[ https://issues.apache.org/jira/browse/IGNITE-12843?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pavel Pereslegin updated IGNITE-12843:
--------------------------------------
    Fix Version/s: 2.10

> TDE Phase-3. Cache key rotation.
> --------------------------------
>
>                 Key: IGNITE-12843
>                 URL: https://issues.apache.org/jira/browse/IGNITE-12843
>             Project: Ignite
>          Issue Type: Sub-task
>            Reporter: Pavel Pereslegin
>            Assignee: Pavel Pereslegin
>            Priority: Major
>              Labels: IEP-18
>             Fix For: 2.10
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Add the ability to rotate (change) the cache group encryption key.
> The design is described here: 
> [https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=95652384#TDE.Phase3.Cachekeyrotation.-Description]
> h3. Additional notes about binary format changes.
> h4. PageMetaIO and PagePartitionMetaIO format
> Reencryption status requires an additional 8 bytes on the meta page of each 
> partition.
>  Index partition uses PageMetaIO to read/write meta information.
>  Each other partition uses PagePartitionMetaIO to read/write meta information.
> Partition meta starts just after the end of the page meta.
>  To store the additional 8 bytes, the partition meta is shifted by 8 bytes.
> WAL delta records have also been modified to store reencryption status.
> h4. Encrypted page format
> Each encrypted page has reserved free space to store CRC of encrypted data.
>  The size of this free space depends on the size of the encryption block, but 
> cannot be less than 8 bytes (Ignite default encryption implementation 
> (KeystoreEncryptionSpi) uses AES with 16 bytes block size).
> Added 1 byte for encryption key ID on each encrypted page (after CRC).
>  (WAL records ENCRYPTED_RECORD and ENCRYPTED_DATA_RECORD have been changed 
> accordingly)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
