Package org.apache.ignite

Interface IgniteEncryption

  • public interface IgniteEncryption
    Defines encryption features.

    Ignite provides Transparent Data Encryption of cache data on disk. Encryption features are provided by EncryptionSpi and can be configured via IgniteConfiguration.setEncryptionSpi(EncryptionSpi). Cache encryption can be enabled via CacheConfiguration.setEncryptionEnabled(boolean).

    Instance of IgniteEncryption is obtained from Ignite as follows: 

     Ignite ignite = Ignition.ignite();

 IgniteEncryption encryption = ignite.encryption();
    Two types of keys are involved in data encryption: group and master keys.

    Group key encrypts data of cache group caches. Each group key is encrypted by the master key. Encrypted group key and encrypted data are written to disk.

    Ignite provides the ability to change the master key. Master keys are identified by a name (see EncryptionSpi.getMasterKeyName()). Follow operations are available for master key:

    • Method Detail

      • getMasterKeyName

        String getMasterKeyName()
        Gets the current master key name.
        Returns:
        Master key name.

      • changeMasterKey

        IgniteFuture<Void> changeMasterKey​(String masterKeyName)
        Starts master key change process.

        Each node will re-encrypt group keys stored on the disk.

        NOTE: The new master key should be available to EncryptionSpi for each server node. Cache start and node join during the key change process is prohibited and will be rejected.

        If some node was unavailable during a master key change process it won't be able to join to cluster with the old master key. The node should re-encrypt group keys during recovery on startup. The actual master key name should be set via IgniteSystemProperties.IGNITE_MASTER_KEY_NAME_TO_CHANGE_BEFORE_STARTUP.

        Parameters:
        masterKeyName - Name of the master key.
        Returns:
        Future for this operation.

      • changeCacheGroupKey

        IgniteFuture<Void> changeCacheGroupKey​(Collection<String> cacheOrGrpNames)
        Starts cache group encryption key change process.

        NOTE: Node join is rejected during rotation of cache group encryption key. Background re-encryption of existing data in the specified cache group(s) begins after the encryption key(s) is changed. During re-encryption, node join is not rejected, the cluster remains fully functional, it is fault-tolerant operation that automatically continues after restart. Secondary rotation of the encryption key of a cache group is only possible after background re-encryption of existing data in this cache group is completed.

        Parameters:
        cacheOrGrpNames - Cache or group names.
        Returns:
        Future which will be completed when new encryption key(s) are set for writing on all nodes in the cluster and re-encryption of existing cache data is initiated.