Transparent Data Encryption
Overview
Transparent data encryption (TDE) allows users to encrypt their data at rest.
When Ignite persistence is turned on, all data in the cluster will be encrypted, including:
- Data on disk
- RAFT log
- Meta storage
If you enable cluster encryption, the cluster generates a data encryption key and uses this key to encrypt and decrypt the data. This key is held in internal memory and cannot be accessed by users. When the cluster needs to save it to disk (for example, when a node goes down), the data encryption key is itself encrypted with the user-provided key, the key encryption key.
The key encryption key provider must be specified in the cluster configuration.
Key Generation Example
A keystore with a key can be created by using keytool:

```shell
user:~/tmp:[]$ keytool -genseckey \
    -alias ignite.key \
    -keystore ./ignite_keystore.jks \
    -storetype PKCS12 \
    -keyalg aes \
    -storepass mypassw0rd \
    -keysize 256
user:~/tmp:[]$ keytool \
    -storepass mypassw0rd \
    -storetype PKCS12 \
    -keystore ./ignite_keystore.jks \
    -list
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

ignite.key, 12.01.2020, SecretKeyEntry,
```
The generated keystore can be provided to the cluster as
Configuration
To enable encryption in the cluster, specify the path to your keystore in the cluster configuration by using the CLI tool.
```json
{
  "ignite" : {
    "encryption" : {
      "enabled" : true,
      "activeProvider" : "keystore",
      "providers" : [{
        "name" : "keystore",
        "type" : "keystore",
        "keyStoreType" : "PKCS12",
        "path" : "/var/gridgain/keystore.jks",
        "password" : "mypassword",
        "activeKeyName" : "ignite.key"
      }]
    }
  }
}
```
Property Name | Default | Description |
---|---|---|
enabled | false | Determines if data encryption is enabled on the cluster. |
activeProvider | | The name of the currently used provider. |
providers.keyStoreType | PKCS12 | Type of the keystore. |
providers.name | | Name of the provider. This name is used in the |
providers.password | | Password for opening the keystore and extracting the active key. |
providers.path | | The path to the keystore file. |
providers.activeKeyName | | Name or alias for the active key. |
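A pre-flight check of the keystore before pointing the cluster configuration at it, added here as an example (it is not code from the GridGain/Ignite documentation or code base): it opens the PKCS12 file with the configured `path`, `password` and `activeKeyName` values and verifies that the alias is a SecretKeyEntry holding a 256-bit AES key, as produced by the keytool command above. The path and password below are placeholders taken from the configuration example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.SecretKey;

// Added example: verifies the keystore referenced by a "keystore" provider
// entry in the cluster configuration. A wrong store password, a missing
// alias, or a non-AES / non-256-bit key is reported before any node is
// started with this configuration.
public class KeystoreCheck {

    /** Returns the key size in bits of the active key, or throws. */
    public static int checkActiveKey(String keyStoreType, String path,
                                     char[] password, String activeKeyName) throws Exception {
        KeyStore ks = KeyStore.getInstance(keyStoreType);   // providers.keyStoreType
        try (FileInputStream in = new FileInputStream(path)) {
            // Fails with an IOException if the store password is wrong.
            ks.load(in, password);                          // providers.password
        }
        // keytool -genseckey in a PKCS12 store protects the key with the store password.
        KeyStore.Entry entry = ks.getEntry(activeKeyName,   // providers.activeKeyName
                new KeyStore.PasswordProtection(password));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException(
                "alias '" + activeKeyName + "' is missing or is not a SecretKeyEntry");
        }
        SecretKey key = ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        if (!"AES".equalsIgnoreCase(key.getAlgorithm())) {
            throw new IllegalStateException("expected AES key, got " + key.getAlgorithm());
        }
        int bits = key.getEncoded().length * 8;
        if (bits != 256) {
            throw new IllegalStateException("expected 256-bit key, got " + bits + " bits");
        }
        return bits;   // never print or log the key material itself
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values mirroring the "providers" entry in the configuration.
        char[] password = "mypassword".toCharArray();
        try {
            int bits = checkActiveKey("PKCS12", "/var/gridgain/keystore.jks", password, "ignite.key");
            System.out.println("keystore OK: active key is AES-" + bits);
        } finally {
            Arrays.fill(password, '\0');   // clear the password from memory
        }
    }
}
```

Run it on each node that will use the configuration, since `providers.path` must resolve to a readable file on every node.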
Key Rotation
You may need to change the encryption key at the end of your key’s validity period, or if the currently used key is compromised.
To change the key, first create a new provider with a different key in the cluster configuration. The example below is in the JSON format.
```json
{
  "ignite" : {
    "encryption" : {
      "enabled" : true,
      "activeProvider" : "keystore",
      "providers" : [{
        "name" : "otherKeystore",
        "type" : "keystore",
        "keyStoreType" : "PKCS12",
        "path" : "/var/gridgain/keystore_new.jks",
        "password" : "newPass",
        "activeKeyName" : "ignite.key.new"
      },{
        "name" : "keystore",
        "type" : "keystore",
        "keyStoreType" : "PKCS12",
        "path" : "/var/gridgain/keystore.jks",
        "password" : "mypassword",
        "activeKeyName" : "ignite.key"
      }]
    }
  }
}
```
Then, change the currently used provider to a provider with the new key.
© 2024 GridGain Systems, Inc. All Rights Reserved.