security: Encrypt region boundary keys, Part 4 - KMS

[yiwu-arbug]

What problem does this PR solve?

This is part 4 for adding TDE support to PD. pingcap/tidb#18262 This PR supports AWS KMS as master key.

What is changed and how it works?

The previous PR in the series support storing master key as a file. This is only suitable for testing. For production this is insecure. This PR supports using AWS KMS as master key. KMS is a service holds an encryption key (called a CMK), and provide API to encrypt and decrypt data using the encryption key, without exposing the key itself. We only use two of its interfaces:

  GenerateDataKey() (plaintextKey, ciphertextKey),
  Decrypt(ciphertextKey) plaintextKey,

GenerateDataKey() generates an encryption key from the CMK, returning both the plaintext key, and the key after encrypted by the CMK (the ciphertext key). Decrypt() can then used to decrypt the ciphertext key. We could use the KMS data key as our data key, but on PD restart we would need to decrypt the data keys one by one, and AWS KMS doesn't provide a batch API. Instead we use the KMS data key as our master key. So here's another layer of envelope encryption.

KMS CMK (hold by KMS, never exposed to us)
↓ encrypts
KMS data key (a.k.a PD master key)
↓ encrypts
PD data key

When PD persist data keys (after key rotation):

1. Call GenerateDataKey to obtain a new KMS data key (plaintext and ciphertext key pair), use it to encrypt the PD data keys
2. Store the encrypted data keys to etcd, along with the ciphertext key returned by KMS. discard the plaintext key.

When PD restart, or is notified of change to the keys through watcher:

1. load the encrypted data keys from etcd, which contains the ciphertext key.
2. call Decrypt to restore plaintext KMS data key from the ciphertext key.
3. decrypt PD data keys using the plaintext key.

This PR only support AWS KMS, but in the future we need to support other KMS services (e.g. GCP KMS). The vender field in encryptionpb.MasterKey is used for forward compatibility - we will fail if the field is not "AWS".

Check List

Tests

• New unit test
• Manual test with sysbench on a tidb cluster, with KMS key.

Related changes

• part 1 security: Encrypt region boundary keys, Part 1 - helper functions #2931, part 2 security: Encrypt region boundary keys, Part 2 - server changes #2976, part 3 security: Encrypt region boundary keys, Part 3 - key manager #3060

Release note

• No release note

[HunDunDM]

/run-all-tests

[Yisaer]

LGTM

[Yisaer]

/merge

[ti-chi-bot]

@Yisaer: It seems you want to merge this PR, I will help you trigger all the tests:

/run-all-tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the tidb-community-bots/prow-config repository.

[ti-chi-bot]

@Yisaer: adding 'status/can-merge' to this PR must have 2 LGTMs

In response to this:

/merge

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the tidb-community-bots/prow-config repository.

[Yisaer]

LGTM

[Yisaer]

/merge

[ti-chi-bot]

@Yisaer: It seems you want to merge this PR, I will help you trigger all the tests:

/run-all-tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the tidb-community-bots/prow-config repository.

[ti-chi-bot]

Can merge label has been added.

Git tree hash: 7480d5d

[yiwu-arbug]

/merge

[ti-chi-bot]

@yiwu-arbug: It seems you want to merge this PR, I will help you trigger all the tests:

/run-all-tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the tidb-community-bots/prow-config repository.

[ti-chi-bot]

@yiwu-arbug: you cannot merge your own PR.

In response to this:

/merge

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the tidb-community-bots/prow-config repository.

[HunDunDM]

/run-integration-ddl-test

[HunDunDM]

/merge

[ti-chi-bot]

@HunDunDM: It seems you want to merge this PR, I will help you trigger all the tests:

/run-all-tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the tidb-community-bots/prow-config repository.

[HunDunDM]

/run-integration-lightning-test