[ https://issues.apache.org/jira/browse/IGNITE-12843?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pavel Pereslegin updated IGNITE-12843: -------------------------------------- Fix Version/s: 2.10 > TDE Phase-3. Cache key rotation. > -------------------------------- > > Key: IGNITE-12843 > URL: https://issues.apache.org/jira/browse/IGNITE-12843 > Project: Ignite > Issue Type: Sub-task > Reporter: Pavel Pereslegin > Assignee: Pavel Pereslegin > Priority: Major > Labels: IEP-18 > Fix For: 2.10 > > Time Spent: 10m > Remaining Estimate: 0h > > Add the ability to rotate (change) the cache group encryption key. > The design is described here: > [https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=95652384#TDE.Phase3.Cachekeyrotation.-Description] > h3. Additional notes about binary format changes. > h4. PageMetaIO and PagePartitionMetaIO format > Reencryption status requires an additional 8 bytes on the meta page of each > partition. > Index partition uses PageMetaIO to read/write meta information. > Each other partition uses PagePartitionMetaIO to read/write meta information. > Partition meta starts just after the end of the page meta. > To store additional 8 bytes partition meta shifted by 8 bytes. > WAL delta records have also been modified to store reencryption status. > h4. Encrypted page format > Each encrypted page has reserved free space to store CRC of encrypted data. > The size of this free space depends on the size of the encryption block, but > cannot be less than 8 bytes (Ignite default encryption implementation > (KeystoreEncryptionSpi) uses AES with 16 bytes block size). > Added 1 byte for encryption key ID on each encrypted page (after CRC). > (WAL records ENCRYPTED_RECORD and ENCRYPTED_DATA_RECORD have been changed > accordingly) -- This message was sent by Atlassian Jira (v8.3.4#803005)