Transparent Data Encryption

Overview

Transparent data encryption (TDE) allows users to encrypt their data at rest.

When Ignite persistence is turned on, all data in the cluster will be encrypted, including:

Data on disk
RAFT log
Meta storage

If you enable cluster encryption, the cluster will generate a data encryption key and will use this key to encrypt/decrypt the data. This key is held in the internal memory and cannot be accessed by users. When the cluster needs save it to disk (for example, when the node goes down), it is encrypted by using the user-provided key — the key encryption key.

The key encryption key provider must be specified in the cluster configuration.

Key Generation Example

A keystore with a key can be created by using keytool:

Key Generation Example

user:~/tmp:[]$ java -version
java version "1.8.0_161"
Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)

user:~/tmp:[]$ keytool -genseckey \
-alias ignite.key \
-keystore ./ignite_keystore.jks \
-storetype PKCS12 \
-keyalg aes \
-storepass mypassw0rd \
-keysize 256

user:~/tmp:[]$ keytool \
-storepass mypassw0rd \
-storetype PKCS12 \
-keystore ./ignite_keystore.jks \
-list

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

ignite.key, 12.01.2020, SecretKeyEntry,

The generated keystore can be provided to the cluster as

Configuration

To enable encryption in the cluster, specify the path to your keystore in the cluster configuration by using the CLI tool.

encryption {
	enabled: true,
	activeProvider: keystore,
	providers: [{
        name: keystore,
        type: keystore,
        keyStoreType: PKCS12,
        path: /var/gridgain/keystore.jks,
        password: mypassw0rd,
        activeKeyName: ignite.key
    }]
}

Property Name Default Description

Property Name	Default	Description
enabled	false	Determines if data encryption is enabled on the cluster.
activeProvider		The name of the currently used provider.
providers.keyStoreType	PKCS12	Type of the keystore.
providers.name		Name of the provider. This name is used in the `activeProvider` field.
providers.password		Password for opening the keystore and extracting the active key.
providers.path		The path to the keystore file.
providers.activeKeyName		Name or alias for the active key.

enabled

false

Determines if data encryption is enabled on the cluster.

activeProvider

The name of the currently used provider.

providers.keyStoreType

PKCS12

Type of the keystore.

providers.name

Name of the provider. This name is used in the activeProvider field.

providers.password

Password for opening the keystore and extracting the active key.

providers.path

The path to the keystore file.

providers.activeKeyName

Name or alias for the active key.

Key Rotation

You may need to change the encryption key at the end of your key’s validity period, or if the currently used key is compromised.

To change the key, first create a new provider with a different key in the cluster configuration.

encryption {
	enabled: true,
	activeProvider: keystore,
	providers: [{
        name: otherKeystore,
        type: keystore,
        keyStoreType: PKCS12,
        path: /var/gridgain/keystore_new.jks,
        password: newPass,
        activeKeyName: ignite.key.new
    },{
        name: keystore,
        type: keystore,
        keyStoreType: PKCS12,
        path: /var/gridgain/keystore.jks,
        password: mypassw0rd,
        activeKeyName: ignite.key
    }]
}

Then, change the currently used provider to a provider with the new key.

© 2024 GridGain Systems, Inc. All Rights Reserved. Privacy Policy | Legal Notices. GridGain® is a registered trademark of GridGain Systems, Inc.
Apache, Apache Ignite, the Apache feather and the Apache Ignite logo are either registered trademarks or trademarks of The Apache Software Foundation.

Last updated on Jul 13, 2024