RFC: encryption at rest #19785
RFC: encryption at rest #19785
Conversation
|
This change is |
|
CCing a few people for specific sections: |
|
Review status: 0 of 1 files reviewed at latest revision, 1 unresolved discussion, some commit checks pending. docs/RFCS/20171101_encryption_at_rest.md, line 557 at r1 (raw file):
Does it make sense to dynamically generate these keys in memory on each start? There's no need to persist them since the old data doesn't need to be read. That would remove some user burden. Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 1 unresolved discussion, some commit checks pending. docs/RFCS/20171101_encryption_at_rest.md, line 557 at r1 (raw file): Previously, mjibson (Matt Jibson) wrote…
As long as we don't need to persist the data through node restarts, that's an option. But if we already have keys we should be ok. As long as key reuse is acceptable (eg: not on the same disk as the keys). At this point I'm more concerned about finding all instances of local disk outside of the normal store rocksdb instance. Could you point me to some code? Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 3 unresolved discussions, some commit checks pending. docs/RFCS/20171101_encryption_at_rest.md, line 718 at r1 (raw file):
s/does/does not/ ? docs/RFCS/20171101_encryption_at_rest.md, line 727 at r1 (raw file):
I assume we'd only check this during startup -- a running/happy node wouldn't suddenly stop serving non-system tables if it had been running just because the license was removed. Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 3 unresolved discussions. docs/RFCS/20171101_encryption_at_rest.md, line 718 at r1 (raw file): Previously, dt (David Taylor) wrote…
oops. Done. docs/RFCS/20171101_encryption_at_rest.md, line 727 at r1 (raw file): Previously, dt (David Taylor) wrote…
Right, but startup can have its own errors. If you restart your entire cluster and cannot load the license, you would have the restrictions applied. I didn't define Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 3 unresolved discussions, some commit checks pending. docs/RFCS/20171101_encryption_at_rest.md, line 557 at r1 (raw file): Previously, mberhault (marc) wrote…
We already delete this directory on shutdown/startup (or maybe just one of those?), so that is fine. Considering that this directory is now configurable to be outside of a store, using randomized keys seems like it would be nice because users wouldn't have yet another disk/key thing to worry about. The only temp engine I'm aware of is cockroach/pkg/server/server.go Line 325 in fac2215 Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 3 unresolved discussions, some commit checks pending. docs/RFCS/20171101_encryption_at_rest.md, line 557 at r1 (raw file): Previously, mjibson (Matt Jibson) wrote…
Thanks, that should be easy. You're probably right about temporary keys, they would provide a nicely isolated way of doing it. I've added it to the RFC. Comments from Reviewable |
|
Reviewed 1 of 1 files at r2, 1 of 1 files at r4. Comments from Reviewable |
|
Seems very well thought out, though someone with more security chops should scrutinize. Review status: all files reviewed at latest revision, 5 unresolved discussions, some commit checks failed. docs/RFCS/20171101_encryption_at_rest.md, line 748 at r4 (raw file):
You mention "key usage computation" here and elsewhere, but I didn't find where you define what that is and how the computation is performed. docs/RFCS/20171101_encryption_at_rest.md, line 796 at r4 (raw file):
Seems better to keep old data keys around for a long time than to accidentally delete them and possibly a lot of data. Even if we can accurately detect which data keys are in use, I'd suggest keeping an "old data keys" file that would be encrypted with the store key. Comments from Reviewable |
|
I agree. This is a fairly standard way of doing this but I'd like someone to take a look anyway. At the very least, we need to make sure we're aware of the security assumptions we're making (some are mentioned, but most likely not all) and flesh out the recommended configuration for users to use this safely. Review status: all files reviewed at latest revision, 5 unresolved discussions, some commit checks failed. docs/RFCS/20171101_encryption_at_rest.md, line 748 at r4 (raw file): Previously, petermattis (Peter Mattis) wrote…
Sorry, the subsection for that is titled docs/RFCS/20171101_encryption_at_rest.md, line 796 at r4 (raw file): Previously, petermattis (Peter Mattis) wrote…
We can definitely keep them for a long long time, individual key entries would be around 100 bytes each (plus the fixed 4KiB preamble). Even if you rotate them once the week, you have a long way to go before making any sort of dent in disk usage. Memory usage could be reduced by loading keys on-demand (but that would take a long time too). An "old keys" file would work as well, just adds more complexity. Comments from Reviewable |
|
A security friend of mine is highlighting that this document is hard to review to a security expert, because it does not sufficiently outline its threat model. That needs to be addressed before we can solicit more insight. |
|
(i.e. "what are we protecting against") |
|
Reviewed 1 of 1 files at r5. docs/RFCS/20171101_encryption_at_rest.md, line 67 at r1 (raw file):
nit: HIPAA docs/RFCS/20171101_encryption_at_rest.md, line 172 at r5 (raw file):
Do we auto rotate the data key? You say so below, can add a line here saying so. docs/RFCS/20171101_encryption_at_rest.md, line 187 at r5 (raw file):
this is just for performance right? Useful to separate the "absolutely must" recommendations (for security), v.s. the "preferred" recommendations (for performance assuming encr-at-rest is turned on) docs/RFCS/20171101_encryption_at_rest.md, line 188 at r5 (raw file):
s/are/area/ docs/RFCS/20171101_encryption_at_rest.md, line 549 at r5 (raw file):
After reading this section, I don't understand how RocksDB rotates keys. Can RocksDB accept multiple active data keys, and thus it is on us to take a file, rekey it, and then atomically swap it under the hood, invisible to RocksDB? docs/RFCS/20171101_encryption_at_rest.md, line 550 at r5 (raw file):
RocksDB never overwrites SSTs, so what files are being overwritten? docs/RFCS/20171101_encryption_at_rest.md, line 558 at r5 (raw file):
I can imagine there being another set of "backup keys", since a user might want backups to be part of an ETL process, and not have to have their entire system forced to use the exact same keys. docs/RFCS/20171101_encryption_at_rest.md, line 587 at r5 (raw file):
This should start with a threat model section, as @knz mentioned. docs/RFCS/20171101_encryption_at_rest.md, line 760 at r5 (raw file):
I would appreciate if you took some of these points and wrote up a "how we do key rotation using RocksDB's existing write patterns" section above. Comments from Reviewable |
|
Review status: all files reviewed at latest revision, 12 unresolved discussions, some commit checks failed. docs/RFCS/20171101_encryption_at_rest.md, line 67 at r1 (raw file): Previously, arjunravinarayan (Arjun Narayan) wrote…
Done. docs/RFCS/20171101_encryption_at_rest.md, line 172 at r5 (raw file): Previously, arjunravinarayan (Arjun Narayan) wrote…
There's a whole subsection titled docs/RFCS/20171101_encryption_at_rest.md, line 187 at r5 (raw file): Previously, arjunravinarayan (Arjun Narayan) wrote…
Yeah, that'll need to be hashed out in the docs. recommendations for security vs performance reasons. docs/RFCS/20171101_encryption_at_rest.md, line 188 at r5 (raw file): Previously, arjunravinarayan (Arjun Narayan) wrote…
Done. docs/RFCS/20171101_encryption_at_rest.md, line 549 at r5 (raw file): Previously, arjunravinarayan (Arjun Narayan) wrote…
rocksdb doesn't know anything about keys. The docs/RFCS/20171101_encryption_at_rest.md, line 550 at r5 (raw file): Previously, arjunravinarayan (Arjun Narayan) wrote…
Everything written by rocksdb will be encrypted. This includes things like docs/RFCS/20171101_encryption_at_rest.md, line 558 at r5 (raw file): Previously, arjunravinarayan (Arjun Narayan) wrote…
This applies to the sstables generated locally by restore and then loaded. I still need to better understand how this works, but it has nothing to do with the external (eg: S3) backup. docs/RFCS/20171101_encryption_at_rest.md, line 587 at r5 (raw file): Previously, arjunravinarayan (Arjun Narayan) wrote…
Yeah, there's some discussion about why customers want this, and some about the assumptions we make. However, I have no idea how to define a threat model, let alone a "rigorous" one. docs/RFCS/20171101_encryption_at_rest.md, line 760 at r5 (raw file): Previously, arjunravinarayan (Arjun Narayan) wrote…
uh, there's not much to say other than "we write new files using the active key". Since we can't rewrite the files ourselves the best we can do is trigger compactions at the rocksdb level. This is all mentioned. Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 7 unresolved discussions, some commit checks pending. docs/RFCS/20171101_encryption_at_rest.md, line 549 at r5 (raw file): Previously, mberhault (marc) wrote…
Then I can imagine the following key rotation process: we encrypt all newly created SSTs with the new store key, and trigger compactions to get rid of old SSTs (so that we don't ever have to do an in-place rewrite of a "live" SST). The only trickiness comes with lower levels that may simply be dormant for a long period of time, in which case it might be safe to re-encrypt them after compaction triggers have failed to invalidate them. docs/RFCS/20171101_encryption_at_rest.md, line 550 at r5 (raw file): Previously, mberhault (marc) wrote…
How do we "pause" RocksDB if we are ripping a file out from under it? docs/RFCS/20171101_encryption_at_rest.md, line 587 at r5 (raw file): Previously, mberhault (marc) wrote…
You want two things: A list of properties we want to ensure, which I imagine roughly as:
A list of restrictions on the attacker, which if broken, all is lost (this is my initial stab at it, I'm sure there are more):
Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 7 unresolved discussions, some commit checks pending. docs/RFCS/20171101_encryption_at_rest.md, line 549 at r5 (raw file): Previously, arjunravinarayan (Arjun Narayan) wrote…
This is addressed in docs/RFCS/20171101_encryption_at_rest.md, line 550 at r5 (raw file): Previously, arjunravinarayan (Arjun Narayan) wrote…
We don't, we rely on natural churn. Also addressed in Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 7 unresolved discussions, some commit checks failed. docs/RFCS/20171101_encryption_at_rest.md, line 557 at r1 (raw file): Previously, mberhault (marc) wrote…
After looking at the code a bit more, I think we need to use the existing keys to write the SST to be ingested. We end up just passing the filename to the rocksdb instance, so the Comments from Reviewable |
|
Reviewed 1 of 1 files at r6. docs/RFCS/20171101_encryption_at_rest.md, line 200 at r6 (raw file):
Seems like the Comments from Reviewable |
|
Review status: all files reviewed at latest revision, 8 unresolved discussions, some commit checks failed. docs/RFCS/20171101_encryption_at_rest.md, line 200 at r6 (raw file): Previously, tschottdorf (Tobias Schottdorf) wrote…
I'm not sure how passing it through init helps. Does it become a cluster-wide setting? How do we pass that before we initialize a new rocksdb instance? It's simplest to provide it as a permanent flag, much the same way you have to keep specifying Comments from Reviewable |
|
Review status: all files reviewed at latest revision, 32 unresolved discussions, some commit checks failed. docs/RFCS/20171101_encryption_at_rest.md, line 67 at r6 (raw file):
s/PCI/OCI/? docs/RFCS/20171101_encryption_at_rest.md, line 134 at r6 (raw file):
Why not use docs/RFCS/20171101_encryption_at_rest.md, line 144 at r6 (raw file):
Is this format based on anything in particular? It might be worth looking at tools people use for this kind of key rotation and to support a format that at least one tool understands natively (maybe json instead of an ad-hoc delimited format?). In particular, I wonder if it might be better supported to use a directory containing an immutable file per key instead of a file that is updated on every rotation. docs/RFCS/20171101_encryption_at_rest.md, line 167 at r6 (raw file):
How are they stored? In separate files or in the preamble? docs/RFCS/20171101_encryption_at_rest.md, line 177 at r6 (raw file):
Why keep the same key across multiple files? I thought the point of the store/data key split would be to allow a fresh key to be generated for each file. (and then we'd have a separate "max key age" that would force a compaction to a fresh key) docs/RFCS/20171101_encryption_at_rest.md, line 188 at r6 (raw file):
This should be called out separately since it's a must-have: the security of this scheme rests almost entirely on the existence of a separate, more secure filesystem. docs/RFCS/20171101_encryption_at_rest.md, line 362 at r6 (raw file):
Don't we need strongly random IVs instead of pseudo-random? docs/RFCS/20171101_encryption_at_rest.md, line 398 at r6 (raw file):
3DES and skipjack are both really old. Chacha20 is a more plausible choice today (based on its inclusion in TLS 1.3). docs/RFCS/20171101_encryption_at_rest.md, line 414 at r6 (raw file):
As we discussed, mention that the plan is to make the preamble format the default for newly-created stores in some future version, but we are keeping it off by default for now. docs/RFCS/20171101_encryption_at_rest.md, line 415 at r6 (raw file):
Why a new file instead of a new value in the existing COCKROACH_VERSION file? docs/RFCS/20171101_encryption_at_rest.md, line 430 at r6 (raw file):
Should we talk explicitly about the use of keywhiz-style virtual filesystems here? docs/RFCS/20171101_encryption_at_rest.md, line 495 at r6 (raw file):
We definitely don't want pseudorandomness here. docs/RFCS/20171101_encryption_at_rest.md, line 599 at r6 (raw file):
GCM is not the only way to get confidentiality+integrity: CTR+HMAC would work too and still allow random access. docs/RFCS/20171101_encryption_at_rest.md, line 602 at r6 (raw file):
This comes back to our discussion about whether parameters (like key sizes and cipher modes) need to differ between store and data keys. It sounds like there's a reason to configure them separately. Or maybe we should just remove the cipher mode from the key file completely (so it just specifies cipher and key size), since we don't expect to allow much flexibility in cipher modes. docs/RFCS/20171101_encryption_at_rest.md, line 628 at r6 (raw file):
Well, we recommend disabling swap entirely above, which is an answer to this question. docs/RFCS/20171101_encryption_at_rest.md, line 650 at r6 (raw file):
The current EncryptedEnv cannot handle migrations, but I think we could make one that tracked the presence/absence of the preamble on a per-file basis. I don't think we care enough about the ability to migrate existing stores to actually do that, but changes to EncryptedEnv are an option if we need to. docs/RFCS/20171101_encryption_at_rest.md, line 700 at r6 (raw file):
I'm worried that this process adds risk of its own: we have to keep the data keys in memory all in one place, and rewrite them periodically. I was thinking that for a two-level key scheme, we'd have one key per data file (encrypted with the store key and stored in the preamble). This permits a fast rotation process by rewriting the preamble block (although this is enough of a deviation from the normal write-once practice that I'm not sure it makes sense). docs/RFCS/20171101_encryption_at_rest.md, line 701 at r6 (raw file):
Are we making it easier to understand or just masking a problem? With a one-level key scheme, you need multiple in-use keys until all the data has been rewritten, and when the key is no longer in use you know it will be useless to an attacker who subsequently gets data from your disk. With this two-level scheme, the store key will quickly leave in-use status, but it becomes hard to tell when the data protected by that key becomes inaccessible (because it's reasonable to assume that the attacker got the store key and the then-current data keys at the same time). docs/RFCS/20171101_encryption_at_rest.md, line 734 at r6 (raw file):
Or similarly, encrypted nodes could refuse to acquire leases for non-system ranges unless they see a valid license. docs/RFCS/20171101_encryption_at_rest.md, line 765 at r6 (raw file):
I can't find it now, but I thought there already was something for this: changing certain options triggers a compaction of all files that were written under older options (unless I'm misremembering, the compression option works this way). docs/RFCS/20171101_encryption_at_rest.md, line 782 at r6 (raw file):
I think we should support a mix of encrypted and unencrypted stores on the same node. We don't need to support preamble and non-preamble stores on one node, though. docs/RFCS/20171101_encryption_at_rest.md, line 799 at r6 (raw file):
This is a drawback of the data key list format. If we either used a single key level or a key per file stored in its preamble, this wouldn't be an issue. If we do stick with the data key file, I think we need to address this. One option is to allow the configuration of the data ciphers separately from the store key, so you could say that new data files should be in plaintext even while we have a store key. Then it would only be safe to remove the store key when all the data had been rotated into the plaintext format. docs/RFCS/20171101_encryption_at_rest.md, line 853 at r6 (raw file):
I think we can mark it as "encrypted" (would this be a store attribute or something else?) as soon as it's enabled, because that means that any newly-written data will be encrypted. docs/RFCS/20171101_encryption_at_rest.md, line 873 at r6 (raw file):
NIST decertified skipjack in 2016. 3DES is still on the list although it's generally considered too weak to use these days. Comments from Reviewable |
|
LGTM -> for user feedback, I'm going to write up a summary of the user facing stuff in a couple bullets. I'll need you to take a quick skim through before I send it out to sanity check it for correctness. Review status: all files reviewed at latest revision, 36 unresolved discussions, some commit checks failed. docs/RFCS/20171101_encryption_at_rest.md, line 67 at r1 (raw file):
Do you mean HIPAA here? We might also want to add PCI docs/RFCS/20171101_encryption_at_rest.md, line 90 at r1 (raw file):
I'm assuming this means table-level partitioning? docs/RFCS/20171101_encryption_at_rest.md, line 217 at r1 (raw file):
Do we want to warn if a new node is initialized into a cluster where all other stores have enabled encryption? docs/RFCS/20171101_encryption_at_rest.md, line 261 at r1 (raw file):
This doesn't seem great in terms of usability, but I guess we don't have time to do better in this release. Would you consider that this qualifies as an event that could be surfaced in the event log in the admin UI? Comments from Reviewable |
|
I'm seeing one massive question here: do we want to use a single level of keys (user keys are used to encrypt the data) or the dual-level described here. I can expand the "Alternatives: Single level of keys" section with more pros/cons, but ultimately we have to pick one. Code complexity and user-friendliness point towards single-level keys. Review status: all files reviewed at latest revision, 36 unresolved discussions, some commit checks failed. docs/RFCS/20171101_encryption_at_rest.md, line 67 at r1 (raw file): Previously, dianasaur323 (Diana Hsieh) wrote…
Done. docs/RFCS/20171101_encryption_at_rest.md, line 90 at r1 (raw file): Previously, dianasaur323 (Diana Hsieh) wrote…
This is only db/table-level encryption if you get said db/table onto encrypted nodes through zone configs. docs/RFCS/20171101_encryption_at_rest.md, line 217 at r1 (raw file): Previously, dianasaur323 (Diana Hsieh) wrote…
The preamble format only says that the node can support encryption, we can still be plaintext. As for checking the rest of the cluster, we can't: this is done before we've talked to any other nodes. docs/RFCS/20171101_encryption_at_rest.md, line 261 at r1 (raw file): Previously, dianasaur323 (Diana Hsieh) wrote…
We'll need a better interface, but that will come later. The proposed status reporting will make it easy to build a user-friendly admin UI page. docs/RFCS/20171101_encryption_at_rest.md, line 67 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
Wow, I keep having typos in those. docs/RFCS/20171101_encryption_at_rest.md, line 134 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
I think we'll want some examples of how to generate good keys in the docs. For now, I don't want anyone to just copy/paste things in here willy-nilly. docs/RFCS/20171101_encryption_at_rest.md, line 144 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
Not particularly, mostly easy of writing/parsing in C++, I don't particularly want a json library. docs/RFCS/20171101_encryption_at_rest.md, line 167 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
The data key is the same format as above, with one big file for all keys. It is written by a different instance of the docs/RFCS/20171101_encryption_at_rest.md, line 177 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
We could generate a new key for every file (although at that point that's what the nonce is). But I think you're thinking about storing the file-key in a part of the preamble encrypted with the store key. That would mean losing the quick store key rotation scheme. docs/RFCS/20171101_encryption_at_rest.md, line 188 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
Sure, well have to be very careful how we draft the requirements and recommendations in the docs. docs/RFCS/20171101_encryption_at_rest.md, line 362 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
Sure, but as discussed in docs/RFCS/20171101_encryption_at_rest.md, line 398 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
Sure. dropping all mention of specific ciphers, this isn't relevant for not. docs/RFCS/20171101_encryption_at_rest.md, line 414 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
Done. docs/RFCS/20171101_encryption_at_rest.md, line 415 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
We could change docs/RFCS/20171101_encryption_at_rest.md, line 430 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
We should mention it as one of the possible key sources in the docs, but that's irrelevant for this RFC. docs/RFCS/20171101_encryption_at_rest.md, line 495 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
As discussed in the docs/RFCS/20171101_encryption_at_rest.md, line 599 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
True. We need to decide if we want integrity as well, at least for the data keys file (easy since it's small and only used by us). Integrity for all other files is a bit trickier, but may be a reasonable future improvement. docs/RFCS/20171101_encryption_at_rest.md, line 602 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
I think we still want to control key sizes (mostly because it's trivial). If we fix it at 128, someone will say they want 256 for better security, and the other way around will get complaints about slowness. docs/RFCS/20171101_encryption_at_rest.md, line 628 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
Partially. I'm still going to call docs/RFCS/20171101_encryption_at_rest.md, line 650 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
We may be able to detect if something is an sstable or log, but what about the other rocksdb files ( docs/RFCS/20171101_encryption_at_rest.md, line 700 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
I really want to avoid re-writing files when I'm not being asked to. Rewriting the data keys file isn't particularly complicated, we can follow the normal pattern of docs/RFCS/20171101_encryption_at_rest.md, line 701 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
Right, and whatever mechanism we would have used to force re-encryption in a single-level solution can still be applied here. Note also that GCing of keys is still an open question, meaning that we may not be able to guarantee that a key is no longer needed (eg: backups). docs/RFCS/20171101_encryption_at_rest.md, line 734 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
true. We have a number of possibilities here, we just need to be careful about failure modes. docs/RFCS/20171101_encryption_at_rest.md, line 765 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
Yeah, I'm still digging through rocksdb for some of these things. docs/RFCS/20171101_encryption_at_rest.md, line 782 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
Uh. This is pretty much what I have here. We're agreed that this is reasonable? docs/RFCS/20171101_encryption_at_rest.md, line 799 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
Yeah, this goes back to the one vs two level. This one is not so much an open question as it is a requirement in the two-level system. Not particularly complicated though, just more confusion for the user. docs/RFCS/20171101_encryption_at_rest.md, line 853 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
The simplest solution is to do nothing and have the user set their own attributes. docs/RFCS/20171101_encryption_at_rest.md, line 873 at r6 (raw file): Previously, bdarnell (Ben Darnell) wrote…
Also dropped sample ciphers. Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 37 unresolved discussions, all commit checks successful. docs/RFCS/20171101_encryption_at_rest.md, line 742 at r7 (raw file):
Are there other concerns with this approach such as performance concerns? I'd like to see a stronger discussion on why proactively gating is worse for users than the proposed approach Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 37 unresolved discussions, all commit checks successful. docs/RFCS/20171101_encryption_at_rest.md, line 742 at r7 (raw file): Previously, awoods187 (Andy Woods) wrote…
The concern with blocking anything on encryption is that it has be done after the fact (when we initialize the encryption state, we have no way of knowing whether we have a license or not). Any type of degradation of service/features after the fact risks being triggered by bugs/license removal/bad error handling etc... Comments from Reviewable |
mberhault
force-pushed
the
marc/RFC_encryption_at_rest
branch
from
e81f066 to
94dffd0
Compare
|
A few major changes since the last round of reviews:
|
|
This is ready for another look. I'm not collapsing commits for now so that people can see what changed.
|
|
Thanks. Typos make things less legible so always good to avoid. I think most of this doc has been pretty well hashed out by now. The main question in my mind is whether to go for the preamble format of the custom env solution. Review status: 0 of 1 files reviewed at latest revision, 28 unresolved discussions, some commit checks pending. docs/RFCS/20171101_encryption_at_rest.md, line 217 at r1 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Integration with zone configs is fairly straightforward. The future improvement section proposes a reserved Cluster settings are about as tricky as license enforcement. docs/RFCS/20171101_encryption_at_rest.md, line 853 at r6 (raw file): Previously, a-robinson (Alex Robinson) wrote…
That's fair. Actual encryption status (how much data is still plaintext or encrypted using old keys) will need to be carefully integrated into the admin-ui/metrics and monitored by DBAs. docs/RFCS/20171101_encryption_at_rest.md, line 152 at r36 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Done. docs/RFCS/20171101_encryption_at_rest.md, line 204 at r36 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Done. docs/RFCS/20171101_encryption_at_rest.md, line 205 at r36 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Good point, I didn't think about that. Added to the docs/RFCS/20171101_encryption_at_rest.md, line 218 at r36 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Done. docs/RFCS/20171101_encryption_at_rest.md, line 238 at r36 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Done. docs/RFCS/20171101_encryption_at_rest.md, line 291 at r36 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Done. docs/RFCS/20171101_encryption_at_rest.md, line 307 at r36 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Done. I've replaced a bunch of mentions of docs/RFCS/20171101_encryption_at_rest.md, line 338 at r36 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Done. docs/RFCS/20171101_encryption_at_rest.md, line 633 at r36 (raw file): Previously, a-robinson (Alex Robinson) wrote…
oops. I got my terminology mixed up. This is indeed store keys. Renamed all instances of master keys docs/RFCS/20171101_encryption_at_rest.md, line 758 at r36 (raw file): Previously, a-robinson (Alex Robinson) wrote…
I'm not too worried about "accidentally" using encryption. You still have to generate keys and specify them through the There's discussion about alternate ways of doing license enforcement in the "future improvements", but I don't know of a safe way of doing it right now. docs/RFCS/20171101_encryption_at_rest.md, line 819 at r36 (raw file): Previously, a-robinson (Alex Robinson) wrote…
We can still mention filesystem-level encryption if people prefer it, somewhere in some production docs. This is under "alternatives", and it is a valid alternative for some scenarios so not mentioning it would be have been a rather big omission. docs/RFCS/20171101_encryption_at_rest.md, line 968 at r36 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Done. Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 19 unresolved discussions, all commit checks successful. docs/RFCS/20171101_encryption_at_rest.md, line 819 at r36 (raw file): Previously, mberhault (marc) wrote…
I'm more wondering which one we'll recommend first, i.e. as the preferred option. docs/RFCS/20171101_encryption_at_rest.md, line 213 at r37 (raw file):
s/code/core/? docs/RFCS/20171101_encryption_at_rest.md, line 257 at r37 (raw file):
s/code/core/? Comments from Reviewable |
|
Reviewed 1 of 1 files at r37. Comments from Reviewable |
mberhault
force-pushed
the
marc/RFC_encryption_at_rest
branch
from
e071dcc to
e1f2eb9
Compare
|
Review status: 0 of 1 files reviewed at latest revision, 19 unresolved discussions. docs/RFCS/20171101_encryption_at_rest.md, line 819 at r36 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Well, it depends on what you're already doing. If you have filesystem-level encryption with HSM support, I would honestly go for that rather than our encryption. But some people have made it clear that filesystem-level encryption is not an option for them. docs/RFCS/20171101_encryption_at_rest.md, line 213 at r37 (raw file): Previously, a-robinson (Alex Robinson) wrote…
wow. I really had a problem with that word for some reason. Fixed all three instances. docs/RFCS/20171101_encryption_at_rest.md, line 257 at r37 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Done. Comments from Reviewable |
tbg
left a comment
tbg
left a comment
There was a problem hiding this comment.
Gave this only a shallow review, but generally looks good.
| to be used by another rocksdb instance and does not survive node restart. We propose to use dynamically-generated | ||
| keys to encrypt the temporary rocksdb instance. | ||
| 1. sideloading for restore. Local SSTables are generated using an in-memory rocksdb instance then written in go | ||
| to local disk. We must change this to either be written directly by rocksdb, or move encryption to Go. The former |
There was a problem hiding this comment.
Not sure what exactly you mean, not putting the sideloaded file on disk directly is likely a non-started, since avoiding the write amplification associated with putting it into RocksDB was one of the goals of side loading.
Also, how will RESTORE work in this case? The sideloaded files are linked in directly into RocksDB (via DB::IngestExternalFile()). What does that mean for the file? Does it have to be encrypted already?
My assumption on how this would work is that instead of slapping the file on disk, it would pass through something that would add the right preamble and encrypt with the store key, and that that is the right thing to pass to IngestExternalFile later, but I'm not sure.
Could you add more details here?
There was a problem hiding this comment.
As mentioned in the RFC, the file is generated in an in-mem rocksdb instance then written to disk in Go. After that, it is ingested.
We need to make sure the ingested file is encrypted using the same set of keys, so it really needs to go through the existing rocksdb instance, or at least the same Env layer.
|
there are three PRs showing possible ways of doing some things:
My preference is for the switching env over the preamble (explained in the alternatives section). I'll rewrite this RFC to switch to it. |
|
This RFC now proposes using a switching env for plaintext vs encryption and a registry to keep information about a file's encryption status. |
|
Review status: 0 of 1 files reviewed at latest revision, 21 unresolved discussions, some commit checks pending. docs/RFCS/20171101_encryption_at_rest.md, line 427 at r39 (raw file):
As an alternative to a registry, could we do something with symlinks? For example, if the file is a regular file it is plaintext. If the file is a symlink, read the link name and if it contains the suffix Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 21 unresolved discussions, some commit checks pending. docs/RFCS/20171101_encryption_at_rest.md, line 427 at r39 (raw file): Previously, petermattis (Peter Mattis) wrote…
That's something Ben and I have iterated over a little (see the "custom env" section in older revisions). Using the filename to describe encrypted status still needs the registry (or preamble) to store encryption fields.
As for creating a whole new file to safely write, we have to do this for the data keys, so one more doesn't seem like too big of a pain. Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 21 unresolved discussions, some commit checks pending. docs/RFCS/20171101_encryption_at_rest.md, line 427 at r39 (raw file): Previously, mberhault (marc) wrote…
Ack. Carry on. Comments from Reviewable |
|
docs/RFCS/20171101_encryption_at_rest.md, line 400 at r39 (raw file):
If I'm reading this correctly, this means that the previous limitation where you couldn't encrypt a store that didn't have the preamble format enabled is instead simply a flag that can be toggled? That's nice! Comments from Reviewable |
|
Review status: 0 of 1 files reviewed at latest revision, 21 unresolved discussions, all commit checks successful. docs/RFCS/20171101_encryption_at_rest.md, line 400 at r39 (raw file): Previously, dianasaur323 (Diana Hsieh) wrote…
That's correct. The remaining limitation is that enabling encryption means you can't go back to a version that does not support encryption. Obviously there's nothing I can do about that. Comments from Reviewable |
|
docs/RFCS/20171101_encryption_at_rest.md, line 400 at r39 (raw file): Previously, mberhault (marc) wrote…
Woohoo~~~ Comments from Reviewable |
mberhault
force-pushed
the
marc/RFC_encryption_at_rest
branch
from
3a279a8 to
7a6cfe5
Compare
This is to be contrasted to the preamble method in cockroachdb#20124. This method is discussed in the `Custom env for encryption state` section of the [Encryption RFC](cockroachdb#19785) When encryption is enabled, use a switching env that can redirect each Env method to one of: * base env for plaintext (same format as currently, no overhead) * encrypted env (with or without preamble) for encrypted files The switching env will hold the list of encrypted files to know which env to pick.
This is to be contrasted to the preamble method in cockroachdb#20124. This method is discussed in the `Custom env for encryption state` section of the [Encryption RFC](cockroachdb#19785) When encryption is enabled, use a switching env that can redirect each Env method to one of: * base env for plaintext (same format as currently, no overhead) * encrypted env (with or without preamble) for encrypted files The switching env will hold the list of encrypted files to know which env to pick.
|
Reviewed 1 of 1 files at r40. docs/RFCS/20171101_encryption_at_rest.md, line 819 at r36 (raw file): Previously, mberhault (marc) wrote…
Personally I'd recommend filesystem-level encryption as long as it meets security and operational requirements. docs/RFCS/20171101_encryption_at_rest.md, line 441 at r40 (raw file):
s/persiste/persist/ Discuss partial failures here: we may persist the write to the registry without creating the file, so the registry contains a superset of the (encrypted) files on disk. Going the other way, when a file is deleted, we must delete the file from disk first, before removing it from the registry. It is possible for registry entries to "leak" via these partial failures. We could either implement some sort of GC for them (the fact that rocksdb includes a monotonic counter in all filenames should make this straightforward) or just assume that this will be rare enough that we don't have to worry about it. docs/RFCS/20171101_encryption_at_rest.md, line 575 at r40 (raw file):
What does this mean? Do you have to restart to pick up new keys? I think we need to be able to pick up updates to these keyfiles on SIGHUP. (although renaming Comments from Reviewable |
|
Review status: all files reviewed at latest revision, 22 unresolved discussions. docs/RFCS/20171101_encryption_at_rest.md, line 819 at r36 (raw file): Previously, bdarnell (Ben Darnell) wrote…
It should definitely be mentioned as an option in the docs. Or we could say that's the only solution for now and I can seriously free up my next few months :) docs/RFCS/20171101_encryption_at_rest.md, line 441 at r40 (raw file): Previously, bdarnell (Ben Darnell) wrote…
Fixed typo. Added some details about non-existent entries and linked to the existing registry GC "future improvement, maybe in for first version". docs/RFCS/20171101_encryption_at_rest.md, line 575 at r40 (raw file): Previously, bdarnell (Ben Darnell) wrote…
Yup. I have Comments from Reviewable |
mberhault
force-pushed
the
marc/RFC_encryption_at_rest
branch
from
7a6cfe5 to
b938c05
Compare
|
No more unresolved questions:
|
mberhault
force-pushed
the
marc/RFC_encryption_at_rest
branch
from
39a24b1 to
262d532
Compare
|
There's been no movement in about over a week. If there are no objections, I'd like to move to FCP. |
|
Moving to FCP. ETA for close is Wednesday Dec 20th. |
This is the initial RFC for encryption at rest. The `Security considerations` sections must be expanded and carefully examined. The `Unresolved questions` must be resolved. The `Future improvements` must be examined for in/out-of scope decisions.
mberhault
force-pushed
the
marc/RFC_encryption_at_rest
branch
from
262d532 to
4626d29
Compare
13 participants
This is the initial RFC for encryption at rest.
The
Security considerationssection must be expanded and carefullyexamined (anyone know a security expert with free time?)
The
Unresolved questionsmust be resolved (ah!)The
Future improvementsmust be examined for in/out-of scopedecisions.