Type: Task
Resolution: Unresolved
Priority: Major - P3
None
Affects Version/s: None
Component/s: None
None
Storage Engines - Foundations
SE Foundations - Q4+ Backlog
8
Identified while looking with shreyas.kalyan@mongodb.com. PALI automatically encrypts/decrypts all data that comes in through pl_handle_put or pl_handle_get.
    auto swEncryptedBody = encryptor->encrypt(std::move(encryptParams));
    if (!swEncryptedBody.isOK()) {
        LOGV2_FATAL_NOTRACE(
            10985449,
            "paliPhylogInsert: Failed to encrypt log entry to send to pageLogProvider",
            "function"_attr = func,
            "tableId"_attr = tableId,
            "pageId"_attr = pageId,
            "backlinkLSN"_attr = backlinkLsn,
            "baseLSN"_attr = baseLsn,
            "updateType"_attr = pageservice::v1::UpdateType_Name(updateType),
            "size"_attr = buf ? buf->size : 0,
            "rawSize"_attr = rawSizeOpt.get_value_or(-1),
            "error"_attr = swEncryptedBody.getStatus());
    }
WiredTiger has the key provider and shared turtle tables, which need to bypass this encryption. Having an encrypted shared key provider table means that we can't start up the database again, as we don't have the original KEK anymore.
Solution
Have the PALI call rely on a flag to determine whether to encrypt or not. WiredTiger has WT_PAGE_LOG_ENCRYPTED, which we can both bandwagon on for this functionality.
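
A toy model of the flag-gated put/get proposed above, added here as an illustration; it is not PALI or WiredTiger code. ToyPageLog, toyCrypt, restartSucceeds and the flag's bit value are hypothetical, the XOR routine stands in for the real encryptor, and the model assumes the decryption key can only be recovered by reading the key provider page.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <stdexcept>
#include <vector>

// Assumed bit value for illustration; WiredTiger defines the real WT_PAGE_LOG_ENCRYPTED.
constexpr uint32_t kPageLogEncrypted = 0x1u;
using Bytes = std::vector<uint8_t>;

// Stand-in for the real encryptor: single-byte XOR, not real cryptography.
Bytes toyCrypt(Bytes data, uint8_t key) {
    for (auto& b : data) b ^= key;
    return data;
}

struct StoredPage { Bytes body; uint32_t flags; };

class ToyPageLog {  // hypothetical model, not PALI's interface
public:
    bool hasKey = false;  // false until the key provider page has been read
    uint8_t key = 0;
    void put(uint64_t pageId, const Bytes& body, uint32_t flags) {
        bool enc = (flags & kPageLogEncrypted) != 0;
        if (enc && !hasKey) throw std::runtime_error("put: no key");
        _pages[pageId] = StoredPage{enc ? toyCrypt(body, key) : body, flags};
    }
    Bytes get(uint64_t pageId) const {
        const StoredPage& p = _pages.at(pageId);
        if (!(p.flags & kPageLogEncrypted)) return p.body;  // bypass path
        if (!hasKey) throw std::runtime_error("get: no key");
        return toyCrypt(p.body, key);
    }
private:
    std::map<uint64_t, StoredPage> _pages;
};

// Writes a key provider page and a data page, drops the key (restart), then recovers.
bool restartSucceeds(uint32_t keyTableFlags) {
    ToyPageLog log;
    log.key = 0x5A; log.hasKey = true;
    log.put(1, Bytes{0x5A}, keyTableFlags);  // constructed key provider page
    log.put(2, Bytes{'d', 'a', 't', 'a'}, kPageLogEncrypted);
    log.hasKey = false;  // simulated restart: the in-memory key is gone
    try {
        log.key = log.get(1).at(0); log.hasKey = true;
        return log.get(2) == Bytes{'d', 'a', 't', 'a'};
    } catch (const std::runtime_error&) { return false; }
}
int main() { std::cout << restartSucceeds(0) << restartSucceeds(kPageLogEncrypted) << "\n"; }
```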