encryption: add tikv kms encryption for gcp and azure #16737
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ti-chi-bot
bot
added
missing-translation-status
|
@LykxSassinator Please help review the azure part thanks. |
ti-chi-bot
bot
removed
the
missing-translation-status
qiancai
added
v8.0
github-actions bot
pushed a commit
to qiancai/pingcap-docsite-preview
that referenced
this pull request
Mar 4, 2024
qiancai
reviewed
Mar 4, 2024
| @@ -65,9 +65,31 @@ TiKV 当前支持的加密算法包括 AES128-CTR、AES192-CTR、AES256-CTR 和 | |||
|
|
|||
| 无论用户配置了哪种数据加密方法,数据密钥都使用 AES256-GCM 算法进行加密,以方便对主密钥进行验证。所以当使用文件而不是 KMS 方式指定主密钥时,主密钥必须为 256 位(32 字节)。 | |||
|
|
|||
There was a problem hiding this comment.
encryption-at-rest.md
Outdated
|
|
||
| 创建密钥 | ||
|
|
||
| 在 Azure 平台创建密钥,请参考文档 [使用 Azure 门户在 Azure Key Vault 中设置和检索密钥](https://learn.microsoft.com/zh-cn/azure/key-vault/keys/quick-create-portal)。 |
There was a problem hiding this comment.
And the link for EN version: https://learn.microsoft.com/en-us/azure/key-vault/keys/quick-create-portal
encryption-at-rest.md
Outdated
| credential-file-path = "/path/to/credential.json" | ||
| ``` | ||
|
|
||
| `key-id` 指定 KMS CMK 的密钥 ID, `credential-file-path` 指向验证凭据配置文件的路径,目前支持 Serivce Account 和 Authentition User 两种凭据。如果 TiKV 的运行环境已配置 [应用默认凭据](https://cloud.google.com/docs/authentication/application-default-credentials?hl=zh-cn),则无须此配置项。 |
There was a problem hiding this comment.
Suggested change
| `key-id` 指定 KMS CMK 的密钥 ID, `credential-file-path` 指向验证凭据配置文件的路径,目前支持 Serivce Account 和 Authentition User 两种凭据。如果 TiKV 的运行环境已配置 [应用默认凭据](https://cloud.google.com/docs/authentication/application-default-credentials?hl=zh-cn),则无须此配置项。 | |
| `key-id` 指定 KMS CMK 的密钥 ID, `credential-file-path` 指向验证凭据配置文件的路径,目前支持 Service Account 和 Authentication User 两种凭据。如果 TiKV 的运行环境已配置 [应用默认凭据](https://cloud.google.com/docs/authentication/application-default-credentials?hl=zh-cn),则无须此配置项。 |
There was a problem hiding this comment.
And for EN doc, the link is: https://cloud.google.com/docs/authentication/application-default-credentials
encryption-at-rest.md
Outdated
| ``` | ||
| [security.encryption.master-key] | ||
| type = "kms" | ||
| key-id = key-id = "projects/project-name/locations/global/keyRings/key-ring-name/cryptoKeys/key-name" |
There was a problem hiding this comment.
Suggested change
| key-id = key-id = "projects/project-name/locations/global/keyRings/key-ring-name/cryptoKeys/key-name" | |
| key-id = "projects/project-name/locations/global/keyRings/key-ring-name/cryptoKeys/key-name" |
|
Please add a description of the new configuration parameters in the configuration file. |
github-actions bot
pushed a commit
to qiancai/pingcap-docsite-preview
that referenced
this pull request
Mar 5, 2024
qiancai
reviewed
Mar 5, 2024
qiancai
reviewed
Mar 5, 2024
encryption-at-rest.md
Outdated
|
|
||
| 如果启用了加密(即 `data-encryption-method` 的值不是 `"plaintext"`),则必须指定主密钥。TiKV 支持 KMS 和文件两种方式指定密钥。 | ||
|
|
||
| #### 配置 KMS 密钥 |
There was a problem hiding this comment.
Suggested change
| #### 配置 KMS 密钥 | |
| #### 通过 KMS 指定主密钥 |
encryption-at-rest.md
Outdated
|
|
||
| </SimpleTab> | ||
|
|
||
| #### 配置文件密钥 |
There was a problem hiding this comment.
Suggested change
| #### 配置文件密钥 | |
| #### 通过文件指定主密钥 |
encryption-at-rest.md
Outdated
|
|
||
| `data-encryption-method` 的可选值为 `"aes128-ctr"`、`"aes192-ctr"`、`"aes256-ctr"`、`"sm4-ctr"` (仅 v6.3.0 及之后版本) 和 `"plaintext"`。默认值为 `"plaintext"`,即默认不开启加密功能。`data-key-rotation-period` 指定 TiKV 轮换密钥的频率。可以为新 TiKV 集群或现有 TiKV 集群开启加密,但只有启用后写入的数据才保证被加密。要禁用加密,请在配置文件中删除 `data-encryption-method`,或将该参数值为 `"plaintext"`,然后重启 TiKV。若要替换加密算法,则将 `data-encryption-method` 替换成已支持的加密算法,然后重启 TiKV。替换加密算法后,旧加密算法生成的加密文件会随着新数据的写入逐渐被重写成新加密算法所生成的加密文件。 | ||
|
|
||
| 如果启用了加密(即 `data-encryption-method` 的值不是 `"plaintext"`),则必须指定主密钥。TiKV 支持 KMS 和文件两种方式指定密钥。 |
There was a problem hiding this comment.
Suggested change
| 如果启用了加密(即 `data-encryption-method` 的值不是 `"plaintext"`),则必须指定主密钥。TiKV 支持 KMS 和文件两种方式指定密钥。 | |
| 如果启用了加密(即 `data-encryption-method` 的值不是 `"plaintext"`),则必须指定主密钥。你可以通过以下方式之一来指定主密钥。 | |
| - [通过 KMS 指定主密钥](#通过-KMS-指定主密钥) | |
| - [通过文件指定主密钥](#通过文件指定主密钥) | |
encryption-at-rest.md
Outdated
|
|
||
| #### 配置 KMS 密钥 | ||
|
|
||
| TiKV 支持 AWS、GCP 和 Azure 3 个平台的 KMS 加密,根据服务部署的平台,使用不同的方式配置 KMS 加密。 |
There was a problem hiding this comment.
Suggested change
| TiKV 支持 AWS、GCP 和 Azure 3 个平台的 KMS 加密,根据服务部署的平台,使用不同的方式配置 KMS 加密。 | |
| TiKV 支持 AWS、Google Cloud 和 Azure 这三个平台的 KMS 加密。你可以根据服务部署的平台,你可以选择其中之一配置 KMS 加密。 |
encryption-at-rest.md
Outdated
|
|
||
| <div label="AWS KMS"> | ||
|
|
||
| 创建密钥 |
There was a problem hiding this comment.
Suggested change
| 创建密钥 | |
| **第 1 步:创建主密钥** |
encryption-at-rest.md
Outdated
| gcloud kms keys create "key-name" --keyring "key-ring-name" --location "global" --purpose "encryption" --rotation-period "30d" | ||
| ``` | ||
|
|
||
| 请将上述命令中的 "key-ring-name"、"key-name"、"global"、"30d" 等字段替换为实际密钥对应的名称和配置。 |
There was a problem hiding this comment.
Suggested change
| 请将上述命令中的 "key-ring-name"、"key-name"、"global"、"30d" 等字段替换为实际密钥对应的名称和配置。 | |
| 请将上述命令中的 "key-ring-name"、"key-name"、"global"、"30d" 等字段的值替换为实际密钥对应的名称和配置。 |
encryption-at-rest.md
Outdated
|
|
||
| 创建密钥 | ||
|
|
||
| 在 GCP 平台上创建一个密钥,请执行以下步骤: |
There was a problem hiding this comment.
Suggested change
| 在 GCP 平台上创建一个密钥,请执行以下步骤: | |
| 要在 Google Cloud 上创建一个密钥,请进行以下操作: |
encryption-at-rest.md
Outdated
|
|
||
| 在 GCP 平台上创建一个密钥,请执行以下步骤: | ||
|
|
||
| 1. 进入 GCP 控制台的 [密钥管理](https://console.cloud.google.com/security/kms/keyrings)。 |
There was a problem hiding this comment.
Suggested change
| 1. 进入 GCP 控制台的 [密钥管理](https://console.cloud.google.com/security/kms/keyrings)。 | |
| 1. 进入 Google Cloud 控制台的[**密钥管理**](https://console.cloud.google.com/security/kms/keyrings)页面。 |
encryption-at-rest.md
Outdated
| 在 GCP 平台上创建一个密钥,请执行以下步骤: | ||
|
|
||
| 1. 进入 GCP 控制台的 [密钥管理](https://console.cloud.google.com/security/kms/keyrings)。 | ||
| 2. 点击**创建密钥环**,创建密钥环,注意密钥环所在的位置需要覆盖 TiDB 集群部署的区域。 |
There was a problem hiding this comment.
Suggested change
| 2. 点击**创建密钥环**,创建密钥环,注意密钥环所在的位置需要覆盖 TiDB 集群部署的区域。 | |
| 2. 点击**创建密钥环**。输入密钥环的名称,选择密钥环的位置,然后点击**创建**。注意密钥环的位置需要覆盖 TiDB 集群部署的区域。 |
encryption-at-rest.md
Outdated
|
|
||
| 1. 进入 GCP 控制台的 [密钥管理](https://console.cloud.google.com/security/kms/keyrings)。 | ||
| 2. 点击**创建密钥环**,创建密钥环,注意密钥环所在的位置需要覆盖 TiDB 集群部署的区域。 | ||
| 3. 选择上一步创建的密钥环,在密钥环详情页面点击**创建密钥**,注意密钥的**保护级别**选择**软件**或 **HSM**,**密钥材料**选择**生成的密钥**,**用途**选择 **Symmetric encrypt/decrypt**。 |
There was a problem hiding this comment.
Suggested change
| 3. 选择上一步创建的密钥环,在密钥环详情页面点击**创建密钥**,注意密钥的**保护级别**选择**软件**或 **HSM**,**密钥材料**选择**生成的密钥**,**用途**选择 **Symmetric encrypt/decrypt**。 | |
| 3. 选择上一步创建的密钥环,在密钥环详情页面点击**创建密钥**。 | |
| 4. 输入密钥的名称,设置密钥的信息如下,然后点击**创建**。 | |
| - **保护级别**:**软件**或 **HSM** | |
| - **密钥材料**:**生成的密钥** | |
| - **用途**:**Symmetric encrypt/decrypt** |
qiancai
reviewed
Mar 5, 2024
encryption-at-rest.md
Outdated
| @@ -108,6 +120,81 @@ endpoint = "https://kms.us-west-2.amazonaws.com" | |||
| `key-id` 指定 KMS CMK 的密钥 ID。`region` 为 KMS CMK 的 AWS 区域名。`endpoint` 通常无需指定,除非你在使用非 AWS 提供的 AWS KMS 兼容服务或需要使用 [KMS VPC endpoint](https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html)。 | |||
|
|
|||
| 你也可以使用 AWS [多区域键](https://docs.aws.amazon.com/zh_cn/kms/latest/developerguide/multi-region-keys-overview.html)。为此,你需要在一个特定的区域设置一个主键,并在需要的区域中添加副本密钥。 | |||
| </div> | |||
|
|
|||
| <div label="GCP KMS"> | |||
There was a problem hiding this comment.
Suggested change
| <div label="GCP KMS"> | |
| <div label="Google Cloud KMS"> |
github-actions bot
pushed a commit
to qiancai/pingcap-docsite-preview
that referenced
this pull request
Mar 6, 2024
qiancai
reviewed
Mar 7, 2024
qiancai
reviewed
Mar 7, 2024
github-actions bot
pushed a commit
to qiancai/pingcap-docsite-preview
that referenced
this pull request
Mar 11, 2024
Co-authored-by: lucasliang <nkcs_lykx@hotmail.com>
LykxSassinator
approved these changes
Mar 12, 2024
|
@LykxSassinator: adding LGTM is restricted to approvers and reviewers in OWNERS files. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
18 tasks
qiancai
reviewed
Mar 13, 2024
lilin90
reviewed
Mar 14, 2024
Co-authored-by: Lilian Lee <lilin@pingcap.com>
github-actions bot
pushed a commit
to qiancai/pingcap-docsite-preview
that referenced
this pull request
Mar 15, 2024
qiancai
reviewed
Mar 18, 2024
qiancai
reviewed
Mar 18, 2024
qiancai
reviewed
Mar 18, 2024
github-actions bot
pushed a commit
to qiancai/pingcap-docsite-preview
that referenced
this pull request
Mar 18, 2024
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lilin90 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@lilin90: Please do not delete or edit you lgtm type comment! In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
qiancai
approved these changes
Mar 20, 2024
ti-chi-bot
bot
added
lgtm
and removed
needs-1-more-lgtm
github-actions bot
pushed a commit
to qiancai/pingcap-docsite-preview
that referenced
this pull request
Mar 20, 2024
qiancai
added
translation/done
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
First-time contributors' checklist
What is changed, added or deleted? (Required)
Which TiDB version(s) do your changes apply to? (Required)
Tips for choosing the affected version(s):
By default, CHOOSE MASTER ONLY so your changes will be applied to the next TiDB major or minor releases. If your PR involves a product feature behavior change or a compatibility change, CHOOSE THE AFFECTED RELEASE BRANCH(ES) AND MASTER.
For details, see tips for choosing the affected versions (in Chinese).
What is the related PR or file link(s)?
Do your changes match any of the following descriptions?