Master key rotation
Master key encrypts cache keys. Encrypted cache keys are stored on the disk. To learn more see the Transparent Data Encryption page.
Ignite 2.9 introduces the master key change process. It allows users to switch Ignite to the new master key with re-encrypting cache keys.
Master key rotation is required if it has been compromised or at the end of the crypto period (key validity period).
A new master key should be available to
EncryptionSpi for each server node. The cluster should be active.
Master keys are identified by name. When the cluster starts for the first time, the master key name from the configuration will be used. See TDE Configuration.
Nodes save the master key name to the disk (local
MetaStorage) on the first cluster activation and each master key change. If some node restarts, it will use the master key name from the local
Changing master key
|Cache start and node join during the key change process is prohibited and will be rejected.|
Ignite provides the ability to change the master key from the following interfaces:
Command line tool
Ignite ships a
control.sh|bat script, located in the
$IGNITE_HOME/bin folder, that acts like a tool to manage the master key change process from the command line. The following commands can be used with
# Print the current master key name. control.sh|bat --encryption get_master_key_name # Change the master key. control.sh|bat --encryption change_master_key newMasterKeyName
You can also manage the master key change process via the
Gets the current master key name.
Starts master key change process.
The master key change process can be managed programmatically:
// Gets the current master key name. String name = ignite.encryption().getMasterKeyName(); // Starts master key change process. IgniteFuture<Void> future = ignite.encryption().changeMasterKey("newMasterKeyName");
Recovery of the master key on failing node
If some node is unavailable during a master key change process it won’t be able to join to the cluster with the old master key. The node should re-encrypt local group keys during recovery on startup. The actual master key name should be set via
IGNITE_MASTER_KEY_NAME_TO_CHANGE_BEFORE_STARTUP system property before the node starts. The node saves the key name to the local
MetaStorage when the cluster is active.
|It is recommended to delete system property after a successful recovery. Otherwise, the invalid master key name can be used when the node restarts.|
Additional master key generation example
Ignite comes with the
KeystoreEncryptionSpi based on JDK provided cipher algorithm implementations. See keystore master key generation example. An additional master key can be generated using the
keytool as follows:
user:~/tmp:$ keytool \ -storepass mypassw0rd \ -storetype PKCS12 \ -keystore ./ignite_keystore.jks \ -list Keystore type: PKCS12 Keystore provider: SunJSSE Your keystore contains 1 entry ignite.master.key, 15.01.2019, SecretKeyEntry, user:~/tmp:$ keytool -genseckey \ -alias ignite.master.key2 \ -keystore ./ignite_keystore.jks \ -storetype PKCS12 \ -keyalg aes \ -storepass mypassw0rd \ -keysize 256 user:~/tmp:$ keytool \ -storepass mypassw0rd \ -storetype PKCS12 \ -keystore ./ignite_keystore.jks \ -list Keystore type: PKCS12 Keystore provider: SunJSSE Your keystore contains 2 entries ignite.master.key, 15.01.2019, SecretKeyEntry, ignite.master.key2, 15.01.2019, SecretKeyEntry,
Apache, Apache Ignite, the Apache feather and the Apache Ignite logo are either registered trademarks or trademarks of The Apache Software Foundation.