Transparent Data Encryption

Overview

Transparent data encryption (TDE) allows users to encrypt their data at rest.

When Ignite persistence is turned on, all data in the cluster will be encrypted, including:

Data on disk
Data snapshots
RAFT log
Meta storage

If you enable cluster encryption, the cluster will generate a data encryption key and will use this key to encrypt/decrypt the data. This key is held in the internal memory and cannot be accessed by users. When the cluster needs save it to disk (for example, when the node goes down), it is encrypted by using the user-provided key — the key encryption key.

The key encryption key provider must be specified in the cluster configuration.

Key Generation Example

A keystore with a key can be created by using keytool:

Key Generation Example

user:~/tmp:[]$ keytool -genseckey \
-alias ignite.key \
-keystore ./ignite_keystore.jks \
-storetype PKCS12 \
-keyalg aes \
-storepass mypassw0rd \
-keysize 256

user:~/tmp:[]$ keytool \
-storepass mypassw0rd \
-storetype PKCS12 \
-keystore ./ignite_keystore.jks \
-list

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

ignite.key, 12.01.2020, SecretKeyEntry,

The generated keystore can be provided to the cluster as

Configuration

GridGain 9 supports two types of encryption providers: Java keystore (.jks or .p12 files) and AWS KMS.

Keystore Configuration

To enable encryption in the cluster, specify the path to your keystore in the cluster configuration by using the CLI tool.

{
    "ignite" : {
        "encryption" : {
            "enabled" : true,
            "activeProvider" : "keystore",
            "providers" : [{
                "name" : "keystore",
                "type" : "keystore",
                "keyStoreType" : "PKCS12",
                "path" : "/var/gridgain/keystore.jks",
                "password" : "mypassword",
                "activeKeyName" : "ignite.key",
                "cipher" : "AES/CBC/PKCS5Padding"
            }]
        }
    }
}

Property Name Default Description

Property Name	Default	Description
enabled	false	Determines if data encryption is enabled on the cluster.
activeProvider		The name of the currently used provider.
providers.keyStoreType	PKCS12	Type of the keystore.
providers.name		Name of the provider. This name is used in the `activeProvider` field.
providers.password		Password for opening the keystore and extracting the active key.
providers.path		The path to the keystore file.
providers.activeKeyName		Name or alias for the active key.
providers.cipher	AES/CBC/PKCS5Padding	The algorithm used to encrypt DEK keys. Once set, this value cannot be changed for the provider. Supported algorithms: AES Chacha20 Supported modes: CBC GCM CTR OFB ECB CFB8 Supported paddings: NoPadding PKCS5Padding ISO10126Padding

enabled

false

Determines if data encryption is enabled on the cluster.

activeProvider

The name of the currently used provider.

providers.keyStoreType

PKCS12

Type of the keystore.

providers.name

Name of the provider. This name is used in the activeProvider field.

providers.password

Password for opening the keystore and extracting the active key.

providers.path

The path to the keystore file.

providers.activeKeyName

Name or alias for the active key.

providers.cipher

AES/CBC/PKCS5Padding

The algorithm used to encrypt DEK keys. Once set, this value cannot be changed for the provider.

Supported algorithms:

AES
Chacha20

Supported modes:

CBC
GCM
CTR
OFB
ECB
CFB8

Supported paddings:

NoPadding
PKCS5Padding
ISO10126Padding

AWS KMS Configuration

The following example shows how to configure AWS KMS provider.

{
    "ignite" : {
        "encryption" : {
            "enabled" : true,
            "activeProvider" : "aws",
            "providers" : [{
                "name" : "aws",
                "type" : "aws_kms",
                "keyId" : "95e6cab1-2f34-47a9-8a79-52b3b3b79352"
            }]
        }
    }
}

You also need to set the following properties for each node:

aws.accessKeyId
aws.secretAccessKey
aws.region

This can be done via environment variables, credentials file, or any other method that the AWS SDK supports. For more details, refer to the AWS documentation.

Key Rotation

You may need to change the encryption key at the end of your key’s validity period, or if the currently used key is compromised.

To change the key, first create a new provider with a different key in the cluster configuration. The example below is in the JSON format.

{
    "ignite" : {
        "encryption" : {
            "enabled" : true,
            "activeProvider" : "keystore",
            "providers" : [{
                "name" : "otherKeystore",
                "type" : "keystore",
                "keyStoreType" : "PKCS12",
                "path" : "/var/gridgain/keystore_new.jks",
                "password" : "newPass",
                "activeKeyName" : "ignite.key.new",
                "cipher" : "AES/CBC/PKCS5Padding"
            },{
                "name" : "keystore",
                "type" : "keystore",
                "keyStoreType" : "PKCS12",
                "path" : "/var/gridgain/keystore.jks",
                "password" : "mypassword",
                "activeKeyName" : "ignite.key",
                "cipher" : "AES/CBC/PKCS5Padding"
            }]
        }
    }
}

Then, change the currently used provider to a provider with the new key.

© 2025 GridGain Systems, Inc. All Rights Reserved. Privacy Policy | Legal Notices. GridGain® is a registered trademark of GridGain Systems, Inc.
Apache, Apache Ignite, the Apache feather and the Apache Ignite logo are either registered trademarks or trademarks of The Apache Software Foundation.

Last updated on Oct 29, 2025