wbtiger
/
foundationdb
mirror of https://github.com/apple/foundationdb.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
foundationdb/fdbserver/workloads/EncryptionOps.actor.cpp

326 lines
12 KiB
C++
Raw Normal View History

Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
/*
* EncryptionOps.actor.cpp
*
* This source file is part of the FoundationDB open source project
*
Update copyright header dates
2022-03-22 04:36:23 +08:00
* Copyright 2013-2022 Apple Inc. and the FoundationDB project authors
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "fdbclient/DatabaseContext.h"
#include "fdbclient/NativeAPI.actor.h"
#include "flow/IRandom.h"
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
#include "flow/BlobCipher.h"
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
#include "fdbserver/workloads/workloads.actor.h"
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
#include "flow/ITrace.h"
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
#include "flow/Trace.h"
#include <chrono>
#include <cstring>
#include <memory>
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
#include <random>
#include "flow/actorcompiler.h" // This must be the last #include.
#if ENCRYPTION_ENABLED
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
#define MEGA_BYTES (1024 * 1024)
#define NANO_SECOND (1000 * 1000 * 1000)
struct WorkloadMetrics {
double totalEncryptTimeNS;
double totalDecryptTimeNS;
double totalKeyDerivationTimeNS;
int64_t totalBytes;
void reset() {
totalEncryptTimeNS = 0;
totalDecryptTimeNS = 0;
totalKeyDerivationTimeNS = 0;
totalBytes = 0;
}
WorkloadMetrics() { reset(); }
double computeEncryptThroughputMBPS() {
// convert bytes -> MBs & nano-seonds -> seconds
return (totalBytes * NANO_SECOND) / (totalEncryptTimeNS * MEGA_BYTES);
}
double computeDecryptThroughputMBPS() {
// convert bytes -> MBs & nano-seonds -> seconds
return (totalBytes * NANO_SECOND) / (totalDecryptTimeNS * MEGA_BYTES);
}
void updateKeyDerivationTime(double val) { totalKeyDerivationTimeNS += val; }
void updateEncryptionTime(double val) { totalEncryptTimeNS += val; }
void updateDecryptionTime(double val) { totalDecryptTimeNS += val; }
void updateBytes(int64_t val) { totalBytes += val; }
void recordMetrics(const std::string& mode, const int numIterations) {
TraceEvent("EncryptionOpsWorkload")
.detail("Mode", mode)
.detail("EncryptTimeMS", totalEncryptTimeNS / 1000)
.detail("DecryptTimeMS", totalDecryptTimeNS / 1000)
.detail("EncryptMBPS", computeEncryptThroughputMBPS())
.detail("DecryptMBPS", computeDecryptThroughputMBPS())
.detail("KeyDerivationTimeMS", totalKeyDerivationTimeNS / 1000)
.detail("TotalBytes", totalBytes)
.detail("AvgCommitSize", totalBytes / numIterations);
}
};
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
// Workload generator for encryption/decryption operations.
// 1. For every client run, it generate unique random encryptionDomainId range and simulate encryption of
// either fixed size or variable size payload.
// 2. For each encryption run, it would interact with BlobCipherKeyCache to fetch the desired encryption key,
// which then is used for encrypting the plaintext payload.
// 3. Encryption operation generates 'encryption header', it is leveraged to decrypt the ciphertext obtained from
// step#2 (simulate real-world scenario)
//
// Correctness validations:
// -----------------------
// Correctness invariants are validated at various steps:
// 1. Encryption key correctness: as part of performing decryption, BlobCipherKeyCache lookup is done to procure
// desired encrytion key based on: {encryptionDomainId, baseCipherId}; the obtained key is validated against
// the encryption key used for encrypting the data.
// 2. After encryption, generated 'encryption header' fields are validated, encrypted buffer size and contents are
// validated.
// 3. After decryption, the obtained deciphertext is validated against the orginal plaintext payload.
//
// Performance metrics:
// -------------------
// The workload generator profiles below operations across the iterations and logs the details at the end, they are:
// 1. Time spent in encryption key fetch (and derivation) operations.
// 2. Time spent encrypting the buffer (doesn't incude key lookup time); also records the throughput in MB/sec.
// 3. Time spent decrypting the buffer (doesn't incude key lookup time); also records the throughput in MB/sec.
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
struct EncryptionOpsWorkload : TestWorkload {
int mode;
int64_t numIterations;
int pageSize;
int maxBufSize;
std::unique_ptr<uint8_t[]> buff;
Arena arena;
std::unique_ptr<WorkloadMetrics> metrics;
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
BlobCipherDomainId minDomainId;
BlobCipherDomainId maxDomainId;
BlobCipherBaseKeyId minBaseCipherId;
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
EncryptionOpsWorkload(WorkloadContext const& wcx) : TestWorkload(wcx) {
mode = getOption(options, LiteralStringRef("fixedSize"), 1);
numIterations = getOption(options, LiteralStringRef("numIterations"), 10);
pageSize = getOption(options, LiteralStringRef("pageSize"), 4096);
maxBufSize = getOption(options, LiteralStringRef("maxBufSize"), 512 * 1024);
buff = std::make_unique<uint8_t[]>(maxBufSize);
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
// assign unique encryptionDomainId range per workload clients
minDomainId = wcx.clientId * 100 + mode * 30 + 1;
maxDomainId = deterministicRandom()->randomInt(minDomainId, minDomainId + 10) + 5;
minBaseCipherId = 100;
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
metrics = std::make_unique<WorkloadMetrics>();
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
TraceEvent("EncryptionOpsWorkload")
.detail("Mode", getModeStr())
.detail("MinDomainId", minDomainId)
.detail("MaxDomainId", maxDomainId);
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
}
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
~EncryptionOpsWorkload() { TraceEvent("EncryptionOpsWorkload_Done").log(); }
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
bool isFixedSizePayload() { return mode == 1; }
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
std::string getModeStr() const {
if (mode == 1) {
return "FixedSize";
} else if (mode == 0) {
return "VariableSize";
}
// no other mode supported
throw internal_error();
}
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
void generateRandomBaseCipher(const int maxLen, uint8_t* buff, int* retLen) {
memset(buff, 0, maxLen);
*retLen = deterministicRandom()->randomInt(maxLen / 2, maxLen);
generateRandomData(buff, *retLen);
}
void setupCipherEssentials() {
auto& cipherKeyCache = BlobCipherKeyCache::getInstance();
TraceEvent("SetupCipherEssentials_Start").detail("MinDomainId", minDomainId).detail("MaxDomainId", maxDomainId);
uint8_t buff[AES_256_KEY_LENGTH];
std::vector<Reference<BlobCipherKey>> cipherKeys;
for (BlobCipherDomainId id = minDomainId; id <= maxDomainId; id++) {
int cipherLen = 0;
generateRandomBaseCipher(AES_256_KEY_LENGTH, &buff[0], &cipherLen);
cipherKeyCache.insertCipherKey(id, minBaseCipherId, buff, cipherLen);
ASSERT(cipherLen > 0 && cipherLen <= AES_256_KEY_LENGTH);
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
cipherKeys = cipherKeyCache.getAllCiphers(id);
ASSERT(cipherKeys.size() == 1);
}
TraceEvent("SetupCipherEssentials_Done").detail("MinDomainId", minDomainId).detail("MaxDomainId", maxDomainId);
}
void resetCipherEssentials() {
auto& cipherKeyCache = BlobCipherKeyCache::getInstance();
cipherKeyCache.cleanup();
TraceEvent("ResetCipherEssentials_Done").log();
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
}
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
void updateLatestBaseCipher(const BlobCipherDomainId encryptDomainId,
uint8_t* baseCipher,
int* baseCipherLen,
BlobCipherBaseKeyId* nextBaseCipherId) {
auto& cipherKeyCache = BlobCipherKeyCache::getInstance();
Reference<BlobCipherKey> cipherKey = cipherKeyCache.getLatestCipherKey(encryptDomainId);
*nextBaseCipherId = cipherKey->getBaseCipherId() + 1;
generateRandomBaseCipher(AES_256_KEY_LENGTH, baseCipher, baseCipherLen);
ASSERT(*baseCipherLen > 0 && *baseCipherLen <= AES_256_KEY_LENGTH);
TraceEvent("UpdateBaseCipher").detail("DomainId", encryptDomainId).detail("BaseCipherId", *nextBaseCipherId);
}
Reference<EncryptBuf> doEncryption(Reference<BlobCipherKey> key,
uint8_t* payload,
int len,
BlobCipherEncryptHeader* header) {
uint8_t iv[AES_256_IV_LENGTH];
generateRandomData(&iv[0], AES_256_IV_LENGTH);
EncryptBlobCipherAes265Ctr encryptor(key, &iv[0], AES_256_IV_LENGTH);
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
auto start = std::chrono::high_resolution_clock::now();
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
Reference<EncryptBuf> encrypted = encryptor.encrypt(payload, len, header, arena);
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
auto end = std::chrono::high_resolution_clock::now();
// validate encrypted buffer size and contents (not matching with plaintext)
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
ASSERT(encrypted->getLogicalSize() == len);
ASSERT(memcmp(encrypted->begin(), payload, len) != 0);
ASSERT(header->flags.headerVersion == EncryptBlobCipherAes265Ctr::ENCRYPT_HEADER_VERSION);
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
metrics->updateEncryptionTime(std::chrono::duration<double, std::nano>(end - start).count());
return encrypted;
}
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
void doDecryption(Reference<EncryptBuf> encrypted,
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
int len,
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
const BlobCipherEncryptHeader& header,
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
uint8_t* originalPayload,
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
Reference<BlobCipherKey> orgCipherKey) {
ASSERT(header.flags.headerVersion == EncryptBlobCipherAes265Ctr::ENCRYPT_HEADER_VERSION);
ASSERT(header.flags.encryptMode == BLOB_CIPHER_ENCRYPT_MODE_AES_256_CTR);
auto& cipherKeyCache = BlobCipherKeyCache::getInstance();
Reference<BlobCipherKey> cipherKey = cipherKeyCache.getCipherKey(header.encryptDomainId, header.baseCipherId);
ASSERT(cipherKey.isValid());
ASSERT(cipherKey->isEqual(orgCipherKey));
DecryptBlobCipherAes256Ctr decryptor(cipherKey, &header.iv[0]);
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
auto start = std::chrono::high_resolution_clock::now();
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
Reference<EncryptBuf> decrypted = decryptor.decrypt(encrypted->begin(), len, header, arena);
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
auto end = std::chrono::high_resolution_clock::now();
// validate decrypted buffer size and contents (matching with original plaintext)
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
ASSERT(decrypted->getLogicalSize() == len);
ASSERT(memcmp(decrypted->begin(), originalPayload, len) == 0);
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
metrics->updateDecryptionTime(std::chrono::duration<double, std::nano>(end - start).count());
}
Future<Void> setup(Database const& ctx) override { return Void(); }
std::string description() const override { return "EncryptionOps"; }
Future<Void> start(Database const& cx) override {
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
uint8_t baseCipher[AES_256_KEY_LENGTH];
int baseCipherLen = 0;
BlobCipherBaseKeyId nextBaseCipherId;
// Setup encryptDomainIds and corresponding baseCipher details
setupCipherEssentials();
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
for (int i = 0; i < numIterations; i++) {
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
bool updateBaseCipher = deterministicRandom()->randomInt(1, 100) < 5;
// Step-1: Encryption key derivation, caching the cipher for later use
auto& cipherKeyCache = BlobCipherKeyCache::getInstance();
// randomly select a domainId
const BlobCipherDomainId encryptDomainId = deterministicRandom()->randomInt(minDomainId, maxDomainId);
ASSERT(encryptDomainId >= minDomainId && encryptDomainId <= maxDomainId);
if (updateBaseCipher) {
// simulate baseCipherId getting refreshed/updated
updateLatestBaseCipher(encryptDomainId, &baseCipher[0], &baseCipherLen, &nextBaseCipherId);
cipherKeyCache.insertCipherKey(encryptDomainId, nextBaseCipherId, &baseCipher[0], baseCipherLen);
}
auto start = std::chrono::high_resolution_clock::now();
Reference<BlobCipherKey> cipherKey = cipherKeyCache.getLatestCipherKey(encryptDomainId);
auto end = std::chrono::high_resolution_clock::now();
metrics->updateKeyDerivationTime(std::chrono::duration<double, std::nano>(end - start).count());
// Validate sanity of "getLatestCipher", especially when baseCipher gets updated
if (updateBaseCipher) {
ASSERT(cipherKey->getBaseCipherId() == nextBaseCipherId);
ASSERT(cipherKey->getBaseCipherLen() == baseCipherLen);
ASSERT(memcmp(cipherKey->rawBaseCipher(), baseCipher, baseCipherLen) == 0);
}
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
int dataLen = isFixedSizePayload() ? pageSize : deterministicRandom()->randomInt(100, maxBufSize);
generateRandomData(buff.get(), dataLen);
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
// Encrypt the payload - generates BlobCipherEncryptHeader to assist decryption later
BlobCipherEncryptHeader header;
try {
Reference<EncryptBuf> encrypted = doEncryption(cipherKey, buff.get(), dataLen, &header);
// Decrypt the payload - parses the BlobCipherEncryptHeader, fetch corresponding cipherKey and
// decrypt
doDecryption(encrypted, dataLen, header, buff.get(), cipherKey);
} catch (Error& e) {
TraceEvent("Failed")
.detail("DomainId", encryptDomainId)
.detail("BaseCipherId", cipherKey->getBaseCipherId());
throw;
}
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
metrics->updateBytes(dataLen);
}
Introduce BlobCipher interface and cipher caching interface (#6391) * Introduce BlobCipher interface and cipher caching interface diff-3: Update the code to avoid deriving encryption key periodically. Implement EncyrptBuf interface to limit memcpys. Improve both unit test and simulation to better code coverage. diff-2: Add specific error code for OpenSSL AES call failures diff-1: Update encryption scheme to AES-256-CTR. Minor updates to Header to capture more information. Major changes proposed are: 1. Introduce encyrption header format. 2. Introduce a BlobCipher cipher key representation encoding following information: baseCipher details, derived encryption cipher details, creationTime and random salt. 3. Introduce interface to support block cipher encrytion and decrytion operations. Encyrption populates encryption header allowing client to persist them on-disk, this header is then read allowing decryption on reads. 4. Introduce interface to allow in-memory caching of cipher keys. The cache allowing mapping of "encryption domain" -> "base cipher id" -> "derived cipher keys" (3D hash map). This cache interface will be used by FDB processes participating in encryption to cache recently used ciphers (performance optimization). Testing: 1. Unit test to validate caching interface. 2. Update EncryptionOps simulation test to validate block cipher operations.
2022-03-24 22:31:49 +08:00
// Cleanup cipherKeys
resetCipherEssentials();
Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor (#6314) * Upgrade AES 128 GCM -> AES 256, StreamCipher code refactor Major changes proposed are: 1. Refactor StreamCipher code to enable instantiation of multiple encryption keys. However, code still retains a globalEncryption key semantics used in Backup file encryption usecase. 2. Enhance StreamCipher to provide HMAC signature digest generation. Further, the class implements HMAC encryption key derivation function. 3. Upgrade StreamCipher to use AES 256 GCM mode from currently supported AES 128 GCM mode. Note: The code changes the encryption key size, however, the feature is NOT currently in use, hence, should be OK. 3. Add EncryptionOps validation and benchmark toml supported workload, it does the following: a. Allow user to configure encrypt-decrypt of a fixed size buffer or variable size buffer [100, 512K] b. Allow user to configure number of interactions of the runs, in each iteration: generate random data, derive an encryption key using HMAC SHA256 method, encrypt data and then decrypt data. It collects following metrics: i) time taken to derive encryption key. ii) time taken to encrypt the buffer. iii) time taken to decrypt the buffer. iv) total bytes encrypted and/or decrypted c. Along with stats it basic basic validations on the encrypted and decrypted buffer d. On completion for test, records the above mentioned metrics in trace files.
2022-02-01 09:52:44 +08:00
return Void();
}
Future<bool> check(Database const& cx) override { return true; }
void getMetrics(std::vector<PerfMetric>& m) override { metrics->recordMetrics(getModeStr(), numIterations); }
};
WorkloadFactory<EncryptionOpsWorkload> EncryptionOpsWorkloadFactory("EncryptionOps");
#endif // ENCRYPTION_ENABLED