Apache Ignite Documentation

Transparent Data Encryption

Overview

Ignite 2.7 introduces transparent data encryption (TDE), which allows users to encrypt their data at rest.

When Ignite Persistence is turned on, encryption can be enabled per cache/table, in which case the following data will be encrypted:

  • Data on disk
  • WAL records

If you enable cache/table encryption, Ignite will generate a key (called the cache encryption key) and will use this key to encrypt/decrypt the data of the cache. The cache encryption key is held in the system cache and cannot be accessed by users. When the key needs to be sent to other nodes or saved to disk (when the node goes down), it is encrypted using the user-provided key, called the master key.

The master key must be specified via the configuration in every server node.

Ignite uses JDK-provided encryption algorithms: "AES/CBC/PKCS5Padding" for WAL records encryption and "AES/CBC/NoPadding" for memory page encryption. To learn more about implementation details, see KeystoreEncryptionSpi.

Configuration

To enable encryption in the cluster, provide a master key in the configuration of each server node. A configuration example is shown below.

XML:

<bean id="ignite.cfg" class="org.apache.ignite.configuration.IgniteConfiguration"> 
    <!-- We need to configure EncryptionSpi to enable encryption feature. --> 
    <property name="encryptionSpi"> 
        <!-- Using EncryptionSpi implementation based on java keystore. --> 
        <bean class="org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi"> 
            <!-- Path to the keystore file. --> 
            <property name="keyStorePath" value="ignite_keystore.jks" /> 
            <!-- Password for keystore file. --> 
            <property name="keyStorePassword" value="mypassw0rd" /> 
            <!-- Name of the key in keystore to be used as a master key. --> 
            <property name="masterKeyName" value="ignite.master.key" /> 
            <!-- Size of the cache encryption keys in bits. Can be 128, 192, or 256 bits.--> 
            <property name="keySize" value="256" /> 
        </bean> 
    </property> 
    <!-- rest of configuration -->
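</bean>

Java:

import org.apache.ignite.configuration.IgniteConfiguration;
import org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi;

IgniteConfiguration cfg = new IgniteConfiguration();
cfg.setIgniteInstanceName("encrypted-instance");

KeystoreEncryptionSpi encSpi = new KeystoreEncryptionSpi();

// Path to the keystore file; the master key name is left at the SPI default.
encSpi.setKeyStorePath("/home/user/ignite-keystore.jks");
// The keystore password is passed as a char[].
encSpi.setKeyStorePassword("secret".toCharArray());

cfg.setEncryptionSpi(encSpi);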

When the master key is set up, you can enable encryption for a cache as follows:

XML:

<bean id="cache.cfg" 
      class="org.apache.ignite.configuration.CacheConfiguration"> 
    <property name="name" value="encrypted-cache"/> 
    <property name="encryptionEnabled" value="true"/> 
</bean>

Java:

CacheConfiguration<Long, String> ccfg = new CacheConfiguration<Long, String>("encrypted-cache");

ccfg.setEncryptionEnabled(true);

// ignite is an already started Ignite node.
ignite.createCache(ccfg);

SQL:

CREATE TABLE encrypted(
  ID BIGINT, 
  NAME VARCHAR(10), 
  PRIMARY KEY (ID)) 
WITH "ENCRYPTED=true";

Master Key Generation Example

A keystore with a master key can be created using the keytool as follows:

user:~/tmp:[]$ java -version
java version "1.8.0_161"
Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)

user:~/tmp:[]$ keytool -genseckey \
-alias ignite.master.key \
-keystore ./ignite_keystore.jks \
-storetype PKCS12 \
-keyalg aes \
-storepass mypassw0rd \
-keysize 256

user:~/tmp:[]$ keytool \
-storepass mypassw0rd \
-storetype PKCS12 \
-keystore ./ignite_keystore.jks \
-list

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

ignite.master.key, 07.11.2018, SecretKeyEntry, 
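
A pre-flight check for the keystore produced by the keytool commands above, added here as an example (it is not code from the Ignite project or from this documentation): it confirms that the master key alias exists, is a secret-key entry, and is an AES key of a valid length before a node is started with it. The class and method names are hypothetical, the password and temporary keystore in main are constructed sample values, and only the JDK's java.security.KeyStore API is used.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Key;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;

// Hypothetical helper class, not part of Ignite: validates the master key before node start.
public class MasterKeyPreflight {
    /** Returns null when the keystore holds a usable AES master key, else the reason it does not. */
    static String check(Path path, char[] storePass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, storePass); // throws IOException on a wrong password or damaged file
        }
        if (!ks.containsAlias(alias))
            return "alias '" + alias + "' not found";
        if (!ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class))
            return "'" + alias + "' is not a SecretKeyEntry";
        Key key = ks.getKey(alias, storePass);
        if (!"AES".equalsIgnoreCase(key.getAlgorithm()))
            return "algorithm is " + key.getAlgorithm() + ", expected AES";
        int bits = key.getEncoded().length * 8;
        if (bits != 128 && bits != 192 && bits != 256)
            return "unexpected AES key length: " + bits + " bits";
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway keystore in a temp file so the check runs offline.
        char[] pass = "example-only".toCharArray();
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(256);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setEntry("ignite.master.key", new KeyStore.SecretKeyEntry(gen.generateKey()),
            new KeyStore.PasswordProtection(pass));
        Path tmp = Files.createTempFile("ignite_keystore", ".p12");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            ks.store(out, pass);
        }
        for (String alias : new String[] {"ignite.master.key", "ignite.master"}) {
            String problem = check(tmp, pass, alias);
            System.out.println(alias + ": " + (problem == null ? "OK" : problem));
        }
        Files.delete(tmp);
    }
}
```

To check a real keystore, call check with the same path, password and alias that are set as keyStorePath, keyStorePassword and masterKeyName in the node configuration.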

Source Code Example
