From 6ad3776c02f2393c03dec433f1aeb2ae47b319dc Mon Sep 17 00:00:00 2001 From: Ran Date: Tue, 9 Jun 2020 12:54:46 +0800 Subject: [PATCH 1/2] enclose tags to fix build failure --- encryption-at-rest.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/encryption-at-rest.md b/encryption-at-rest.md index f66ece8295f60..cd748ddd26c0c 100644 --- a/encryption-at-rest.md +++ b/encryption-at-rest.md @@ -71,7 +71,7 @@ type = "file" path = "/path/to/key/file" ``` -Here `path` is the path to the key file. The file must contain a 256 bits (or 16 bytes) key encoded as hex string, end with a newline ("\n") and contain nothing else. Example of the file content: +Here `path` is the path to the key file. The file must contain a 256 bits (or 16 bytes) key encoded as hex string, end with a newline (`\n`) and contain nothing else. Example of the file content: ``` 3b5896b5be691006e0f71c3040a29495ddcad20b14aff61806940ebd780d3c62 From 1f79a5d00d3b0b4ac9acb6c57b2d4cc70c93e854 Mon Sep 17 00:00:00 2001 From: Ran Date: Tue, 9 Jun 2020 13:07:12 +0800 Subject: [PATCH 2/2] Update encryption-at-rest.md --- encryption-at-rest.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/encryption-at-rest.md b/encryption-at-rest.md index cd748ddd26c0c..75cb2590d7f6b 100644 --- a/encryption-at-rest.md +++ b/encryption-at-rest.md 
@@ -33,7 +33,7 @@ TiKV currently supports encrypting data using AES128, AES192 or AES256, in CTR m The same master key can be shared by multiple instances of TiKV. The recommended way to provide a master key in production is via AWS KMS. Create a customer master key (CMK) through AWS KMS, and then provide the CMK key ID to TiKV in the config file. The TiKV process needs access to the KMS CMK while it is running, which can be done by using an [IAM role](https://aws.amazon.com/iam/). If TiKV fails to get access to the KMS CMK, it will fail to start or restart. If TiKV loses access to the KMS CMK while it is running, data key rotation will be temporarily disabled. Refer to AWS documentation for [KMS](https://docs.aws.amazon.com/kms/index.html) and [IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) usage. -Alternatively, if using custom key is desired, supplying the master key via file is also supported. The file needs to contain a 256 bits (or 32 bytes) key encoded as hex string. The file should end with a newline (i.e. "\n") and contain nothing else. Persisting the key on disk, however, leaks the key, so the key file is only suitable to be stored on tempfs in RAM. +Alternatively, if using custom key is desired, supplying the master key via file is also supported. The file needs to contain a 256 bits (or 32 bytes) key encoded as hex string. The file should end with a newline (i.e. `\n`) and contain nothing else. Persisting the key on disk, however, leaks the key, so the key file is only suitable to be stored on tempfs in RAM. Data keys are generated by TiKV and passed to the underlying storage engine (i.e. RocksDB). All files written by RocksDB, including SST files, WAL files, and the MANIFEST file, are encrypted by the current data key. Other temporary files used by TiKV that may include user data are also encrypted using the same data key. Data keys are automatically rotated by TiKV every week by default, but the period is configurable. 
On key rotation, TiKV does not rewrite all existing files to replace the key, but RocksDB compaction are expected to rewrite old data into new data files, with the most recent data key, if the cluster gets constant write workload. TiKV keeps track of the key and encryption method used to encrypt each of the files and use the information to decrypt the content on reads.
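Review bot: In the first hunk (encryption-at-rest.md around line 74), the key-size text is wrong and the change leaves it uncorrected: "a 256 bits (or 16 bytes) key" should read "256 bits (or 32 bytes)", which is what the second hunk's paragraph already says and what the 64-character hex example below the sentence actually encodes. Since this line is being touched anyway, fix the byte count in the same commit, and consider "a 256-bit (32-byte) key encoded as a hex string" so both occurrences match.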
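Review bot: In the second hunk (encryption-at-rest.md around line 36), the storage advice names "tempfs", which is not the filesystem's name; the RAM-backed filesystem the sentence is pointing at is "tmpfs", so the line should read "only suitable to be stored on tmpfs in RAM" (or name the mount point convention used elsewhere in the docs). The change itself, quoting `\n` in backticks so the markdown build stops choking on the literal "\n", is fine; while editing this line, "if using custom key is desired" would also read better as "if using a custom key is desired".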