public interface IgniteEncryption
Ignite provides Transparent Data Encryption of cache data on disk. Encryption features are provided by EncryptionSpi
and can be configured via IgniteConfiguration.setEncryptionSpi(EncryptionSpi)
. Cache
encryption can be enabled via CacheConfiguration.setEncryptionEnabled(boolean)
.
Instance of IgniteEncryption
is obtained from Ignite
as follows:
Ignite ignite = Ignition.ignite(); IgniteEncryption encryption = ignite.encryption();Two types of keys are involved in data encryption: group and master keys.
Group key encrypts data of cache group caches. Each group key is encrypted by the master key. Encrypted group key and encrypted data are written to disk.
Ignite provides the ability to change the master key. Master keys are identified by a name (see EncryptionSpi.getMasterKeyName()
). Follow operations are available for master key:
getMasterKeyName()
gets current master key name in the cluster.changeMasterKey(String)
()} starts master key change process.Modifier and Type | Method and Description |
---|---|
IgniteFuture<Void> |
changeCacheGroupKey(Collection<String> cacheOrGrpNames)
Starts cache group encryption key change process.
|
IgniteFuture<Void> |
changeMasterKey(String masterKeyName)
Starts master key change process.
|
String |
getMasterKeyName()
Gets the current master key name.
|
String getMasterKeyName()
IgniteFuture<Void> changeMasterKey(String masterKeyName)
Each node will re-encrypt group keys stored on the disk.
NOTE: The new master key should be available to EncryptionSpi
for each server node. Cache start
and node join during the key change process is prohibited and will be rejected.
If some node was unavailable during a master key change process it won't be able to join to cluster with the old
master key. The node should re-encrypt group keys during recovery on startup. The actual master key
name should be set via IgniteSystemProperties.IGNITE_MASTER_KEY_NAME_TO_CHANGE_BEFORE_STARTUP
.
masterKeyName
- Name of the master key.IgniteFuture<Void> changeCacheGroupKey(Collection<String> cacheOrGrpNames)
NOTE: Node join is rejected during rotation of cache group encryption key. Background re-encryption of existing data in the specified cache group(s) begins after the encryption key(s) is changed. During re-encryption, node join is not rejected, the cluster remains fully functional, it is fault-tolerant operation that automatically continues after restart. Secondary rotation of the encryption key of a cache group is only possible after background re-encryption of existing data in this cache group is completed.
cacheOrGrpNames
- Cache or group names.
Follow @ApacheIgnite
Ignite Database and Caching Platform : ver. 2.16.0 Release Date : December 15 2023