Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add encryption meta to metapd.Region #666

Merged
merged 10 commits into from
Sep 16, 2020
Merged

Add encryption meta to metapd.Region #666

merged 10 commits into from
Sep 16, 2020

Conversation

yiwu-arbug
Copy link
Contributor

Adding encryption meta to metapb.Region. This is going to be used by PD to encrypt the start_key and end_key when persisting the Region struct.

Signed-off-by: Yi Wu yiwu@pingcap.com

Add encryption meta to metapd.Region
f3b9b9b 
Signed-off-by: Yi Wu <yiwu@pingcap.com>
@yiwu-arbug yiwu-arbug added the status/WIP Status: Working in progress label Aug 20, 2020
Yi Wu added 6 commits August 28, 2020 05:08
update encryption metadata
fe6615a 
Signed-off-by: Yi Wu <yiwu@pingcap.com>
move ciphertext_key field into Kms config
7c1e9fb 
Signed-off-by: Yi Wu <yiwu@pingcap.com>
update naming of master key backend types
35ba085 
Signed-off-by: Yi Wu <yiwu@pingcap.com>
fix typo
8b5f81a 
Signed-off-by: Yi Wu <yiwu@pingcap.com>
remove GCM tag
b367987 
Signed-off-by: Yi Wu <yiwu@pingcap.com>
move ciphertext_key
1642670 
Signed-off-by: Yi Wu <yiwu@pingcap.com>
@yiwu-arbug yiwu-arbug added status/PTAL Status: Waiting for reviewing and removed status/WIP Status: Working in progress labels Sep 9, 2020
@yiwu-arbug yiwu-arbug mentioned this pull request Sep 9, 2020
Merged
HunDunDM
HunDunDM reviewed Sep 9, 2020
View reviewed changes
Copy link
Contributor

@HunDunDM HunDunDM left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rest LGTM

proto/encryptionpb.proto Outdated Show resolved Hide resolved
Yi Wu added 2 commits September 15, 2020 11:45
remove is_encrypted
77b76dd 
Signed-off-by: Yi Wu <yiwu@pingcap.com>
Merge branch 'master' into pd_enc
c7863a9
@yiwu-arbug
Copy link
Contributor Author

updated. PTAL

HunDunDM
HunDunDM approved these changes Sep 15, 2020
View reviewed changes
Copy link
Contributor

@HunDunDM HunDunDM left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Yisaer
Yisaer approved these changes Sep 16, 2020
View reviewed changes
Copy link
Contributor

@Yisaer Yisaer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@yiwu-arbug yiwu-arbug merged commit f9473f2 into pingcap:master Sep 16, 2020
@yiwu-arbug yiwu-arbug deleted the pd_enc branch September 16, 2020 03:17
yiwu-arbug pushed a commit to tikv/pd that referenced this pull request Sep 16, 2020
Encrypt region boundary keys, Part 1 - helper functions (#2931)
0a15643 
Signed-off-by: Yi Wu <yiwu@pingcap.com>

<!--
Thank you for working on PD! Please read PD's [CONTRIBUTING](https://github.com/tikv/pd/blob/master/CONTRIBUTING.md) document **BEFORE** filing this PR.
PR Title Format:
1. pkg [, pkg2, pkg3]: what's changed
2. *: what's changed
-->

### What problem does this PR solve?

<!-- Add the issue link with a summary if it exists. -->
This is part 1 for adding TDE support to PD. pingcap/tidb#18262 It contains helper methods for encryption.

### What is changed and how it works?

This PR adds utility types and functions:
* encrypt/decrypt data using aes-ctr (for encrypting region boundary keys) and aes-gcm (for encrypting data encryption keys)
* helper methods to encrypt/decrypt region boundary keys in-place
* wrapper of master key, and helper method to read a master key (must be a 256 bit encryption key, stored as hex-string) from a local file

### Check List

<!-- Remove the items that are not applicable. -->

Tests

<!-- At least one of them must be included. -->

- Unit test

Related changes

- depends on pingcap/kvproto#666

### Release note

* No release note
daimashusheng pushed a commit to daimashusheng/kvproto that referenced this pull request Sep 2, 2021
Add encryption meta to metapd.Region (pingcap#666)
2c2e254 
Adding encryption meta to `metapb.Region`. This is going to be used by PD to encrypt the start_key and end_key when persisting the `Region` struct.

Signed-off-by: Yi Wu <yiwu@pingcap.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@HunDunDM HunDunDM HunDunDM approved these changes

@Yisaer Yisaer Yisaer approved these changes

@nolouch nolouch Awaiting requested review from nolouch

Assignees
No one assigned
Labels
status/PTAL Status: Waiting for reviewing
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@yiwu-arbug @Yisaer @HunDunDM