8000 Encryption key rotation by graetzer · Pull Request #11080 · arangodb/arangodb · GitHub
[go: up one dir, main page]
Skip to content

Encryption key rotation #11080

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 18 commits into from
Mar 13, 2020
Merged

Encryption key rotation #11080

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
caa5a8c
Encryption key rotation
graetzer Feb 4, 2020
66173c5
Merge branch 'devel' of github.com:arangodb/arangodb into feature/enc…
graetzer Feb 11, 2020
e7331ad
fix log id
graetzer Feb 11, 2020
0b04bce
change some stuff
graetzer Feb 11, 2020
dec595c
add testing for re-encryption
graetzer Feb 12, 2020
955fb0c
fix community builds
graetzer Feb 12, 2020
d8615ca
Merge branch 'devel' of github.com:arangodb/arangodb into feature/enc…
graetzer Feb 12, 2020
45346a4
fix some stuff
graetzer Feb 12, 2020
df1d07a
Add DocuBlock for /_admin/server/encryption
Simran-B Feb 18, 2020
dbd3f32
Merge branch 'devel' of github.com:arangodb/arangodb into feature/enc…
graetzer Mar 9, 2020
212c209
Merge branch 'devel' of github.com:arangodb/arangodb into feature/enc…
graetzer Mar 10, 2020
3518507
adding rocksdb.encryption-keyfolder
graetzer Mar 11, 2020
f2c1f04
Merge branch 'devel' of github.com:arangodb/arangodb into feature/enc…
graetzer Mar 11, 2020
5ed670e
fix warning on gcc
graetzer Mar 12, 2020
4d07d2a
fix win32
graetzer Mar 13, 2020
283a70a
Merge branch 'devel' of github.com:arangodb/arangodb into feature/enc…
jsteemann Mar 13, 2020
e128db1
remove commented out code
jsteemann Mar 13, 2020
d791cf1
Merge branch 'devel' of github.com:arangodb/arangodb into feature/enc…
jsteemann Mar 13, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Encryption key rotation
  • Loading branch information
@graetzer
graetzer committed Feb 4, 2020
commit caa5a8c23d9f955af2c6bb7620cee5b62acae7c3
6 changes: 6 additions & 0 deletions arangod/RestHandler/RestAdminServerHandler.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,8 @@ RestStatus RestAdminServerHandler::execute() {
handleTLS();
} else if (suffixes.size() == 1 && suffixes[0] == "jwt") {
handleJWTSecretsReload();
} else if (suffixes.size() == 1 && suffixes[0] == "encryption") {
handleEncryptionKeyRotation();
} else {
generateError(rest::ResponseCode::NOT_FOUND, TRI_ERROR_HTTP_NOT_FOUND);
}
Expand Down Expand Up @@ -256,4 +258,8 @@ void RestAdminServerHandler::handleTLS() {
void RestAdminServerHandler::handleJWTSecretsReload() {
generateError(rest::ResponseCode::NOT_FOUND, TRI_ERROR_HTTP_NOT_FOUND);
}

void RestAdminServerHandler::handleEncryptionKeyRotation() {
generateError(rest::ResponseCode::NOT_FOUND, TRI_ERROR_HTTP_NOT_FOUND);
}
#endif
1 change: 1 addition & 0 deletions arangod/RestHandler/RestAdminServerHandler.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,7 @@ class RestAdminServerHandler : public RestBaseHandler {
void writeModeResult(bool);

void handleJWTSecretsReload();
void handleEncryptionKeyRotation();
};
} // namespace arangodb

Expand Down
7 changes: 7 additions & 0 deletions arangod/RocksDBEngine/RocksDBEngine.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ 10000 -350,11 +350,18 @@ class RocksDBEngine final : public StorageEngine {
void startEnterprise();
void configureEnterpriseRocksDBOptions(rocksdb::Options& options);
void validateJournalFiles() const;

Result readUserEncryptionIV(std::string& out);

enterprise::RocksDBEngineEEData _eeData;

public:
std::string const& getEncryptionKey();

std::string const& getEncryptedIVFile();

Result rotateEncryptionKey();

#endif
private:
// activate generation of SHA256 files to parallel .sst files
Expand Down
2 changes: 1 addition & 1 deletion lib/Basics/StringUtils.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -165,7 +165,7 @@ static inline char tolower(char c) {
}

static inline unsigned char tolower(unsigned char c) {
return c + ((c - 65U < 26U) << 5);
return static_cast<unsigned char>(c + ((c - 65U < 26U) << 5));
}

static inline char toupper(char c) {
Expand Down
2 changes: 0 additions & 2 deletions lib/Basics/VelocyPackHelper.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,8 +60,6 @@
#include "Basics/memory.h"
#include "Basics/system-compiler.h"
#include "Logger/LogMacros.h"
#include "Logger/Logger.h"
#include "Logger/LoggerStream.h"

extern "C" {
unsigned long long XXH64(const void* input, size_t length, unsigned long long seed);
Expand Down
22 changes: 14 additions & 8 deletions lib/V8/v8-buffer.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -712,7 +712,8 @@ void V8Buffer::replace(v8::Isolate* isolate, char* data, size_t length,
memcpy(_data, data, _length);
}

isolate->AdjustAmountOfExternalAllocatedMemory(sizeof(V8Buffer) + _length + SAFETY_OVERHEAD);
int64_t bytesToChange = (int64_t)(sizeof(V8Buffer) + _length + SAFETY_OVERHEAD);
isolate->AdjustAmountOfExternalAllocatedMemory(bytesToChange);
} else {
_data = NULL;
}
Expand Down Expand Up @@ -808,9 +809,12 @@ static void JS_Ucs2Slice(v8::FunctionCallbackInfo<v8::Value> const& args) {
if (!sliceArgs(isolate, args[0], args[1], parent, start, end)) {
return;
}

std::vector<uint16_t> buffer;
buffer.resize((end - start) / 2);
memcpy(buffer.data(), parent->_data + start, (end - start));

uint16_t* data = (uint16_t*)(parent->_data + start);
TRI_V8_RETURN(TRI_V8_STRING_UTF16(isolate, data, (end - start) / 2));
TRI_V8_RETURN(TRI_V8_STRING_UTF16(isolate, buffer.data(), buffer.size()));
}

////////////////////////////////////////////////////////////////////////////////
Expand All @@ -829,7 +833,7 @@ static void JS_HexSlice(v8::FunctionCallbackInfo<v8::Value> const& args) {
}

char* src = parent->_data + start;
uint32_t dstlen = (end - start) * 2;
uint32_t dstlen = static_cast<size_t>(end - start) * 2;

if (dstlen == 0) {
TRI_V8_RETURN(v8::String::Empty(isolate));
Expand Down Expand Up @@ -948,7 +952,7 @@ static void JS_Fill(v8::FunctionCallbackInfo<v8::Value> const& args) {
return;
}

memset((void*)(parent->_data + start), value, end - start);
memset((void*)(parent->_data + start), value, static_cast<size_t>(end - start));

TRI_V8_RETURN_UNDEFINED();
}
Expand Down Expand Up @@ -1079,11 +1083,13 @@ static void JS_Ucs2Write(v8::FunctionCallbackInfo<v8::Value> const& args) {
: TRI_GET_UINT32(args[2]);

max_length = MIN(buffer->_length - offset, max_length) / 2;

uint16_t* p = (uint16_t*)(buffer->_data + offset);

std::vector<uint16_t> ucs2;
ucs2.resize(max_length);
memcpy(ucs2.data(), buffer->_data + offset, max_length);

int written =
s->Write(isolate, p, 0, (int)max_length,
s->Write(isolate, ucs2.data(), 0, (int)max_length,
(v8::String::HINT_MANY_WRITES_EXPECTED | v8::String::NO_NULL_TERMINATION));

TRI_V8_RETURN(v8::Integer::New(isolate, written * 2));
Expand Down
1 change: 0 additions & 1 deletion lib/V8/v8-utils.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2063,7 +2063,6 @@ static void JS_Load(v8::FunctionCallbackInfo<v8::Value> const& args) {
TRI_V8_LOG_THROW_EXCEPTION(tryCatch);
} else {
tryCatch.ReThrow();
TRI_GET_GLOBALS();
v8g->_canceled = true;
TRI_V8_RETURN_UNDEFINED();
}
Expand Down
0