Hi, Igniters.

I'm going to implement the ability to rotate the master encryption key (TDE Phase 2). [1]
Master key rotation is required if the key is compromised or at the end of the crypto period (key validity period).
I prepared the design. [2]

In brief, master keys will be identified by String masterKeyId. The concept of the masterKeyId will be added to the cache keys encryption process in EncryptionSpi. Users can configure the master key id in IgniteConfiguration and will be able to manage the key rotation process from the Java API, JMX, and CLI:

- ignite.encryption().changeMasterKey(String masterKeyId) - starts the master key rotation process.
- String ignite.encryption().getMasterKeyId() - gets the current master key id.

Any thoughts?

[1] https://issues.apache.org/jira/browse/IGNITE-12186
[2] https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=95652381

--
Best wishes,
Amelchev Nikita
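The following is an added illustration, not part of the original message and not Ignite code: a stand-alone model of master keys looked up by masterKeyId, where rotation re-wraps each cache key under the new master key. The class name, the in-memory keystore, the use of AESWrap, the ids "mk-1"/"mk-2" and the re-wrapping behaviour are assumptions of this sketch; only the method names changeMasterKey and getMasterKeyId come from the proposal.

```java
import javax.crypto.*;
import java.security.Key;
import java.util.*;

// Hypothetical model: cache keys are stored wrapped by the master key named by masterKeyId.
public class MasterKeyRotationSketch {
    // Stand-in for a keystore: masterKeyId -> master key (constructed in memory).
    private final Map<String, SecretKey> masterKeys = new HashMap<>();
    // Cache name -> cache key wrapped under the current master key.
    private final Map<String, byte[]> wrappedCacheKeys = new HashMap<>();
    private String masterKeyId;

    static SecretKey newAesKey() throws Exception {
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(256);
        return gen.generateKey();
    }
    void addMasterKey(String id) throws Exception { masterKeys.put(id, newAesKey()); }
    String getMasterKeyId() { return masterKeyId; }

    // AES key wrap (RFC 3394) cipher bound to the master key with the given id.
    private Cipher cipher(int mode, String id) throws Exception {
        if (!masterKeys.containsKey(id)) throw new IllegalArgumentException("Unknown master key id: " + id);
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(mode, masterKeys.get(id));
        return c;
    }
    void createCacheKey(String cache) throws Exception {
        wrappedCacheKeys.put(cache, cipher(Cipher.WRAP_MODE, masterKeyId).wrap(newAesKey()));
    }
    Key cacheKey(String cache) throws Exception {
        return cipher(Cipher.UNWRAP_MODE, masterKeyId).unwrap(wrappedCacheKeys.get(cache), "AES", Cipher.SECRET_KEY);
    }

    // Rotation in this model: re-wrap every cache key; the cache keys themselves do not change.
    void changeMasterKey(String newId) throws Exception {
        cipher(Cipher.WRAP_MODE, newId); // reject an unknown id before touching any stored key
        for (Map.Entry<String, byte[]> e : wrappedCacheKeys.entrySet())
            e.setValue(cipher(Cipher.WRAP_MODE, newId).wrap(cacheKey(e.getKey())));
        masterKeyId = newId; // switch only after every cache key has been re-wrapped
    }

    public static void main(String[] args) throws Exception {
        MasterKeyRotationSketch s = new MasterKeyRotationSketch();
        s.addMasterKey("mk-1"); s.addMasterKey("mk-2"); s.masterKeyId = "mk-1";
        s.createCacheKey("accounts");
        byte[] before = s.cacheKey("accounts").getEncoded();
        s.changeMasterKey("mk-2");
        boolean same = Arrays.equals(before, s.cacheKey("accounts").getEncoded());
        System.out.println(s.getMasterKeyId() + ", cache key unchanged: " + same);
    }
}
```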