creation. > > Thoughts? > > Prototype restrictions: > > Currently, size of encrypted data should be equal to clear data because > FilaPageStore checks it on file validation. > Actually, AES CBC algorithm discussed in IEP adds some extra bytes to > encrypted data. > So, I plan to implement possibility to enhance page size on FilePageStore > level in a few days. > > [1] https://github.com/apache/ignite/pull/4167
