Support Transparent Data Encryption(TDE) for PD #18262
Assignees
Labels
feature/accepted
This feature request is accepted by product managers
Priority/P0
Features that will be implemented in the latest major/minor version
type/feature-request
This is a feature requests on the product
Projects
Milestone
Comments
scsldb
added
type/feature-request
|
I moved it to "Requirement: Scheduled", we can go-ahead the developing progress. |
11 tasks
zz-jason
changed the title
zz-jason
added
the
feature/accepted
Design docs is updated:
Moving to development. |
|
Implementation ongoing, 20% progress. |
|
Implementation almost finished. Should be able to get a workable version and start sending out PR early next week. |
yiwu-arbug
added a commit
to tikv/pd
that referenced
this issue
Sep 16, 2020
Signed-off-by: Yi Wu <yiwu@pingcap.com> <!-- Thank you for working on PD! Please read PD's [CONTRIBUTING](https://github.com/tikv/pd/blob/master/CONTRIBUTING.md) document **BEFORE** filing this PR. PR Title Format: 1. pkg [, pkg2, pkg3]: what's changed 2. *: what's changed --> ### What problem does this PR solve? <!-- Add the issue link with a summary if it exists. --> This is part 1 for adding TDE support to PD. pingcap/tidb#18262 It contains helper methods for encryption. ### What is changed and how it works? This PR adds utility types and functions: * encrypt/decrypt data using aes-ctr (for encrypting region boundary keys) and aes-gcm (for encrypting data encryption keys) * helper methods to encrypt/decrypt region boundary keys in-place * wrapper of master key, and helper method to read a master key (must be a 256 bit encryption key, stored as hex-string) from a local file ### Check List <!-- Remove the items that are not applicable. --> Tests <!-- At least one of them must be included. --> - Unit test Related changes - depends on pingcap/kvproto#666 ### Release note * No release note
|
No much progress this week, but the second PR (2/4) is closed to merge. |
|
Sent the third PR (3/4) earlier the week. Awaiting review. |
This was referenced Aug 12, 2021
7 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
In TiDB 4.0 we introduce encryption-at-rest support to TiKV. However, it doesn’t provide full encryption-support to the whole TiDB cluster. This is because PD also store a small amount of user data. At the very least, PD store region boundaries in PD, which may contain user data when the keys are index keys. We propose to encrypt all key-values that stored in etcd cluster in PD, so we can have peace of mind without checking every time we store a new type of data in PD.
Category
Feature、Security
Design
- Docs
Value
Improve system security
Schedule
GanttStart: 2020-07-04
GanttDue: 2020-11-28
GanttProgress: 5%
The text was updated successfully, but these errors were encountered: