Transparent Data Encryption

Overview

Transparent data encryption (TDE) allows users to encrypt their data at rest.

When Ignite persistence is turned on, all data in the cluster will be encrypted, including:

If you enable cluster encryption, the cluster generates a data encryption key (DEK) and uses it to encrypt and decrypt the data. This key is held in internal memory and cannot be accessed by users. When the cluster needs to save it to disk (for example, when a node goes down), the DEK is encrypted with the user-provided key, the key encryption key (KEK).

The key encryption key provider must be specified in the cluster configuration.

Key Generation Example

A keystore with a key can be created by using keytool:

user:~/tmp:[]$ keytool -genseckey \
-alias ignite.key \
-keystore ./ignite_keystore.jks \
-storetype PKCS12 \
-keyalg aes \
-storepass mypassw0rd \
-keysize 256

user:~/tmp:[]$ keytool \
-storepass mypassw0rd \
-storetype PKCS12 \
-keystore ./ignite_keystore.jks \
-list

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

ignite.key, 12.01.2020, SecretKeyEntry,

The generated keystore can be provided to the cluster as

Configuration

GridGain 9 supports two types of encryption providers: Java keystore (.jks or .p12 files) and AWS KMS.

Keystore Configuration

To enable encryption in the cluster, specify the path to your keystore in the cluster configuration by using the CLI tool.

{
    "ignite" : {
        "encryption" : {
            "enabled" : true,
            "activeProvider" : "keystore",
            "providers" : [{
                "name" : "keystore",
                "type" : "keystore",
                "keyStoreType" : "PKCS12",
                "path" : "/var/gridgain/keystore.jks",
                "password" : "mypassword",
                "activeKeyName" : "ignite.key",
                "cipher" : "AES/CBC/PKCS5Padding"
            }]
        }
    }
}
Property Name            | Default              | Description
enabled                  | false                | Determines if data encryption is enabled on the cluster.
activeProvider           |                      | The name of the currently used provider.
providers.keyStoreType   | PKCS12               | Type of the keystore.
providers.name           |                      | Name of the provider. This name is used in the activeProvider field.
providers.password       |                      | Password for opening the keystore and extracting the active key.
providers.path           |                      | The path to the keystore file.
providers.activeKeyName  |                      | Name or alias for the active key.
providers.cipher         | AES/CBC/PKCS5Padding | The algorithm used to encrypt the data encryption key (DEK). Once set, this value cannot be changed for the provider. The supported values are listed below.

Supported algorithms:
  • AES
  • Chacha20

Supported modes:
  • CBC
  • GCM
  • CTR
  • OFB
  • ECB
  • CFB8

Supported paddings:
  • NoPadding
  • PKCS5Padding
  • ISO10126Padding

AWS KMS Configuration

The following example shows how to configure the AWS KMS provider.

{
    "ignite" : {
        "encryption" : {
            "enabled" : true,
            "activeProvider" : "aws",
            "providers" : [{
                "name" : "aws",
                "type" : "aws_kms",
                "keyId" : "95e6cab1-2f34-47a9-8a79-52b3b3b79352"
            }]
        }
    }
}

You also need to set the following properties for each node:

  • aws.accessKeyId

  • aws.secretAccessKey

  • aws.region

This can be done via environment variables, a credentials file, or any other method that the AWS SDK supports. For more details, refer to the AWS documentation.

Key Rotation

You may need to change the encryption key at the end of your key’s validity period, or if the currently used key is compromised.

To change the key, first create a new provider with a different key in the cluster configuration. The example below is in the JSON format.

{
    "ignite" : {
        "encryption" : {
            "enabled" : true,
            "activeProvider" : "keystore",
            "providers" : [{
                "name" : "otherKeystore",
                "type" : "keystore",
                "keyStoreType" : "PKCS12",
                "path" : "/var/gridgain/keystore_new.jks",
                "password" : "newPass",
                "activeKeyName" : "ignite.key.new",
                "cipher" : "AES/CBC/PKCS5Padding"
            },{
                "name" : "keystore",
                "type" : "keystore",
                "keyStoreType" : "PKCS12",
                "path" : "/var/gridgain/keystore.jks",
                "password" : "mypassword",
                "activeKeyName" : "ignite.key",
                "cipher" : "AES/CBC/PKCS5Padding"
            }]
        }
    }
}

Then, switch activeProvider to the provider that holds the new key (otherKeystore in the example above).
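Because activeProvider must name an existing provider and a provider's cipher is fixed once set, a configuration edit is worth checking before it is applied. The following validator is an added example, not part of GridGain or this page; it checks an encryption section against the property table above and the two-step rotation procedure. The required field sets per provider type are assumed from the page's two configuration examples, and the cipher lists are the supported values given in the table.

```python
# Cipher components and per-type required fields, as listed on the page (required
# fields are inferred from the page's keystore and aws_kms examples: an assumption).
SUPPORTED_ALGORITHMS = {"AES", "Chacha20"}
SUPPORTED_MODES = {"CBC", "GCM", "CTR", "OFB", "ECB", "CFB8"}
SUPPORTED_PADDINGS = {"NoPadding", "PKCS5Padding", "ISO10126Padding"}
REQUIRED_FIELDS = {"aws_kms": {"name", "type", "keyId"},
                   "keystore": {"name", "type", "keyStoreType", "path", "password",
                                "activeKeyName", "cipher"}}

def check_cipher(cipher):
    """Return problems with an ALGORITHM/MODE/PADDING transformation string."""
    parts = cipher.split("/")
    if len(parts) != 3:
        return [f"cipher {cipher!r} must have the form ALGORITHM/MODE/PADDING"]
    checks = zip(("algorithm", "mode", "padding"), parts,
                 (SUPPORTED_ALGORITHMS, SUPPORTED_MODES, SUPPORTED_PADDINGS))
    return [f"unsupported {what} {val!r}" for what, val, ok in checks if val not in ok]

def validate_encryption(config):
    """Validate ignite.encryption; return a list of error strings (empty means OK)."""
    enc = config.get("ignite", {}).get("encryption", {})
    if not enc.get("enabled", False):  # 'enabled' defaults to false: nothing to check
        return []
    providers = enc.get("providers", [])
    names = [p.get("name") for p in providers]
    errors = ["provider names must be unique"] if len(names) != len(set(names)) else []
    if enc.get("activeProvider") not in names:
        errors.append(f"activeProvider {enc.get('activeProvider')!r} is not a configured provider")
    for p in providers:
        label, required = f"provider {p.get('name')!r}", REQUIRED_FIELDS.get(p.get("type"))
        if required is None:
            errors.append(f"{label}: unknown type {p.get('type')!r}")
            continue
        missing = sorted(required - set(p))
        if missing:
            errors.append(f"{label}: missing fields {missing}")
        if p["type"] == "keystore" and "cipher" in p:
            errors += [f"{label}: {m}" for m in check_cipher(p["cipher"])]
    return errors

def check_rotation(old_config, new_config):
    """Check a rotation edit: new config validates and no existing provider changes its cipher."""
    errors = validate_encryption(new_config)
    old = {p["name"]: p for p in old_config["ignite"]["encryption"].get("providers", [])}
    for p in new_config["ignite"]["encryption"].get("providers", []):
        before = old.get(p.get("name"))
        if before and before.get("cipher") != p.get("cipher"):
            errors.append(f"provider {p['name']!r}: cipher cannot be changed once set")
    return errors
```

Run check_rotation on the current configuration and the edited one before each of the two rotation steps (add the provider, then switch activeProvider); an empty list means the edit is consistent with the rules on this page.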