Another comment here. I tried to find the patch to check but couldn’t find it linked to the ticket. If it is not already, given the TDE key class is pluggable in the yaml, when a file is written everything need to instantiate the class to decrypt it should be in the metadata. Just like happens now for compression. So if someone switches to a different TDE class you can still know to instantiate the old one to read existing files. The class from the yaml config should just be used for encrypting new files.
> On Nov 14, 2021, at 3:54 PM, Stefan Miklosovic > <stefan.mikloso...@instaclustr.com> wrote: > > Hey, > > there are two points we are not completely sure about. > > The first one is streaming. If there is a cluster of 5 nodes, each > node has its own unique encryption key. Hence, if a SSTable is stored > on a disk with the key for node 1 and this is streamed to node 2 - > which has a different key - it would not be able to decrypt that. Our > idea is to actually send data over the wire _decrypted_ however it > would be still secure if internode communication is done via TLS. Is > this approach good with you? > > The second question is about key rotation. If an operator needs to > roll the key because it was compromised or there is some policy around > that, we should be able to provide some way to rotate it. Our idea is > to write a tool (either a subcommand of nodetool (rewritesstables) > command or a completely standalone one in tools) which would take the > first, original key, the second, new key and dir with sstables as > input and it would literally took the data and it would rewrite it to > the second set of sstables which would be encrypted with the second > key. What do you think about this? > > Regards > >> On Sat, 13 Nov 2021 at 19:35, <sc...@paradoxica.net> wrote: >> >> Same reaction here - great to have traction on this ticket. Shylaja, thanks >> for your work on this and to Stefan as well! It would be wonderful to have >> the feature complete. >> >> One thing I’d mention is that a lot’s changed about the project’s testing >> strategy since the original patch was written. I see that the 2016 version >> adds a couple round-trip unit tests with a small amount of static data. It >> would be good to see randomized tests fleshed out that exercise more of the >> read/write path; or which add variants of existing read/write path tests >> that enable encryption. >> >> – Scott >> >>>> On Nov 13, 2021, at 7:53 AM, Brandon Williams <dri...@gmail.com> wrote: >>> >>> We already have a ticket and this predated CEPs, and being an >>> obviously good improvement to have that many have been asking for for >>> some time now, I don't see the need for a CEP here. >>> >>> On Sat, Nov 13, 2021 at 5:01 AM Stefan Miklosovic >>> <stefan.mikloso...@instaclustr.com> wrote: >>>> >>>> Hi list, >>>> >>>> an engineer from Intel - Shylaja Kokoori (who is watching this list >>>> closely) has retrofitted the original code from CASSANDRA-9633 work in >>>> times of 3.4 to the current trunk with my help here and there, mostly >>>> cosmetic. >>>> >>>> I would like to know if there is a general consensus about me going to >>>> create a CEP for this feature or what is your perception on this. I >>>> know we have it a little bit backwards here as we should first discuss >>>> and then code but I am super glad that we have some POC we can >>>> elaborate further on and CEP would just cement and summarise the >>>> approach / other implementation aspects of this feature. >>>> >>>> I think that having 9633 merged will fill quite a big operational gap >>>> when it comes to security. There are a lot of enterprises who desire >>>> this feature so much. I can not remember when I last saw a ticket with >>>> 50 watchers which was inactive for such a long time. >>>> >>>> Regards >>>> >>>> --------------------------------------------------------------------- >>>> To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org >>>> For additional commands, e-mail: dev-h...@cassandra.apache.org >>>> >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org >>> For additional commands, e-mail: dev-h...@cassandra.apache.org >>> >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org >> For additional commands, e-mail: dev-h...@cassandra.apache.org >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > For additional commands, e-mail: dev-h...@cassandra.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org For additional commands, e-mail: dev-h...@cassandra.apache.org
