-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Design Proposal] Client Side Encryption in OpenSearch #6633
Comments
Tagging @elfisher @muralikpbhat @reta @mch2 @dreamer-89 @andrross @Bukhtawar @sachinpkale @itiyamas @dblock @shwetathareja @saratvemulapalli @ashking94 for feedback. Pls do tag others who can review this. |
This looks sound. Could you please provide a bit of information on 1) key rotation, 2) using multiple keys, 3) interactions with snapshots? |
@dblock I have intentionally left this out because I am thinking of exposing key provider as an extension of the core plugin (3rd point of High Level Design under crypto support). With this approach, any type of key providers can be plugged in such as KMS key based provider with 7 days of key rotation policy. So, the responsibility of this plugin becomes solely to encrypt or decrypt content given a data key. |
@vikasvb90 Makes a lot of sense. Do we have a proposal for a KMS provider yet? |
This doc proposes low level design details to provide client side encryption in OpenSearch. For more information about the feature goals, please refer the Feature Doc.
High Level Details
Following are some high level steps involved in encryption and decryption:
Crypto support can therefore be designed into 3 parts :
Architecture
Low Level Details
This plugin should work on top of InputStream(s) and should wrap the provided InputStream(s) with it’s own stream(s) responsible for encryption or decryption of the read buffer. This will allow caller to further decorate the stream for any other processing work needed to be done on the read buffer.
Plugin shouldn’t depend on the type of content to be encrypted or decrypted and should function independently. No context of segements, translogs or Lucene directories should be present within the plugin.
We propose the following capabilities for the plugin :
Encryption of entire file referenced by a stream
A mandatory feature offered by the plugin to provide an encrypting stream supplier responsible for supplying raw input stream wrapped with encrypting input stream.
Decryption of entire file referenced by a stream
A mandatory feature offered by the plugin to provide a decrypting stream supplier responsible for supplying raw input stream wrapped with decrypting input stream.
Estimation of total length of the encrypted content
In some cases like remote transfers of data it is essential to know the length of the content before actually processing the content. To support such cases, plugin should support pre-computation of length of the encrypted stream.
Encryption/Decryption of a particular part of a file referenced by a stream
There can be cases where encryption or decryption of only a portion of the content is required. Plugin can provide capability to support such cases. These can be optional features supported by the plugin and methods can be exposed to indicate if these features are supported.
Estimation of sizes of different parts of the encrypted or decrypted content of the file being streamed
To support encryption/decryption of partial content, determining size of the content to be encrypted or decrypted becomes essential in some scenarios. If plugin supports processing partial content then this becomes a mandatory feature to be supported in the plugin.
Performance Results
On carrying out some performance runs on POC code providing capability of encrypt and upload operation of multiple parts of a file in parallel, we obtained following results :
Note: Observations below are taken from prolonged runs (>15min) of repeated transfer of a file.
Instance Type : m5.2xlarge
Without encryption
With encryption
Observations
Following can be deduced from the tables :
The text was updated successfully, but these errors were encountered: