Hello Nikolay,

This is great news!

Vladimir O., as far as I understand you will be reviewing the contribution,
won't you?

--
Denis

On Fri, Jul 27, 2018 at 5:16 AM Nikolay Izhikov <nizhi...@apache.org> wrote:

> Hello, Igniters.
>
> TDE. Phase 1 [1] is ready for review [2].
>
> I met some corner cases during development that I want to describe:
>
> 1. Creation of Cache Group Encryption Keys:
>
>         1.1. To build a cache create request we have to create a Cache Group
> Encryption Key.
>         1.2. To create Cache Group Encryption Key we must have Master
> Encryption Key.
>         1.3. It's required to have Master Encryption Key only on server
> nodes.
>         1.4. So, there is no way to generate cache create request for an
> encrypted cache on client node.
>
>         I see two possible solutions:
>                 1. Create Cache Group Encryption Key on coordinator and
> send it to all server nodes.
>                 2. Send all params for cache creation to some server node.
> Server node will execute regular cache creation on receiving request.
>
>         I propose to postpone this task and disallow creation of encrypted
> cache from client node on first iteration.
>
> 2. Encryption of pages:
>
>         2.1 To gain maximum performance from HDD(SSD) we made page size
> size of 2(2Kb, 4Kb, etc.)
>         2.2 AES CBC mode requires additional 32 bytes. 16 bytes for a
> random initialization vector. 16 bytes for a padding information.
>         2.3 If we encrypt the whole page its size increases to 32 bytes.
>
>         To fit exactly "power of two" size when writing a page I apply
> the following solution:
>
>         I don't use 32 bytes at the end of each page for an encrypted cache.
>         So, at write time the 32 bytes of encryption overhead are added and
> the overall data size fits the config page size.
>
> Please share your thoughts.
>
> [1] https://issues.apache.org/jira/browse/IGNITE-8485
> [2] https://github.com/apache/ignite/pull/4167
> [3]
> https://cwiki.apache.org/confluence/display/IGNITE/IEP-18%3A+Transparent+Data+Encryption
> [4]
> http://apache-ignite-developers.2346864.n4.nabble.com/Transparent-Data-Encryption-TDE-in-Apache-Ignite-td18957.html
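
The page-size arithmetic from point 2 of the quoted message, as an added example that is not part of the thread or of the Ignite pull request. The class and method names are hypothetical, the generated key stands in for a cache group encryption key, and the use of `AES/CBC/PKCS5Padding` from the standard JCE is an assumption about the cipher setup.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.security.SecureRandom;
import java.util.Arrays;

public class PageEncryptionOverhead {
    static final int BLOCK = 16;            // AES block size in bytes
    static final int OVERHEAD = 2 * BLOCK;  // 16-byte IV + 16-byte padding block

    // Encrypts the usable part of a page and returns IV || ciphertext.
    static byte[] encryptPage(SecretKey key, byte[] page, int pageSize) throws Exception {
        int usable = pageSize - OVERHEAD;   // the last 32 bytes of the page stay unused
        byte[] iv = new byte[BLOCK];
        new SecureRandom().nextBytes(iv);   // fresh random IV for every page write
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        // usable is a multiple of 16, so the padding adds exactly one full block
        byte[] ct = c.doFinal(page, 0, usable);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Reverses encryptPage and returns the usable bytes of the page.
    static byte[] decryptPage(SecretKey key, byte[] stored) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(stored, 0, BLOCK));
        return c.doFinal(stored, BLOCK, stored.length - BLOCK);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();     // stand-in for a cache group key
        for (int pageSize : new int[] {2048, 4096, 8192}) {
            byte[] page = new byte[pageSize]; // constructed sample page
            Arrays.fill(page, 0, pageSize - OVERHEAD, (byte) 0x5A);
            byte[] stored = encryptPage(key, page, pageSize);
            byte[] plain = decryptPage(key, stored);
            boolean ok = Arrays.equals(plain, Arrays.copyOf(page, pageSize - OVERHEAD));
            System.out.printf("page=%d stored=%d roundtrip=%b%n", pageSize, stored.length, ok);
            if (stored.length != pageSize || !ok) throw new AssertionError("size mismatch");
        }
    }
}
```

For every page size the stored record is exactly the configured page size: the usable data shrinks by 32 bytes and the IV plus the padding block fill the difference.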
