-
Notifications
You must be signed in to change notification settings - Fork 6.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide a default block cipher implementation using AES. #8943
Conversation
build_tools/build_detect_platform
Outdated
#include <cstdint> | ||
#include <emmintrin.h> | ||
int main() { | ||
const auto x = _mm_set_epi32(0, 0, 0, 0); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would just roll this into the test for enabling IPPCP and don't bother with a HAVE_SSE2 flag. Unnecessary complexity IMHO.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@pdillinger that is true. Now fixed.
44ba35c
to
9a05662
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't like adding code to the base checkout without basic build and unit test coverage, with CircleCI and gtest. Can you add to db_encryption_test? Or perhaps make this the canonical configuration for environment variable ENCRYPTED_ENV=1 (when IPPCP enabled at compile time)? Can add this to CircleCI build-linux-encrypted-env.
include/rocksdb/ippcp_aes_provider.h
Outdated
// | ||
// Note: a prefix size of 4096 (4K) is chosen for optimal performance. | ||
// | ||
class IppAESCTRProvider : public EncryptionProvider { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also override GetMarker()?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
include/rocksdb/ippcp_aes_provider.h
Outdated
virtual ~IppAESCTRProvider(); | ||
|
||
private: | ||
#ifdef IPPCP |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pretty much except for ROCKSDB_LITE, we need to avoid custom ifdefs in public headers. We cannot rely on client code being compiled with our macro definitions used for compiling RocksDB.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
Wish list item: good error message if attempting to use sst_dump or ldb or DB::Open on an encrypted DB without appropriate encrypted env. |
Can we have a separate patch for this? A good error message is required even for the trivial encryption provider (ROT13) that currently exists and we need to carefully think on how to use the EncryptionProvider::GetMarker(). |
I have added IPPCP encryption provider as the canonical encryption provider for test when ENCRYPTED_ENV is set to 1 and IPPCP is detected at compile time. I have also run db_encryption_test and it passes. |
Summary: - supports AES-128, AES-192, and AES-256. - uses the CTR mode of operation. - is based on the Intel® crypto library (https://github.com/intel/ipp-crypto)
6f26e32
to
e637dca
Compare
I saw this pull request is pending for one year, are you plan to merge it in the master? If not, what's the roadmap for support encryption/decryption as part of code base? |
The latest version of this PR, implemented as a RocksDB plugin, is available here. |
RocksDB currently has no default block cipher that users can readily use, this patch addresses that. The PR is the latest version of the PR described here. The code has been refactored to make use of the new Encryption API based on object registration. The block cipher used is the AES block cipher with CTR mode of operation.
Summary: