storageccl: provide a mechanism to verify the age of all data-keys required to decrypt data in the store for EAR. #80535
Labels:
C-enhancement: Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)
T-storage: Storage Team
X-nostale: Marks an issue/pr that should be ignored by the stale bot
Is your feature request related to a problem? Please describe.
When rotating data-keys, the background is that we rely on "storage engine churn" to decrypt and re-encrypt data when there are upserts/compactions. However, it is hard to verify the current state of encrypted data.
Currently it is not possible to identify the age of all data-keys that exist for a given store. We would like to be able to see metadata about all keys still required to decrypt data.
Describe the solution you'd like
Update the endpoint https://localhost:8080/#/reports/stores/1 to provide metadata on all keys required to decrypt data.
Describe alternatives you've considered
Checking the timestamps of .SST files to establish the age of the oldest .SST file and then considering this to be the age of the "oldest" data-key + key rotation period.
Additional context
Made this as an example, hopefully there is better terminology for old data-keys:
Jira issue: CRDB-15358
Epic CRDB-16419
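The alternative described in the issue (oldest .SST timestamp plus the key rotation period), sketched as an added example that is not part of the original issue or of CockroachDB's code. The function names, the 7-day rotation period and the 30-day limit are illustrative assumptions, and file mtime is assumed to approximate the time the SST was written.

```python
import os
import time
from dataclasses import dataclass
from datetime import timedelta


@dataclass
class SSTKeyAgeBound:
    path: str
    file_age: timedelta      # now - mtime
    max_key_age: timedelta   # file_age + rotation period (upper bound)


def sst_key_age_bounds(store_dir, rotation_period, now=None):
    """Upper-bound the age of the data key behind every .sst under store_dir.

    Assumption: an SST is encrypted with the data key that was active when
    the file was written, and that key was at most `rotation_period` old at
    that moment. mtime stands in for the write time, so files copied or
    restored without preserved timestamps look newer than they really are.
    """
    now = time.time() if now is None else now
    bounds = []
    for root, _dirs, files in os.walk(store_dir):
        for name in files:
            if not name.lower().endswith(".sst"):
                continue
            path = os.path.join(root, name)
            try:
                mtime = os.stat(path).st_mtime
            except FileNotFoundError:
                continue  # compacted away between listing and stat
            file_age = timedelta(seconds=max(0.0, now - mtime))
            bounds.append(SSTKeyAgeBound(path, file_age, file_age + rotation_period))
    # Oldest first: bounds[0] is the store-wide worst case.
    bounds.sort(key=lambda b: b.max_key_age, reverse=True)
    return bounds


def files_exceeding(bounds, max_allowed_key_age):
    """SSTs that may still need a data key older than the allowed age."""
    return [b for b in bounds if b.max_key_age > max_allowed_key_age]


if __name__ == "__main__":
    import sys
    # Illustrative values: 7-day rotation period, 30-day maximum key age.
    report = sst_key_age_bounds(sys.argv[1], rotation_period=timedelta(days=7))
    for b in files_exceeding(report, timedelta(days=30)):
        print(f"{b.max_key_age.days:>5}d  {b.path}")
```

The result is only an upper bound inferred from file timestamps; it does not read key metadata, which is the gap the requested endpoint change would close.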