@willyborankin
Collaborator

Switched to use AES key for each stream which brings key auto-rotation

@pmarjou22

pmarjou22 commented Nov 6, 2023

Hello @willyborankin, is this change backward compatible with snapshots created with the previous version of the plugin? We have taken this change and built a version of the plugin for OpenSearch 2.10.0. Once we upgraded OpenSearch, we cannot access previously created snapshots:

GET _snapshot/s3-repositoryencr/_all

{
  "error": {
    "root_cause": [
      {
        "type": "data_length_exception",
        "reason": "data_length_exception: input too large for RSA cipher."
      }
    ],
    "type": "repository_exception",
    "reason": "[s3-repositoryencr] Unexpected exception when loading repository data",
    "caused_by": {
      "type": "data_length_exception",
      "reason": "data_length_exception: input too large for RSA cipher."
    }
  },
  "status": 500
} 

2023-11-06 15:37:52 | org.opensearch.transport.RemoteTransportException: [ES_MASTERHA_0][xxxxxxxxxxx:9300][cluster:admin/snapshot/get]
Caused by: org.opensearch.repositories.RepositoryException: [s3-repositoryencr] Unexpected exception when loading repository data
    at org.opensearch.repositories.blobstore.BlobStoreRepository.doGetRepositoryData(BlobStoreRepository.java:2066) ~[opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.action.ActionRunnable$2.doRun(ActionRunnable.java:89) ~[opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:908) ~[opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52) ~[opensearch-2.10.0.jar:2.10.0]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?]
    at java.lang.Thread.run(Thread.java:833) [?:?]
Caused by: org.opensearch.core.common.io.stream.NotSerializableExceptionWrapper: data_length_exception: input too large for RSA cipher.
    at org.bouncycastle.crypto.engines.RSACoreEngine.convertInput(Unknown Source) ~[?:?]
    at org.bouncycastle.crypto.engines.RSABlindedEngine.processBlock(Unknown Source) ~[?:?]
    at org.bouncycastle.crypto.encodings.OAEPEncoding.decodeBlock(Unknown Source) ~[?:?]
    at org.bouncycastle.crypto.encodings.OAEPEncoding.processBlock(Unknown Source) ~[?:?]
    at org.bouncycastle.jcajce.provider.asymmetric.rsa.CipherSpi.getOutput(Unknown Source) ~[?:?]
    at org.bouncycastle.jcajce.provider.asymmetric.rsa.CipherSpi.engineDoFinal(Unknown Source) ~[?:?]
    at javax.crypto.Cipher.doFinal(Cipher.java:2205) ~[?:?]
    at org.opensearch.repository.encrypted.security.EncryptionDataSerializer.decrypt(EncryptionDataSerializer.java:103) ~[?:?]
    at org.opensearch.repository.encrypted.security.EncryptionDataSerializer.lambda$deserialize$1(EncryptionDataSerializer.java:81) ~[?:?]
    at java.security.AccessController.doPrivileged(AccessController.java:569) ~[?:?]
    at org.opensearch.repository.encrypted.Permissions.doPrivileged(Permissions.java:21) ~[?:?]
    at org.opensearch.repository.encrypted.security.EncryptionDataSerializer.deserialize(EncryptionDataSerializer.java:70) ~[?:?]
    at org.opensearch.repository.encrypted.security.CryptoIO.lambda$decrypt$1(CryptoIO.java:58) ~[?:?]
    at java.security.AccessController.doPrivileged(AccessController.java:569) ~[?:?]
    at org.opensearch.repository.encrypted.Permissions.doPrivileged(Permissions.java:21) ~[?:?]
    at org.opensearch.repository.encrypted.security.CryptoIO.decrypt(CryptoIO.java:56) ~[?:?]
    at org.opensearch.repository.encrypted.EncryptedBlobContainer.readBlob(EncryptedBlobContainer.java:39) ~[?:?]
    at org.opensearch.repositories.blobstore.BlobStoreRepository.getRepositoryData(BlobStoreRepository.java:2217) ~[opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.repositories.blobstore.BlobStoreRepository.doGetRepositoryData(BlobStoreRepository.java:2028) ~[opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.action.ActionRunnable$2.doRun(ActionRunnable.java:89) ~[opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:908) ~[opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52) ~[opensearch-2.10.0.jar:2.10.0]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?]
    at java.lang.Thread.run(Thread.java:833) ~[?:?]

@willyborankin
Collaborator Author

willyborankin commented Nov 6, 2023

Nope, this is the reason why we haven't merged it yet :-). Technically it is possible to do, but unfortunately I did not have time to finish it.

Switched to use AES key for each stream which brings key auto-rotation

Signed-off-by: Andrey Pleskach <[email protected]>
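
A sketch of what "an AES key for each stream" means, as an added example that is not the plugin's code: every stream gets a fresh AES-256 key that is wrapped with the repository's RSA key using OAEP. A reader that assumes a different header size hands the RSA cipher more than one modulus of input and is rejected, which is the class of failure in the trace above. The blob layout, the class and method names and the 2048-bit key are assumptions for illustration; the plugin's real on-disk format is not shown on this page.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class PerStreamKeyDemo {
    static final String WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Encrypt one stream with a fresh AES-256 key, wrapped under the RSA public key.
    // Constructed layout: [wrapped key (modulus-size bytes)][12-byte IV][GCM ciphertext + tag]
    static byte[] encryptStream(PublicKey pub, byte[] plain) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dataKey = kg.generateKey();               // new key per stream
        Cipher rsa = Cipher.getInstance(WRAP);
        rsa.init(Cipher.ENCRYPT_MODE, pub);
        byte[] wrapped = rsa.doFinal(dataKey.getEncoded()); // 256 bytes for RSA-2048
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, dataKey, new GCMParameterSpec(128, iv));
        byte[] ct = aes.doFinal(plain);
        return ByteBuffer.allocate(wrapped.length + 12 + ct.length).put(wrapped).put(iv).put(ct).array();
    }

    // headerLen is what the reader believes the wrapped-key length to be.
    static byte[] decryptStream(PrivateKey priv, int headerLen, byte[] blob) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(WRAP);
        rsa.init(Cipher.DECRYPT_MODE, priv);
        byte[] key = rsa.doFinal(blob, 0, headerLen);       // fails if headerLen > modulus size
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, blob, headerLen, 12));
        return aes.doFinal(blob, headerLen + 12, blob.length - headerLen - 12);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] blob = encryptStream(kp.getPublic(), "segment-1".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decryptStream(kp.getPrivate(), 256, blob), StandardCharsets.UTF_8));
        try { // constructed mismatch: reader expects a 272-byte header, writer produced 256
            decryptStream(kp.getPrivate(), 272, blob);
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

With the JDK's default provider the mismatch surfaces as an `IllegalBlockSizeException`; Bouncy Castle reports the same condition with the "input too large for RSA cipher" message seen in the trace.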