Add encryption-at-rest document #3928
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
TomShawn
added
translation/from-docs
ran-huang
reviewed
Jul 9, 2020
|
@TomShawn @ran-huang great thanks for helping! |
yiwu-arbug
reviewed
Jul 9, 2020
yiwu-arbug
reviewed
Jul 9, 2020
yiwu-arbug
reviewed
Jul 9, 2020
yiwu-arbug
reviewed
Jul 9, 2020
yiwu-arbug
reviewed
Jul 9, 2020
yiwu-arbug
reviewed
Jul 9, 2020
yiwu-arbug
reviewed
Jul 9, 2020
yiwu-arbug
reviewed
Jul 9, 2020
yiwu-arbug
reviewed
Jul 9, 2020
yiwu-arbug
reviewed
Jul 9, 2020
encryption-at-rest.md
Outdated
|
|
||
| 数据密钥由 TiKV 生成并传递给底层存储引擎(即 RocksDB)。RocksDB 写入的所有文件,包括 SST 文件,WAL 文件和 MANIFEST 文件,均由当前数据密钥加密。TiKV 使用的其他临时文件(可能包括用户数据)也由相同的数据密钥加密。默认情况下,TiKV 每周自动轮换数据密钥,但是该时间段是可配置的。密钥轮换时,TiKV 不会重写全部现有文件来替换密钥,但如果集群的写入量恒定,则 RocksDB 压缩会将带有最新数据密钥的旧数据重写进新数据文件。TiKV 跟踪密钥和加密方法,并使用密钥信息对读取的内容进行解密。 | ||
|
|
||
| 无论采用哪种数据加密方法,数据密钥都使用 AES256 在 GCM 模式下进行加密,以进行其他身份验证。所以使用文件而不是 KMS 传递密钥时,主密钥必须为 256位(32字节)。 |
There was a problem hiding this comment.
Suggested change
| 无论采用哪种数据加密方法,数据密钥都使用 AES256 在 GCM 模式下进行加密,以进行其他身份验证。所以使用文件而不是 KMS 传递密钥时,主密钥必须为 256位(32字节)。 | |
| 无论用户配置了哪种数据加密方法,数据密钥都使用 AES256-GCM 算法进行加密,以方便对主密钥进行验证。所以当使用文件而不是 KMS 方式指定主密钥时,主密钥必须为 256位(32字节)。 |
yiwu-arbug
reviewed
Jul 9, 2020
encryption-at-rest.md
Outdated
| data-key-rotation-period = 7d | ||
| ``` | ||
|
|
||
| `data-encryption-method` 的可选值为 `aes128-ctr`、`aes192-ctr`、`aes256-ctr` 和 `plaintext`。默认值为 `plaintext`,即默认不开启加密功能。`data-key-rotation-period` 指定 TiKV 轮换密钥的频率。可以为新 TiKV 群集或现有 TiKV 群集开启加密,尽管只保证启用后写入的数据才能被加密。要禁用加密,请在配置文件中删除 `data-encryption-method`,或将该参数值为 `plaintext`,然后重启 TiKV。 |
There was a problem hiding this comment.
Suggested change
| `data-encryption-method` 的可选值为 `aes128-ctr`、`aes192-ctr`、`aes256-ctr` 和 `plaintext`。默认值为 `plaintext`,即默认不开启加密功能。`data-key-rotation-period` 指定 TiKV 轮换密钥的频率。可以为新 TiKV 群集或现有 TiKV 群集开启加密,尽管只保证启用后写入的数据才能被加密。要禁用加密,请在配置文件中删除 `data-encryption-method`,或将该参数值为 `plaintext`,然后重启 TiKV。 | |
| `data-encryption-method` 的可选值为 `aes128-ctr`、`aes192-ctr`、`aes256-ctr` 和 `plaintext`。默认值为 `plaintext`,即默认不开启加密功能。`data-key-rotation-period` 指定 TiKV 轮换密钥的频率。可以为新 TiKV 群集或现有 TiKV 群集开启加密,但只有启用后写入的数据才保证被加密。要禁用加密,请在配置文件中删除 `data-encryption-method`,或将该参数值为 `plaintext`,然后重启 TiKV。 |
yiwu-arbug
reviewed
Jul 9, 2020
yiwu-arbug
reviewed
Jul 9, 2020
encryption-at-rest.md
Outdated
|
|
||
| `data-encryption-method` 的可选值为 `aes128-ctr`、`aes192-ctr`、`aes256-ctr` 和 `plaintext`。默认值为 `plaintext`,即默认不开启加密功能。`data-key-rotation-period` 指定 TiKV 轮换密钥的频率。可以为新 TiKV 群集或现有 TiKV 群集开启加密,尽管只保证启用后写入的数据才能被加密。要禁用加密,请在配置文件中删除 `data-encryption-method`,或将该参数值为 `plaintext`,然后重启 TiKV。 | ||
|
|
||
| 如果启用了加密(即 `data-encryption-method` 的值不是 `plaintext`),则必须指定主密钥。要将 AWS KMS CMK 指定为主密钥,请在`[security.encryption]` 部分之后添加 `[security.encryption.master-key]` 部分: |
There was a problem hiding this comment.
Suggested change
| 如果启用了加密(即 `data-encryption-method` 的值不是 `plaintext`),则必须指定主密钥。要将 AWS KMS CMK 指定为主密钥,请在`[security.encryption]` 部分之后添加 `[security.encryption.master-key]` 部分: | |
| 如果启用了加密(即 `data-encryption-method` 的值不是 `plaintext`),则必须指定主密钥。要使用 AWS KMS 方式指定为主密钥,请在`[security.encryption]` 部分之后添加 `[security.encryption.master-key]` 部分: |
yiwu-arbug
reviewed
Jul 9, 2020
yiwu-arbug
reviewed
Jul 9, 2020
yiwu-arbug
reviewed
Jul 9, 2020
yiwu-arbug
reviewed
Jul 9, 2020
yiwu-arbug
reviewed
Jul 9, 2020
@yiwu-arbug Do you mean adding a link to encryption-at-rest.md in what's new in 4.0 L84? |
yes. I deleted it in #3622. Let's add it back now. |
|
@ran-huang, @yiwu-arbug, PTAL. |
|
@yiwu-arbug All comments are addressed. PTAL again, thanks! |
|
|
@yiwu-arbug PTAL |
ran-huang
approved these changes
Jul 13, 2020
ti-srebot
approved these changes
Jul 13, 2020
|
@yiwu-arbug,Thanks for your review. However, LGTM is restricted to Reviewers or higher roles.See the corresponding SIG page for more information. Related SIGs: docs(slack). |
TomShawn
commented
Jul 14, 2020
TomShawn
added
the
status/can-merge
|
@TomShawn Oops! This PR requires at least 2 LGTMs to merge. The current number of |
TomShawn
added
require-LGT1
|
/run-all-tests |
ti-srebot
pushed a commit
to ti-srebot/docs-cn
that referenced
this pull request
Jul 14, 2020
Signed-off-by: ti-srebot <[email protected]>
5 tasks
|
cherry pick to release-4.0 in PR #3964 |
TomShawn
added a commit
that referenced
this pull request
Jul 14, 2020
Signed-off-by: ti-srebot <[email protected]> Co-authored-by: TomShawn <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What is changed, added or deleted? (Required)
Which TiDB version(s) do your changes apply to? (Required)
What is the related PR or file link(s)?