Content can be stored encrypted in STageR. When enabled, STageR encrypts with the aes-256-cbc algorithm of the Node.js crypto library, using an Initialization Vector (IV) and a Data Encryption Key (DEK) provided by a key manager. Content is encrypted at the scope level, and an enckeyid tag is added to each encrypted content scope so that the DEK used for it can be looked up again.
The option can be enabled or disabled per Storage Unit through the Administration API:
```
PUT admin/enableContentEncryption/<storage-unit>/<true-false>
```
A key manager is a pluggable module that provides data encryption keys (DEKs) to the application. Its internal implementation is up to the user's needs; the module only has to provide a way to obtain a DEK given an enckeyid. The basic key manager looks like this:
```javascript
var crypto = require('crypto')

// Basic key manager: a single master DEK passed in as options.masterKey.
function basicKeyManager (options) {
  var masterKey
  if (!options.masterKey) {
    throw new Error('options.masterKey is required')
  }
  masterKey = options.masterKey
  return {
    generateiv: function () {
      // IV needs to be 16 bytes
      return crypto.randomBytes(16).toString('base64')
    },
    // Only one key id exists for this manager.
    generateKeyId: function () {
      return 'localKey'
    },
    // Return the DEK for a given enckeyid, or an error for an unknown id.
    getDek: function (storageUnitName, key, callback) {
      if (key === 'localKey') {
        return callback(null, masterKey)
      } else {
        return callback(new Error('Invalid Dek key: ' + key))
      }
    }
  }
}

module.exports = basicKeyManager
```
Key Manager Implementation Options
STageR provides three base key manager implementations.
1 - Basic
Uses a single main DEK, set as a configurable parameter.
Configuration:
```javascript
keyManager: {
  type: 'basic',
  basic: {
    masterKey: 'MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMzI='
  }
}
```
2 - File Based
Main key
A file contains the list of main keys used to encrypt the DEKs, which in turn encrypt the content. A finite (configurable) number of DEKs per Storage Unit is stored in a Mongo collection (DEK). Each DEK record stores the encrypted DEK, the version of the main key and the IV used to encrypt the DEK. The main key file location is set as a configurable parameter of this key manager.
File example (one key per line):
```
MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTE= 9
MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI 5
MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTM 7
```
Configuration:
```javascript
keyManager: {
  type: 'filebased',
  keysNumber: 1000,
  filebased: {
    masterKeyLocation: 'config/MasterKey.txt'
  }
}
```
3 - Hadoop KMS
Uses the Hadoop Key Management Server (KMS) for DEK encryption. Starting from a main key held in KMS, the key manager generates new keys that are used to encrypt the DEKs. A finite (configurable) number of DEKs per Storage Unit is stored in a Mongo collection (DEK). Each DEK record stores the encrypted DEK, the IV, the main key and the proxy key/IV pair from KMS that were used to encrypt the DEK.
Configuration:
```javascript
keyManager: {
  type: 'clouderakms',
  keysNumber: 1000,
  clouderakms: {
    masterKey: 'master_key_1',
    server: 'server-name',
    port: '16000',
    user: 'hdfs',
    sslEnabled: true,
    sslOptions: {
      keyLocation: './config/sslcerts/kms/sr_client_key.pem',
      certLocation: './config/sslcerts/kms/sr_client_cert.crt',
      caLocation: './config/sslcerts/kms/cacert.pem',
      passphrase: 'sibiu7$',
      requestCert: true,
      rejectUnauthorized: true
    }
  }
}
```