Interface DataEncryptionKeyManager

All Superinterfaces:
org.apache.ignite.internal.lang.Debuggable, org.apache.ignite.internal.manager.IgniteComponent

public interface DataEncryptionKeyManager extends org.apache.ignite.internal.manager.IgniteComponent
Data encryption key manager with chain mechanism.

This manager organizes Data Encryption Keys (DEKs) into chains, where each chain represents a logical grouping of keys with a specific purpose (e.g., table encryption, cache encryption). Each key chain maintains multiple keys over time, with one key designated as active for new encryption operations. This design supports key rotation while maintaining access to historical keys for decrypting existing data.

Key chains provide isolation between different encrypted entities and enable independent key rotation policies. All keys within a chain share the same encryption provider configuration.

  • Field Summary

    Fields inherited from interface org.apache.ignite.internal.lang.Debuggable

    INDENTATION
  • Method Summary

    Modifier and Type
    Method
    Description
    DataEncryptionKey
    activeKey(String chainId)
    Returns the active key for the provided chain identifier.
    void
    addKey(String chainId, DataEncryptionKey newKey)
    Adds a new data encryption key to the chain with the provided identifier.
    void
    changeActiveKey(String chainId, int keyId)
    Makes the key with the provided identifier the active key of the chain.
    boolean
    createKeyChain(String chainId, DataEncryptionKey key, @Nullable String providerName)
    Creates a new key chain with the provided identifier and stores the key as active.
    DataEncryptionKey
    getKey(String chainId, int keyId)
    Returns the key with the provided key identifier from the chain with the provided chain identifier.
    boolean
    keyChainExists(String chainId)
    Returns true if a chain with the provided identifier exists, false otherwise.
    void
    registerRotationListener(DekRotationListener listener)
    Registers a listener to receive notifications about DEK rotation events.
    void
    remove(String chainId)
    Removes the key chain.
    void
    rotateKey(String chainId)
    Initiates a key rotation operation for the specified key chain.
    void
    unregisterRotationListener(DekRotationListener listener)
    Unregisters a previously registered DEK rotation listener.

    Methods inherited from interface org.apache.ignite.internal.lang.Debuggable

    dumpState

    Methods inherited from interface org.apache.ignite.internal.manager.IgniteComponent

    beforeNodeStop, startAsync, stopAsync, stopAsync
  • Method Details

    • createKeyChain

      boolean createKeyChain(String chainId, DataEncryptionKey key, @Nullable String providerName)
      Creates a new key chain with the provided identifier and stores the key as active. The provider name selects the encryption provider used for the keys of this chain.
      Parameters:
      chainId - Key chain identifier.
      key - Data encryption key.
      providerName - Encryption provider name.
      Returns:
      true if key chain is created and false in case when chain with chainId already exists.
    • activeKey

      DataEncryptionKey activeKey(String chainId)
      Returns active key for provided chain identifier.
      Parameters:
      chainId - Chain identifier.
    • getKey

      DataEncryptionKey getKey(String chainId, int keyId)
      Returns the key with the provided key identifier from the chain with the provided chain identifier.
      Parameters:
      chainId - Chain identifier.
      keyId - Key identifier.
    • keyChainExists

      boolean keyChainExists(String chainId)
      Returns true if chain with provided identifier exists or false if not.
      Parameters:
      chainId - Chain identifier.
    • addKey

      void addKey(String chainId, DataEncryptionKey newKey)
      Adds new data encryption key to chain with provided identifier.
      Parameters:
      chainId - Chain identifier.
      newKey - Data encryption key.
    • changeActiveKey

      void changeActiveKey(String chainId, int keyId)
      Makes the key with the provided identifier the active data encryption key of the chain.
      Parameters:
      chainId - Chain identifier.
      keyId - Key identifier.
    • remove

      void remove(String chainId)
      Removes key chain.
      Parameters:
      chainId - Chain identifier.
    • rotateKey

      void rotateKey(String chainId)
      Initiates a key rotation operation for the specified key chain.

      This method generates a new Data Encryption Key (DEK) and adds it to the chain, then sets it as the active key. After rotation, new encryption operations will use the new key, while the previous keys remain available for decrypting existing data.

      The rotation process triggers notifications to all registered DekRotationListener instances, allowing dependent components to react to the key change, such as initiating re-encryption of existing data.

      Parameters:
      chainId - The identifier of the key chain to rotate.
    • registerRotationListener

      void registerRotationListener(DekRotationListener listener)
      Registers a listener to receive notifications about DEK rotation events.

      The listener will be notified when key rotation operations are completed for any key chain managed by this manager. This allows components to react to key changes, such as triggering re-encryption of data or updating cached keys.

      Parameters:
      listener - The listener to register. Must not be null.
    • unregisterRotationListener

      void unregisterRotationListener(DekRotationListener listener)
      Unregisters a previously registered DEK rotation listener.

      After unregistration, the listener will no longer receive notifications about key rotation events. If the listener was not previously registered, this method has no effect.

      Parameters:
      listener - The listener to unregister. Must not be null.
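The chain mechanism described in the class description and under rotateKey and registerRotationListener, as an added Java illustration that is not Ignite's code: one chain keeps every historical key, rotation adds a key and makes it active, each encrypted record carries the id of the key it was written under, and listeners are told when rotation completes. KeyChainDemo, RotationListener and the record layout are assumptions made for this example; the real DataEncryptionKey and DekRotationListener types are not used.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.*;

/** Hypothetical model of a single DEK chain, written for this page; not Ignite's own implementation. */
public class KeyChainDemo {
    interface RotationListener { void onRotated(String chainId, int newActiveKeyId); }
    private final String chainId;
    private final TreeMap<Integer, SecretKey> keys = new TreeMap<>(); // old keys stay for decryption
    private int activeKeyId;
    private final List<RotationListener> listeners = new ArrayList<>();
    private final SecureRandom rnd = new SecureRandom();
    KeyChainDemo(String chainId) {                     // createKeyChain: the first key (id 1) is active
        this.chainId = chainId;
        keys.put(activeKeyId = 1, newKey());
    }
    private byte[] rand(int n) { byte[] b = new byte[n]; rnd.nextBytes(b); return b; }
    private SecretKey newKey() { return new SecretKeySpec(rand(32), "AES"); }   // fresh AES-256 DEK
    void rotateKey() {                                 // rotateKey: new key, make it active, notify
        keys.put(activeKeyId = keys.lastKey() + 1, newKey());
        listeners.forEach(l -> l.onRotated(chainId, activeKeyId));
    }
    private static byte[] gcm(int mode, SecretKey k, byte[] iv, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, k, new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }
    /** Record = keyId (4 bytes) | IV (12) | ciphertext+tag. The stored key id is what keeps old rows readable. */
    byte[] encrypt(byte[] plain) throws Exception {
        byte[] iv = rand(12), ct = gcm(Cipher.ENCRYPT_MODE, keys.get(activeKeyId), iv, plain);
        return ByteBuffer.allocate(16 + ct.length).putInt(activeKeyId).put(iv).put(ct).array();
    }
    byte[] decrypt(byte[] rec) throws Exception {
        ByteBuffer b = ByteBuffer.wrap(rec);
        int keyId = b.getInt();
        byte[] iv = new byte[12], ct = new byte[rec.length - 16];
        b.get(iv).get(ct);
        return gcm(Cipher.DECRYPT_MODE, keys.get(keyId), iv, ct); // getKey(chainId, keyId), not the active key
    }
    public static void main(String[] a) throws Exception {
        KeyChainDemo chain = new KeyChainDemo("table-1");
        chain.listeners.add((id, k) -> System.out.println("rotated " + id + ", active key is now " + k));
        byte[] old = chain.encrypt("row written under key 1".getBytes());
        chain.rotateKey();                             // key 2 becomes active; listener fires
        byte[] fresh = chain.encrypt("row written under key 2".getBytes());
        System.out.println(new String(chain.decrypt(old)) + " | " + new String(chain.decrypt(fresh)));
    }
}
```

A listener in a real deployment would use the rotation callback to schedule re-encryption of records still tagged with older key ids, so that those keys can eventually be retired.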