Skip to content

Latest commit

 

History

History
56 lines (41 loc) · 2.49 KB

encryption.adoc

File metadata and controls

56 lines (41 loc) · 2.49 KB
Raw

Encryption (Enterprise Edition Feature)

Chronicle Queue Enterprise introduces the ability to encrypt the contents of your queues.

Important
 Encrypted queues are written to disk in their encrypted state i.e. the data is encrypted at rest.

Encrypted queues are replicated in their encrypted state.

The same encryption key must be available when accessing these encrypted queue files.

All standard AES key lengths (AES-128, AES-192, or AES-256 bits) are supported by default. To encrypt messages use SingleChronicleQueueBuilder.aesEncryption() method when creating a queue and pass a key with length 128 or 192 or 256 bits as the argument (byte[] keyBytes). The AES key length is determined based on the length of the keyBytes argument in the aesEncryption() method. The following example creates a queue encrypted with AES-128.

Creating encrypted queue
// A 128-bit key for AES-128, use 192 or 256 bits key for AES-192 and AES-256 respectively.
private static final byte[] SECURE_KEY = {(byte) 0x45, (byte) 0x83, (byte) 0x78, (byte) 0x33, (byte) 0x21, (byte) 0x95,        (byte) 0xA5, (byte) 0xCA, (byte) 0x12, (byte) 0x44, (byte) 0xFF, (byte) 0xD3, (byte) 0x04, (byte) 0x9A,                (byte) 0xB2, (byte) 0x77};

try (ChronicleQueue queue = SingleChronicleQueueBuilder.builder()
          .path("queueDirectory")
          .aesEncryption(SECURE_KEY)
          .build()) {
                 ...
        }

If you have Chronicle-Queue-Enterprise in your class path you can set a salt e.g.

try (ChronicleQueue queue = SingleChronicleQueueBuilder.builder()
          ...
          .aesEncryption(SECURE_KEY)
          .messageHeader(MessageHeader.SALT_TIMESTAMP, MessageHeader.SALT_TIMESTAMP)
          ...

There are a number of salt functions available to you including SALT_TIMESTAMP, SALT_64, SALT_128 or you can implement your own.

Customer specified encryption

You can supply a bespoke encryption method to encrypt your messages using, perhaps, a more complex encryption method.

For example, you could perhaps combine encryption with salting, and/or compression.

Another example could be to write simple custom code that will encrypt the more important messages, while saving on overhead by not encrypting unimportant messages.

To enable this form of queue encryption, specify codingSuppliers at queue build time and supply the bespoke encryption method.