You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: v2.1/encryption.md
+29-6Lines changed: 29 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,15 +9,38 @@ Encryption At Rest provides transparent encryption for node data on local disk.
9
9
10
10
<divid="toc"></div>
11
11
12
-
## Terminology
12
+
## Background
13
13
14
-
* store key: user-provided key, used to encrypt data keys
15
-
* data key: automatically-generated key, used to encrypt data
16
-
TODO(mberhault): add more
14
+
Encryption at rest allows encryption of all files on disk using AES in counter mode, with all key
15
+
sizes allowed.
17
16
18
-
## Background
17
+
Encryption is performed in the [storage layer](architecture/storage-layer.html) and configured per store.
18
+
All files used by the store, regarless of contents, are encrypted with the desired algorithm.
19
+
20
+
To allow arbitrary rotation schedules and ensure security of the keys, we use two layers of keys:
21
+
22
+
| Level | Description |
23
+
|-|-|
24
+
| Store keys | Store keys are provided by the user in a file. They are used to encrypt the list of data keys (see below).
25
+
This is known as a **key encryption key**: it's only purpose is to encrypt other keys.
26
+
Store keys are never persisted by CockroachDB.
27
+
Since very little data is encrypted using this key, it can have a very long lifetime without risk of reuse. |
28
+
| Data keys | Data keys are automatically generated by CockroachDB. They are used to encrypt all files on disk.
29
+
This is known as a **data encryption key**.
30
+
Data keys are persisted in a key registry file, encrypted using the store key.
31
+
The key has a short lifetime to avoid key/IV reuse. |
32
+
33
+
Store keys are specified by passing a path to a locally readable file. The file must contain 32 bytes (the key ID)
34
+
followed by the key (16, 24, or 32 bytes). The size of the key dictates the version of AES to use (AES-128, AES-192, or AES-256).
35
+
36
+
At startup, CockroachDB uses a data key with the same length as the store key. If encryption has just been enabled,
37
+
the key size has changed, or the data key is too old (default lifetime is one week), CockroachDB generates a new data key.
38
+
39
+
Any new file created by the store uses the currently-active data key. All data keys (both active and previous) are stored in a key registry file and encrypted with the active store key.
40
+
41
+
CockroachDB does not currently force re-encryption of older files but instead relies on normal RocksDB churn to slowly rewrite all files with the desired encryption.
19
42
20
-
TODO(mberhault): explain store vs data keys, rotation, etc...
43
+
TODO(mberhault): flesh out key rotation description.
0 commit comments