diff --git a/fdbclient/BackupAgentBase.actor.cpp b/fdbclient/BackupAgentBase.actor.cpp index 94e88c215f..5d814f14b5 100644 --- a/fdbclient/BackupAgentBase.actor.cpp +++ b/fdbclient/BackupAgentBase.actor.cpp @@ -371,17 +371,9 @@ ACTOR static Future decodeBackupLogValue(Arena* arena, state EncryptCipherDomainId domainId = logValue.encryptDomainId(); Reference const> dbInfo = cx->clientInfo; try { - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { - TextAndHeaderCipherKeys cipherKeys = - wait(GetEncryptCipherKeys::getEncryptCipherKeys( - dbInfo, logValue.configurableEncryptionHeader(), BlobCipherMetrics::RESTORE)); - logValue = logValue.decrypt(cipherKeys, tempArena, BlobCipherMetrics::RESTORE); - } else { - TextAndHeaderCipherKeys cipherKeys = - wait(GetEncryptCipherKeys::getEncryptCipherKeys( - dbInfo, *logValue.encryptionHeader(), BlobCipherMetrics::RESTORE)); - logValue = logValue.decrypt(cipherKeys, tempArena, BlobCipherMetrics::RESTORE); - } + TextAndHeaderCipherKeys cipherKeys = wait(GetEncryptCipherKeys::getEncryptCipherKeys( + dbInfo, logValue.configurableEncryptionHeader(), BlobCipherMetrics::RESTORE)); + logValue = logValue.decrypt(cipherKeys, tempArena, BlobCipherMetrics::RESTORE); } catch (Error& e) { // It's possible a tenant was deleted and the encrypt key fetch failed TraceEvent(SevWarnAlways, "MutationLogRestoreEncryptKeyFetchFailed") diff --git a/fdbclient/BlobCipher.cpp b/fdbclient/BlobCipher.cpp index 3d43018e4c..fd1bab7444 100644 --- a/fdbclient/BlobCipher.cpp +++ b/fdbclient/BlobCipher.cpp @@ -61,8 +61,6 @@ namespace { void validateEncryptHeaderFlagVersion(const int flagsVersion) { - ASSERT(CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION); - if (flagsVersion > CLIENT_KNOBS->ENCRYPT_HEADER_FLAGS_VERSION) { TraceEvent("EncryptHeaderUnsupportedFlagVersion") .detail("MaxSupportedVersion", CLIENT_KNOBS->ENCRYPT_HEADER_FLAGS_VERSION) @@ -75,8 +73,6 @@ void validateEncryptHeaderAlgoHeaderVersion(const EncryptCipherMode cipherMode, const EncryptAuthTokenMode authMode, const EncryptAuthTokenAlgo authAlgo, const int version) { - ASSERT(CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION); - if (cipherMode != ENCRYPT_CIPHER_MODE_AES_256_CTR) { TraceEvent("EncryptHeaderUnsupportedEncryptCipherMode") .detail("MaxSupportedVersion", CLIENT_KNOBS->ENCRYPT_HEADER_FLAGS_VERSION) @@ -147,8 +143,6 @@ uint32_t BlobCipherEncryptHeaderRef::getHeaderSize(const int flagVersion, } const uint8_t* BlobCipherEncryptHeaderRef::getIV() const { - ASSERT(CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION); - validateEncryptHeaderFlagVersion(flagsVersion()); ASSERT_EQ(flagsVersion(), 1); @@ -167,8 +161,6 @@ template inline constexpr bool always_false_v = false; const EncryptHeaderCipherDetails BlobCipherEncryptHeaderRef::getCipherDetails() const { - ASSERT(CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION); - validateEncryptHeaderFlagVersion(flagsVersion()); ASSERT_EQ(flagsVersion(), 1); @@ -214,8 +206,6 @@ EncryptCipherDomainId BlobCipherEncryptHeaderRef::getDomainId() const { } EncryptHeaderCipherKCVs BlobCipherEncryptHeaderRef::getKCVs() const { - ASSERT(CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION); - validateEncryptHeaderFlagVersion(flagsVersion()); ASSERT_EQ(flagsVersion(), 1); @@ -246,8 +236,6 @@ void BlobCipherEncryptHeaderRef::validateEncryptionHeaderDetails(const BlobCiphe const BlobCipherDetails& headerCipherDetails, const EncryptHeaderCipherKCVs& kcvs, const StringRef& ivRef) const { - ASSERT(CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION); - validateEncryptHeaderFlagVersion(flagsVersion()); ASSERT_EQ(flagsVersion(), 1); @@ -2321,8 +2309,6 @@ void testNoAuthMode(const int minDomainId) { } void testConfigurableEncryptionBlobCipherHeaderFlagsV1Ser() { - ASSERT(CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION); - Arena arena; // Version-1 @@ -2333,8 +2319,6 @@ void testConfigurableEncryptionBlobCipherHeaderFlagsV1Ser() { } void testConfigurableEncryptionAesCtrNoAuthV1Ser(const int minDomainId) { - ASSERT(CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION); - Arena arena; BlobCipherEncryptHeaderRef headerRef; uint32_t size = 0; @@ -2366,8 +2350,6 @@ void testConfigurableEncryptionAesCtrNoAuthV1Ser(const int minDomainId) { template void testConfigurableEncryptionAesCtrWithAuthSer(const int minDomainId) { constexpr bool isHmac = std::is_same_v; - ASSERT(CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION); - Arena arena; BlobCipherEncryptHeaderRef headerRef; uint32_t size = 0; @@ -2402,8 +2384,6 @@ void testConfigurableEncryptionAesCtrWithAuthSer(const int minDomainId) { } void testConfigurableEncryptionHeaderNoAuthMode(const int minDomainId) { - ASSERT(CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION); - TraceEvent("TestConfigurableEncryptionHeader").detail("Mode", "No-Auth"); Reference cipherKeyCache = BlobCipherKeyCache::getInstance(); @@ -2461,8 +2441,6 @@ void testConfigurableEncryptionHeaderNoAuthMode(const int minDomainId) { } void testConfigurableEncryptionNoAuthMode(const int minDomainId) { - ASSERT(CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION); - TraceEvent("TestConfigurableEncryptionNoAuthModeStart"); Reference cipherKeyCache = BlobCipherKeyCache::getInstance(); @@ -2720,8 +2698,6 @@ void testSingleAuthMode(const int minDomainId) { template void testConfigurableEncryptionHeaderSingleAuthMode(int minDomainId) { constexpr bool isHmac = std::is_same_v; - ASSERT(CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION); - TraceEvent("TestEncryptionHeaderStart").detail("Mode", isHmac ? "HMAC_SHA" : "AES-CMAC"); Reference cipherKeyCache = BlobCipherKeyCache::getInstance(); @@ -2794,8 +2770,6 @@ void testConfigurableEncryptionSingleAuthMode(const int minDomainId) { const int algoHeaderVersion = isHmac ? CLIENT_KNOBS->ENCRYPT_HEADER_AES_CTR_HMAC_SHA_AUTH_VERSION : CLIENT_KNOBS->ENCRYPT_HEADER_AES_CTR_AES_CMAC_AUTH_VERSION; - ASSERT(CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION); - TraceEvent("TestConfigurableEncryptionSingleAuthStart").detail("Mode", authAlgoStr); Reference cipherKeyCache = BlobCipherKeyCache::getInstance(); @@ -3045,8 +3019,6 @@ void testEncryptInplaceSingleAuthMode(const int minDomainId) { } void testConfigurableEncryptionInvalidEncryptionKeyNoAuth(const int minDomainId) { - ASSERT(CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION); - TraceEvent("TestConfigurableEncryptionInvalidEncryptKeyNoAuthStart"); Reference cipherKeyCache = BlobCipherKeyCache::getInstance(); @@ -3108,8 +3080,6 @@ void testConfigurableEncryptionInvalidEncryptKeySingleAuthMode(const int minDoma const int algoHeaderVersion = isHmac ? CLIENT_KNOBS->ENCRYPT_HEADER_AES_CTR_HMAC_SHA_AUTH_VERSION : CLIENT_KNOBS->ENCRYPT_HEADER_AES_CTR_AES_CMAC_AUTH_VERSION; - ASSERT(CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION); - TraceEvent("TestConfigurableEncryptionSingleAuthStart").detail("Mode", authAlgoStr); Reference cipherKeyCache = BlobCipherKeyCache::getInstance(); @@ -3183,9 +3153,6 @@ void testConfigurableEncryptionInvalidEncryptKeySingleAuthMode(const int minDoma TEST_CASE("/blobCipher") { DomainKeyMap domainKeyMap; - auto& g_knobs = IKnobCollection::getMutableGlobalKnobCollection(); - g_knobs.setKnob("enable_configurable_encryption", KnobValueRef::create(bool{ true })); - const EncryptCipherDomainId minDomainId = 1; const EncryptCipherDomainId maxDomainId = deterministicRandom()->randomInt(minDomainId, minDomainId + 10) + 5; const EncryptCipherBaseKeyId minBaseCipherKeyId = 100; diff --git a/fdbclient/BlobGranuleFiles.cpp b/fdbclient/BlobGranuleFiles.cpp index 24063e62db..6b0647ee79 100644 --- a/fdbclient/BlobGranuleFiles.cpp +++ b/fdbclient/BlobGranuleFiles.cpp @@ -310,20 +310,12 @@ struct IndexBlockRef { AES_256_IV_LENGTH, getEncryptAuthTokenMode(EncryptAuthTokenMode::ENCRYPT_HEADER_AUTH_TOKEN_MODE_SINGLE), BlobCipherMetrics::BLOB_GRANULE); - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { - BlobCipherEncryptHeaderRef headerRef; - buffer = encryptor.encrypt( - serializedBuff.contents().begin(), serializedBuff.contents().size(), &headerRef, arena); - Standalone serialized = BlobCipherEncryptHeaderRef::toStringRef(headerRef); - arena.dependsOn(serialized.arena()); - encryptHeaderRef = serialized; - } else { - BlobCipherEncryptHeader header; - buffer = - encryptor.encrypt(serializedBuff.contents().begin(), serializedBuff.contents().size(), &header, arena) - ->toStringRef(); - encryptHeaderRef = BlobCipherEncryptHeader::toStringRef(header, arena); - } + BlobCipherEncryptHeaderRef headerRef; + buffer = + encryptor.encrypt(serializedBuff.contents().begin(), serializedBuff.contents().size(), &headerRef, arena); + Standalone serialized = BlobCipherEncryptHeaderRef::toStringRef(headerRef); + arena.dependsOn(serialized.arena()); + encryptHeaderRef = serialized; if (BG_ENCRYPT_COMPRESS_DEBUG) { XXH64_hash_t chksum = XXH3_64bits(buffer.begin(), buffer.size()); @@ -342,24 +334,11 @@ struct IndexBlockRef { TraceEvent(SevDebug, "IndexBlockEncrypt_Before").detail("Chksum", chksum); } StringRef decrypted; - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { - BlobCipherEncryptHeaderRef headerRef = - BlobCipherEncryptHeaderRef::fromStringRef(idxRef.encryptHeaderRef.get()); - validateEncryptionHeaderDetails(eKeys, headerRef, cipherKeysCtx.ivRef); - DecryptBlobCipherAes256Ctr decryptor(eKeys.textCipherKey, - eKeys.headerCipherKey, - cipherKeysCtx.ivRef.begin(), - BlobCipherMetrics::BLOB_GRANULE); - decrypted = decryptor.decrypt(idxRef.buffer.begin(), idxRef.buffer.size(), headerRef, arena); - } else { - BlobCipherEncryptHeader header = BlobCipherEncryptHeader::fromStringRef(idxRef.encryptHeaderRef.get()); - validateEncryptionHeaderDetails(eKeys, header, cipherKeysCtx.ivRef); - DecryptBlobCipherAes256Ctr decryptor(eKeys.textCipherKey, - eKeys.headerCipherKey, - cipherKeysCtx.ivRef.begin(), - BlobCipherMetrics::BLOB_GRANULE); - decrypted = decryptor.decrypt(idxRef.buffer.begin(), idxRef.buffer.size(), header, arena)->toStringRef(); - } + BlobCipherEncryptHeaderRef headerRef = BlobCipherEncryptHeaderRef::fromStringRef(idxRef.encryptHeaderRef.get()); + validateEncryptionHeaderDetails(eKeys, headerRef, cipherKeysCtx.ivRef); + DecryptBlobCipherAes256Ctr decryptor( + eKeys.textCipherKey, eKeys.headerCipherKey, cipherKeysCtx.ivRef.begin(), BlobCipherMetrics::BLOB_GRANULE); + decrypted = decryptor.decrypt(idxRef.buffer.begin(), idxRef.buffer.size(), headerRef, arena); if (BG_ENCRYPT_COMPRESS_DEBUG) { XXH64_hash_t chksum = XXH3_64bits(decrypted.begin(), decrypted.size()); @@ -452,18 +431,11 @@ struct IndexBlobGranuleFileChunkRef { AES_256_IV_LENGTH, getEncryptAuthTokenMode(EncryptAuthTokenMode::ENCRYPT_HEADER_AUTH_TOKEN_MODE_SINGLE), BlobCipherMetrics::BLOB_GRANULE); - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { - BlobCipherEncryptHeaderRef headerRef; - chunkRef.buffer = encryptor.encrypt(chunkRef.buffer.begin(), chunkRef.buffer.size(), &headerRef, arena); - Standalone serialized = BlobCipherEncryptHeaderRef::toStringRef(headerRef); - arena.dependsOn(serialized.arena()); - chunkRef.encryptHeaderRef = serialized; - } else { - BlobCipherEncryptHeader header; - chunkRef.buffer = - encryptor.encrypt(chunkRef.buffer.begin(), chunkRef.buffer.size(), &header, arena)->toStringRef(); - chunkRef.encryptHeaderRef = BlobCipherEncryptHeader::toStringRef(header, arena); - } + BlobCipherEncryptHeaderRef headerRef; + chunkRef.buffer = encryptor.encrypt(chunkRef.buffer.begin(), chunkRef.buffer.size(), &headerRef, arena); + Standalone serialized = BlobCipherEncryptHeaderRef::toStringRef(headerRef); + arena.dependsOn(serialized.arena()); + chunkRef.encryptHeaderRef = serialized; if (BG_ENCRYPT_COMPRESS_DEBUG) { XXH64_hash_t chksum = XXH3_64bits(chunkRef.buffer.begin(), chunkRef.buffer.size()); @@ -485,25 +457,12 @@ struct IndexBlobGranuleFileChunkRef { } StringRef decrypted; - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { - BlobCipherEncryptHeaderRef headerRef = - BlobCipherEncryptHeaderRef::fromStringRef(chunkRef.encryptHeaderRef.get()); - validateEncryptionHeaderDetails(eKeys, headerRef, cipherKeysCtx.ivRef); - DecryptBlobCipherAes256Ctr decryptor(eKeys.textCipherKey, - eKeys.headerCipherKey, - cipherKeysCtx.ivRef.begin(), - BlobCipherMetrics::BLOB_GRANULE); - decrypted = decryptor.decrypt(chunkRef.buffer.begin(), chunkRef.buffer.size(), headerRef, arena); - } else { - BlobCipherEncryptHeader header = BlobCipherEncryptHeader::fromStringRef(chunkRef.encryptHeaderRef.get()); - validateEncryptionHeaderDetails(eKeys, header, cipherKeysCtx.ivRef); - DecryptBlobCipherAes256Ctr decryptor(eKeys.textCipherKey, - eKeys.headerCipherKey, - cipherKeysCtx.ivRef.begin(), - BlobCipherMetrics::BLOB_GRANULE); - decrypted = - decryptor.decrypt(chunkRef.buffer.begin(), chunkRef.buffer.size(), header, arena)->toStringRef(); - } + BlobCipherEncryptHeaderRef headerRef = + BlobCipherEncryptHeaderRef::fromStringRef(chunkRef.encryptHeaderRef.get()); + validateEncryptionHeaderDetails(eKeys, headerRef, cipherKeysCtx.ivRef); + DecryptBlobCipherAes256Ctr decryptor( + eKeys.textCipherKey, eKeys.headerCipherKey, cipherKeysCtx.ivRef.begin(), BlobCipherMetrics::BLOB_GRANULE); + decrypted = decryptor.decrypt(chunkRef.buffer.begin(), chunkRef.buffer.size(), headerRef, arena); if (BG_ENCRYPT_COMPRESS_DEBUG) { XXH64_hash_t chksum = XXH3_64bits(decrypted.begin(), decrypted.size()); diff --git a/fdbclient/ClientKnobs.cpp b/fdbclient/ClientKnobs.cpp index 0c038a0e8c..926adfd59a 100644 --- a/fdbclient/ClientKnobs.cpp +++ b/fdbclient/ClientKnobs.cpp @@ -313,7 +313,6 @@ void ClientKnobs::initialize(Randomize randomize) { init( ENABLE_ENCRYPTION_CPU_TIME_LOGGING, false ); init( SIMULATION_EKP_TENANT_IDS_TO_DROP, "-1" ); - init( ENABLE_CONFIGURABLE_ENCRYPTION, true ); init( ENCRYPT_HEADER_FLAGS_VERSION, 1 ); init( ENCRYPT_HEADER_AES_CTR_NO_AUTH_VERSION, 1 ); init( ENCRYPT_HEADER_AES_CTR_AES_CMAC_AUTH_VERSION, 1 ); diff --git a/fdbclient/FileBackupAgent.actor.cpp b/fdbclient/FileBackupAgent.actor.cpp index f7118b0361..913e8c8dc5 100644 --- a/fdbclient/FileBackupAgent.actor.cpp +++ b/fdbclient/FileBackupAgent.actor.cpp @@ -65,7 +65,6 @@ #include #include #include -#include #include "flow/actorcompiler.h" // This must be the last #include. @@ -574,67 +573,39 @@ struct SnapshotFileBackupEncryptionKeys { // truncated to just the tenant prefix and the value will be empty (to avoid having sensitive data of one tenant be // encrypted with a key for a different tenant) struct EncryptedRangeFileWriter : public IRangeFileWriter { - struct Options { - constexpr static FileIdentifier file_identifier = 3152016; - - bool configurableEncryptionEnabled = false; - - Options() {} - - template - void serialize(Ar& ar) { - serializer(ar, configurableEncryptionEnabled); - } - }; - EncryptedRangeFileWriter(Database cx, Arena* arena, EncryptionAtRestMode encryptMode, Optional>> tenantCache, Reference file = Reference(), - int blockSize = 0, - Options options = Options()) + int blockSize = 0) : cx(cx), arena(arena), file(file), encryptMode(encryptMode), tenantCache(tenantCache), blockSize(blockSize), - blockEnd(0), fileVersion(BACKUP_AGENT_ENCRYPTED_SNAPSHOT_FILE_VERSION), options(options) { + blockEnd(0), fileVersion(BACKUP_AGENT_ENCRYPTED_SNAPSHOT_FILE_VERSION) { buffer = makeString(blockSize); wPtr = mutateString(buffer); } - ACTOR static Future decryptImpl( - Database cx, - std::variant headerVariant, - const uint8_t* dataP, - int64_t dataLen, - Arena* arena) { + ACTOR static Future decryptImpl(Database cx, + BlobCipherEncryptHeaderRef header, + const uint8_t* dataP, + int64_t dataLen, + Arena* arena) { Reference const> dbInfo = cx->clientInfo; - if (std::holds_alternative(headerVariant)) { // configurable encryption - state BlobCipherEncryptHeaderRef headerRef = std::get(headerVariant); - TextAndHeaderCipherKeys cipherKeys = wait(GetEncryptCipherKeys::getEncryptCipherKeys( - dbInfo, headerRef, BlobCipherMetrics::RESTORE)); - EncryptHeaderCipherDetails cipherDetails = headerRef.getCipherDetails(); - cipherDetails.textCipherDetails.validateCipherDetailsWithCipherKey(cipherKeys.cipherTextKey); - if (cipherDetails.headerCipherDetails.present()) { - cipherDetails.headerCipherDetails.get().validateCipherDetailsWithCipherKey(cipherKeys.cipherHeaderKey); - } - DecryptBlobCipherAes256Ctr decryptor( - cipherKeys.cipherTextKey, cipherKeys.cipherHeaderKey, headerRef.getIV(), BlobCipherMetrics::RESTORE); - return decryptor.decrypt(dataP, dataLen, headerRef, *arena); - } else { - state BlobCipherEncryptHeader header = std::get(headerVariant); - TextAndHeaderCipherKeys cipherKeys = wait( - GetEncryptCipherKeys::getEncryptCipherKeys(dbInfo, header, BlobCipherMetrics::RESTORE)); - header.cipherTextDetails.validateCipherDetailsWithCipherKey(cipherKeys.cipherTextKey); - if (header.cipherHeaderDetails.isValid()) { - header.cipherHeaderDetails.validateCipherDetailsWithCipherKey(cipherKeys.cipherHeaderKey); - } - DecryptBlobCipherAes256Ctr decryptor( - cipherKeys.cipherTextKey, cipherKeys.cipherHeaderKey, header.iv, BlobCipherMetrics::RESTORE); - return decryptor.decrypt(dataP, dataLen, header, *arena)->toStringRef(); + state BlobCipherEncryptHeaderRef headerRef = header; + TextAndHeaderCipherKeys cipherKeys = wait( + GetEncryptCipherKeys::getEncryptCipherKeys(dbInfo, headerRef, BlobCipherMetrics::RESTORE)); + EncryptHeaderCipherDetails cipherDetails = headerRef.getCipherDetails(); + cipherDetails.textCipherDetails.validateCipherDetailsWithCipherKey(cipherKeys.cipherTextKey); + if (cipherDetails.headerCipherDetails.present()) { + cipherDetails.headerCipherDetails.get().validateCipherDetailsWithCipherKey(cipherKeys.cipherHeaderKey); } + DecryptBlobCipherAes256Ctr decryptor( + cipherKeys.cipherTextKey, cipherKeys.cipherHeaderKey, headerRef.getIV(), BlobCipherMetrics::RESTORE); + return decryptor.decrypt(dataP, dataLen, headerRef, *arena); } static Future decrypt(Database cx, - std::variant header, + BlobCipherEncryptHeaderRef header, const uint8_t* dataP, int64_t dataLen, Arena* arena) { @@ -674,21 +645,12 @@ struct EncryptedRangeFileWriter : public IRangeFileWriter { BlobCipherMetrics::BACKUP); int64_t payloadSize = self->wPtr - self->dataPayloadStart; StringRef encryptedData; - if (self->options.configurableEncryptionEnabled) { - BlobCipherEncryptHeaderRef headerRef; - encryptedData = encryptor.encrypt(self->dataPayloadStart, payloadSize, &headerRef, *self->arena); - Standalone serialized = BlobCipherEncryptHeaderRef::toStringRef(headerRef); - self->arena->dependsOn(serialized.arena()); - ASSERT(serialized.size() == self->encryptHeader.size()); - std::memcpy(mutateString(self->encryptHeader), serialized.begin(), self->encryptHeader.size()); - } else { - BlobCipherEncryptHeader header; - encryptedData = - encryptor.encrypt(self->dataPayloadStart, payloadSize, &header, *self->arena)->toStringRef(); - StringRef encryptHeaderStringRef = BlobCipherEncryptHeader::toStringRef(header, *self->arena); - ASSERT(encryptHeaderStringRef.size() == self->encryptHeader.size()); - std::memcpy(mutateString(self->encryptHeader), encryptHeaderStringRef.begin(), self->encryptHeader.size()); - } + BlobCipherEncryptHeaderRef headerRef; + encryptedData = encryptor.encrypt(self->dataPayloadStart, payloadSize, &headerRef, *self->arena); + Standalone serialized = BlobCipherEncryptHeaderRef::toStringRef(headerRef); + self->arena->dependsOn(serialized.arena()); + ASSERT(serialized.size() == self->encryptHeader.size()); + std::memcpy(mutateString(self->encryptHeader), serialized.begin(), self->encryptHeader.size()); // re-write encrypted data to buffer std::memcpy(self->dataPayloadStart, encryptedData.begin(), payloadSize); @@ -801,27 +763,17 @@ struct EncryptedRangeFileWriter : public IRangeFileWriter { // write Header copyToBuffer(self, (uint8_t*)&self->fileVersion, sizeof(self->fileVersion)); - // write options struct - self->options.configurableEncryptionEnabled = CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION; - Value serialized = - ObjectWriter::toValue(self->options, IncludeVersion(ProtocolVersion::withEncryptedSnapshotBackupFile())); - appendStringRefWithLenToBuffer(self, &serialized); - // calculate encryption header size uint32_t headerSize = 0; - if (self->options.configurableEncryptionEnabled) { - EncryptAuthTokenMode authTokenMode = - getEncryptAuthTokenMode(EncryptAuthTokenMode::ENCRYPT_HEADER_AUTH_TOKEN_MODE_SINGLE); - EncryptAuthTokenAlgo authTokenAlgo = getAuthTokenAlgoFromMode(authTokenMode); - headerSize = BlobCipherEncryptHeaderRef::getHeaderSize( - CLIENT_KNOBS->ENCRYPT_HEADER_FLAGS_VERSION, - getEncryptCurrentAlgoHeaderVersion(authTokenMode, authTokenAlgo), - ENCRYPT_CIPHER_MODE_AES_256_CTR, - authTokenMode, - authTokenAlgo); - } else { - headerSize = BlobCipherEncryptHeader::headerSize; - } + EncryptAuthTokenMode authTokenMode = + getEncryptAuthTokenMode(EncryptAuthTokenMode::ENCRYPT_HEADER_AUTH_TOKEN_MODE_SINGLE); + EncryptAuthTokenAlgo authTokenAlgo = getAuthTokenAlgoFromMode(authTokenMode); + headerSize = + BlobCipherEncryptHeaderRef::getHeaderSize(CLIENT_KNOBS->ENCRYPT_HEADER_FLAGS_VERSION, + getEncryptCurrentAlgoHeaderVersion(authTokenMode, authTokenAlgo), + ENCRYPT_CIPHER_MODE_AES_256_CTR, + authTokenMode, + authTokenAlgo); ASSERT(headerSize > 0); // write header size to buffer copyToBuffer(self, (uint8_t*)&headerSize, sizeof(headerSize)); @@ -977,7 +929,6 @@ private: uint8_t* dataPayloadStart; int64_t blockEnd; uint32_t fileVersion; - Options options; Key lastKey; Key lastValue; SnapshotFileBackupEncryptionKeys cipherKeys; @@ -1258,27 +1209,15 @@ ACTOR Future>> decodeRangeFileBlock(Reference< wait(decodeKVPairs(&reader, &results, false, encryptMode, Optional(), tenantCache)); } else if (file_version == BACKUP_AGENT_ENCRYPTED_SNAPSHOT_FILE_VERSION) { CODE_PROBE(true, "decoding encrypted block"); - // decode options struct - state uint32_t optionsLen = reader.consumeNetworkUInt32(); - const uint8_t* o = reader.consume(optionsLen); - StringRef optionsStringRef = StringRef(o, optionsLen); - EncryptedRangeFileWriter::Options options = - ObjectReader::fromStringRef(optionsStringRef, IncludeVersion()); // read header size state uint32_t headerLen = reader.consume(); // read the encryption header state const uint8_t* headerStart = reader.consume(headerLen); StringRef headerS = StringRef(headerStart, headerLen); - state std::variant encryptHeader; - if (options.configurableEncryptionEnabled) { - encryptHeader = BlobCipherEncryptHeaderRef::fromStringRef(headerS); - blockDomainId = std::get(encryptHeader) - .getCipherDetails() - .textCipherDetails.encryptDomainId; - } else { - encryptHeader = BlobCipherEncryptHeader::fromStringRef(headerS); - blockDomainId = std::get(encryptHeader).cipherTextDetails.encryptDomainId; - } + state BlobCipherEncryptHeaderRef encryptHeader; + + encryptHeader = BlobCipherEncryptHeaderRef::fromStringRef(headerS); + blockDomainId = encryptHeader.getCipherDetails().textCipherDetails.encryptDomainId; if (config.tenantMode == TenantMode::REQUIRED && !isReservedEncryptDomain(blockDomainId)) { ASSERT(tenantCache.present()); @@ -1289,7 +1228,7 @@ ACTOR Future>> decodeRangeFileBlock(Reference< } const uint8_t* dataPayloadStart = headerStart + headerLen; // calculate the total bytes read up to (and including) the header - int64_t bytesRead = sizeof(int32_t) + sizeof(uint32_t) + sizeof(uint32_t) + optionsLen + headerLen; + int64_t bytesRead = sizeof(int32_t) + sizeof(uint32_t) + headerLen; // get the size of the encrypted payload and decrypt it int64_t dataLen = len - bytesRead; StringRef decryptedData = diff --git a/fdbclient/include/fdbclient/ClientKnobs.h b/fdbclient/include/fdbclient/ClientKnobs.h index 31ab812b8f..ef715f5889 100644 --- a/fdbclient/include/fdbclient/ClientKnobs.h +++ b/fdbclient/include/fdbclient/ClientKnobs.h @@ -312,7 +312,6 @@ public: // key_not_found errors for. If TenantInfo::INVALID_TENANT is contained within the list then no tenants will be // dropped. This Knob should ONLY be used in simulation for testing purposes std::string SIMULATION_EKP_TENANT_IDS_TO_DROP; - bool ENABLE_CONFIGURABLE_ENCRYPTION; int ENCRYPT_HEADER_FLAGS_VERSION; int ENCRYPT_HEADER_AES_CTR_NO_AUTH_VERSION; int ENCRYPT_HEADER_AES_CTR_AES_CMAC_AUTH_VERSION; diff --git a/fdbclient/include/fdbclient/CommitTransaction.h b/fdbclient/include/fdbclient/CommitTransaction.h index 256e7e7d9b..bf55f7b266 100644 --- a/fdbclient/include/fdbclient/CommitTransaction.h +++ b/fdbclient/include/fdbclient/CommitTransaction.h @@ -152,28 +152,19 @@ struct MutationRef { EncryptCipherDomainId encryptDomainId() const { ASSERT(isEncrypted()); - return CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION ? configurableEncryptionHeader().getDomainId() - : encryptionHeader()->cipherTextDetails.encryptDomainId; + return configurableEncryptionHeader().getDomainId(); } void updateEncryptCipherDetails(std::unordered_set& cipherDetails) { ASSERT(isEncrypted()); - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { - BlobCipherEncryptHeaderRef header = configurableEncryptionHeader(); - EncryptHeaderCipherDetails details = header.getCipherDetails(); - ASSERT(details.textCipherDetails.isValid()); - cipherDetails.insert(details.textCipherDetails); - if (details.headerCipherDetails.present()) { - ASSERT(details.headerCipherDetails.get().isValid()); - cipherDetails.insert(details.headerCipherDetails.get()); - } - } else { - const BlobCipherEncryptHeader* header = encryptionHeader(); - cipherDetails.insert(header->cipherTextDetails); - if (header->cipherHeaderDetails.isValid()) { - cipherDetails.insert(header->cipherHeaderDetails); - } + BlobCipherEncryptHeaderRef header = configurableEncryptionHeader(); + EncryptHeaderCipherDetails details = header.getCipherDetails(); + ASSERT(details.textCipherDetails.isValid()); + cipherDetails.insert(details.textCipherDetails); + if (details.headerCipherDetails.present()) { + ASSERT(details.headerCipherDetails.get().isValid()); + cipherDetails.insert(details.headerCipherDetails.get()); } } @@ -195,18 +186,11 @@ struct MutationRef { StringRef serializedHeader; StringRef payload; - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { - BlobCipherEncryptHeaderRef header; - payload = cipher.encrypt(static_cast(bw.getData()), bw.getLength(), &header, arena); - Standalone headerStr = BlobCipherEncryptHeaderRef::toStringRef(header); - arena.dependsOn(headerStr.arena()); - serializedHeader = headerStr; - } else { - BlobCipherEncryptHeader* header = new (arena) BlobCipherEncryptHeader; - serializedHeader = StringRef(reinterpret_cast(header), sizeof(BlobCipherEncryptHeader)); - payload = - cipher.encrypt(static_cast(bw.getData()), bw.getLength(), header, arena)->toStringRef(); - } + BlobCipherEncryptHeaderRef header; + payload = cipher.encrypt(static_cast(bw.getData()), bw.getLength(), &header, arena); + Standalone headerStr = BlobCipherEncryptHeaderRef::toStringRef(header); + arena.dependsOn(headerStr.arena()); + serializedHeader = headerStr; return MutationRef(Encrypted, serializedHeader, payload); } @@ -238,21 +222,11 @@ struct MutationRef { getEncryptAuthTokenMode(EncryptAuthTokenMode::ENCRYPT_HEADER_AUTH_TOKEN_MODE_SINGLE), usageType); - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { - BlobCipherEncryptHeaderRef header; - StringRef payload = - cipher.encrypt(static_cast(bw.getData()), bw.getLength(), &header, arena); - Standalone serializedHeader = BlobCipherEncryptHeaderRef::toStringRef(header); - arena.dependsOn(serializedHeader.arena()); - return MutationRef(Encrypted, serializedHeader, payload); - } else { - BlobCipherEncryptHeader* header = new (arena) BlobCipherEncryptHeader; - StringRef serializedHeader = - StringRef(reinterpret_cast(header), sizeof(BlobCipherEncryptHeader)); - StringRef payload = - cipher.encrypt(static_cast(bw.getData()), bw.getLength(), header, arena)->toStringRef(); - return MutationRef(Encrypted, serializedHeader, payload); - } + BlobCipherEncryptHeaderRef header; + StringRef payload = cipher.encrypt(static_cast(bw.getData()), bw.getLength(), &header, arena); + Standalone serializedHeader = BlobCipherEncryptHeaderRef::toStringRef(header); + arena.dependsOn(serializedHeader.arena()); + return MutationRef(Encrypted, serializedHeader, payload); } MutationRef encryptMetadata(const std::unordered_map>& cipherKeys, @@ -266,17 +240,11 @@ struct MutationRef { BlobCipherMetrics::UsageType usageType, StringRef* buf = nullptr) const { StringRef plaintext; - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { - const BlobCipherEncryptHeaderRef header = configurableEncryptionHeader(); - DecryptBlobCipherAes256Ctr cipher( - cipherKeys.cipherTextKey, cipherKeys.cipherHeaderKey, header.getIV(), usageType); - plaintext = cipher.decrypt(param2.begin(), param2.size(), header, arena); - } else { - const BlobCipherEncryptHeader* header = encryptionHeader(); - DecryptBlobCipherAes256Ctr cipher( - cipherKeys.cipherTextKey, cipherKeys.cipherHeaderKey, header->iv, usageType); - plaintext = cipher.decrypt(param2.begin(), param2.size(), *header, arena)->toStringRef(); - } + const BlobCipherEncryptHeaderRef header = configurableEncryptionHeader(); + DecryptBlobCipherAes256Ctr cipher( + cipherKeys.cipherTextKey, cipherKeys.cipherHeaderKey, header.getIV(), usageType); + plaintext = cipher.decrypt(param2.begin(), param2.size(), header, arena); + if (buf != nullptr) { *buf = plaintext; } @@ -305,21 +273,15 @@ struct MutationRef { return iter->second; }; TextAndHeaderCipherKeys textAndHeaderKeys; - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { - const BlobCipherEncryptHeaderRef header = configurableEncryptionHeader(); - EncryptHeaderCipherDetails cipherDetails = header.getCipherDetails(); - ASSERT(cipherDetails.textCipherDetails.isValid()); - textAndHeaderKeys.cipherTextKey = getCipherKey(cipherDetails.textCipherDetails); - if (cipherDetails.headerCipherDetails.present()) { - ASSERT(cipherDetails.headerCipherDetails.get().isValid()); - textAndHeaderKeys.cipherHeaderKey = getCipherKey(cipherDetails.headerCipherDetails.get()); - } else { - ASSERT(!FLOW_KNOBS->ENCRYPT_HEADER_AUTH_TOKEN_ENABLED); - } + const BlobCipherEncryptHeaderRef header = configurableEncryptionHeader(); + EncryptHeaderCipherDetails cipherDetails = header.getCipherDetails(); + ASSERT(cipherDetails.textCipherDetails.isValid()); + textAndHeaderKeys.cipherTextKey = getCipherKey(cipherDetails.textCipherDetails); + if (cipherDetails.headerCipherDetails.present()) { + ASSERT(cipherDetails.headerCipherDetails.get().isValid()); + textAndHeaderKeys.cipherHeaderKey = getCipherKey(cipherDetails.headerCipherDetails.get()); } else { - const BlobCipherEncryptHeader* header = encryptionHeader(); - textAndHeaderKeys.cipherHeaderKey = getCipherKey(header->cipherHeaderDetails); - textAndHeaderKeys.cipherTextKey = getCipherKey(header->cipherTextDetails); + ASSERT(!FLOW_KNOBS->ENCRYPT_HEADER_AUTH_TOKEN_ENABLED); } return textAndHeaderKeys; } diff --git a/fdbclient/include/fdbclient/GetEncryptCipherKeys_impl.actor.h b/fdbclient/include/fdbclient/GetEncryptCipherKeys_impl.actor.h index f8c472c2e0..522789a72e 100644 --- a/fdbclient/include/fdbclient/GetEncryptCipherKeys_impl.actor.h +++ b/fdbclient/include/fdbclient/GetEncryptCipherKeys_impl.actor.h @@ -365,8 +365,6 @@ ACTOR template Future _getEncryptCipherKeys(Reference const> db, BlobCipherEncryptHeaderRef header, BlobCipherMetrics::UsageType usageType) { - ASSERT(CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION); - state bool authenticatedEncryption = header.getAuthTokenMode() != ENCRYPT_HEADER_AUTH_TOKEN_MODE_NONE; state EncryptHeaderCipherDetails details = header.getCipherDetails(); diff --git a/fdbserver/CommitProxyServer.actor.cpp b/fdbserver/CommitProxyServer.actor.cpp index eb88745368..1cf267fe20 100644 --- a/fdbserver/CommitProxyServer.actor.cpp +++ b/fdbserver/CommitProxyServer.actor.cpp @@ -1720,17 +1720,10 @@ ACTOR Future writeMutationEncryptedMutation(CommitBatchCont ASSERT(encryptedMutation.isEncrypted()); Reference const> dbInfo = self->pProxyCommitData->db; - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { - headerRef = encryptedMutation.configurableEncryptionHeader(); - TextAndHeaderCipherKeys cipherKeys = - wait(GetEncryptCipherKeys::getEncryptCipherKeys(dbInfo, headerRef, BlobCipherMetrics::TLOG)); - decryptedMutation = encryptedMutation.decrypt(cipherKeys, *arena, BlobCipherMetrics::TLOG); - } else { - header = encryptedMutation.encryptionHeader(); - TextAndHeaderCipherKeys cipherKeys = - wait(GetEncryptCipherKeys::getEncryptCipherKeys(dbInfo, *header, BlobCipherMetrics::TLOG)); - decryptedMutation = encryptedMutation.decrypt(cipherKeys, *arena, BlobCipherMetrics::TLOG); - } + headerRef = encryptedMutation.configurableEncryptionHeader(); + TextAndHeaderCipherKeys cipherKeys = + wait(GetEncryptCipherKeys::getEncryptCipherKeys(dbInfo, headerRef, BlobCipherMetrics::TLOG)); + decryptedMutation = encryptedMutation.decrypt(cipherKeys, *arena, BlobCipherMetrics::TLOG); ASSERT(decryptedMutation.type == mutation->type); ASSERT(decryptedMutation.param1 == mutation->param1); diff --git a/fdbserver/KeyValueStoreMemory.actor.cpp b/fdbserver/KeyValueStoreMemory.actor.cpp index 6f9a798549..5fea5c1d4a 100644 --- a/fdbserver/KeyValueStoreMemory.actor.cpp +++ b/fdbserver/KeyValueStoreMemory.actor.cpp @@ -523,25 +523,14 @@ private: uint16_t encryptHeaderSize; // TODO: If possible we want to avoid memcpy to the disk log by using the same arena used by IDiskQueue Arena arena; - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { - BlobCipherEncryptHeaderRef headerRef; - StringRef cipherText = cipher.encrypt(plaintext, v1.size() + v2.size(), &headerRef, arena); - Standalone headerRefStr = BlobCipherEncryptHeaderRef::toStringRef(headerRef); - encryptHeaderSize = headerRefStr.size(); - ASSERT(encryptHeaderSize > 0); - log->push(StringRef((const uint8_t*)&encryptHeaderSize, sizeof(encryptHeaderSize))); - log->push(headerRefStr); - log->push(cipherText); - } else { - BlobCipherEncryptHeader cipherHeader; - StringRef ciphertext = - cipher.encrypt(plaintext, v1.size() + v2.size(), &cipherHeader, arena)->toStringRef(); - encryptHeaderSize = BlobCipherEncryptHeader::headerSize; - ASSERT(encryptHeaderSize > 0); - log->push(StringRef((const uint8_t*)&encryptHeaderSize, sizeof(encryptHeaderSize))); - log->push(StringRef((const uint8_t*)&cipherHeader, encryptHeaderSize)); - log->push(ciphertext); - } + BlobCipherEncryptHeaderRef headerRef; + StringRef cipherText = cipher.encrypt(plaintext, v1.size() + v2.size(), &headerRef, arena); + Standalone headerRefStr = BlobCipherEncryptHeaderRef::toStringRef(headerRef); + encryptHeaderSize = headerRefStr.size(); + ASSERT(encryptHeaderSize > 0); + log->push(StringRef((const uint8_t*)&encryptHeaderSize, sizeof(encryptHeaderSize))); + log->push(headerRefStr); + log->push(cipherText); } return log->push("\x01"_sr); // Changes here should be reflected in OP_DISK_OVERHEAD } @@ -593,25 +582,15 @@ private: } state Arena arena; state StringRef plaintext; - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { - state BlobCipherEncryptHeaderRef cipherHeaderRef = - BlobCipherEncryptHeaderRef::fromStringRef(StringRef(data.begin(), encryptHeaderSize)); - TextAndHeaderCipherKeys cipherKeys = wait(GetEncryptCipherKeys::getEncryptCipherKeys( - self->db, cipherHeaderRef, BlobCipherMetrics::KV_MEMORY)); - DecryptBlobCipherAes256Ctr cipher(cipherKeys.cipherTextKey, - cipherKeys.cipherHeaderKey, - cipherHeaderRef.getIV(), - BlobCipherMetrics::KV_MEMORY); - plaintext = cipher.decrypt(data.begin() + encryptHeaderSize, h.len1 + h.len2, cipherHeaderRef, arena); - } else { - state BlobCipherEncryptHeader cipherHeader = *(BlobCipherEncryptHeader*)data.begin(); - TextAndHeaderCipherKeys cipherKeys = wait(GetEncryptCipherKeys::getEncryptCipherKeys( - self->db, cipherHeader, BlobCipherMetrics::KV_MEMORY)); - DecryptBlobCipherAes256Ctr cipher( - cipherKeys.cipherTextKey, cipherKeys.cipherHeaderKey, cipherHeader.iv, BlobCipherMetrics::KV_MEMORY); - plaintext = - cipher.decrypt(data.begin() + encryptHeaderSize, h.len1 + h.len2, cipherHeader, arena)->toStringRef(); - } + state BlobCipherEncryptHeaderRef cipherHeaderRef = + BlobCipherEncryptHeaderRef::fromStringRef(StringRef(data.begin(), encryptHeaderSize)); + TextAndHeaderCipherKeys cipherKeys = wait(GetEncryptCipherKeys::getEncryptCipherKeys( + self->db, cipherHeaderRef, BlobCipherMetrics::KV_MEMORY)); + DecryptBlobCipherAes256Ctr cipher(cipherKeys.cipherTextKey, + cipherKeys.cipherHeaderKey, + cipherHeaderRef.getIV(), + BlobCipherMetrics::KV_MEMORY); + plaintext = cipher.decrypt(data.begin() + encryptHeaderSize, h.len1 + h.len2, cipherHeaderRef, arena); return Standalone(plaintext, arena); } diff --git a/fdbserver/fdbserver.actor.cpp b/fdbserver/fdbserver.actor.cpp index 2a49c47122..7096804b14 100644 --- a/fdbserver/fdbserver.actor.cpp +++ b/fdbserver/fdbserver.actor.cpp @@ -2331,10 +2331,6 @@ int main(int argc, char* argv[]) { g_knobs.setKnob("encrypt_header_auth_token_algo", KnobValue::create((int)ini.GetLongValue( "META", "encryptHeaderAuthTokenAlgo", FLOW_KNOBS->ENCRYPT_HEADER_AUTH_TOKEN_ALGO))); - g_knobs.setKnob("enable_configurable_encryption", - KnobValue::create(ini.GetBoolValue("META", - "enableConfigurableEncryption", - CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION))); g_knobs.setKnob( "shard_encode_location_metadata", diff --git a/fdbserver/include/fdbserver/IPageEncryptionKeyProvider.actor.h b/fdbserver/include/fdbserver/IPageEncryptionKeyProvider.actor.h index 4a54474693..ee0607bd3f 100644 --- a/fdbserver/include/fdbserver/IPageEncryptionKeyProvider.actor.h +++ b/fdbserver/include/fdbserver/IPageEncryptionKeyProvider.actor.h @@ -163,15 +163,9 @@ namespace { template int64_t getEncryptionDomainIdFromAesEncryptionHeader(const void* encodingHeader) { using Encoder = typename ArenaPage::AESEncryptionEncoder; - using EncodingHeader = typename Encoder::Header; ASSERT(encodingHeader != nullptr); - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { - BlobCipherEncryptHeaderRef headerRef = Encoder::getEncryptionHeaderRef(encodingHeader); - return headerRef.getCipherDetails().textCipherDetails.encryptDomainId; - } else { - const BlobCipherEncryptHeader& header = reinterpret_cast(encodingHeader)->encryption; - return header.cipherTextDetails.encryptDomainId; - } + BlobCipherEncryptHeaderRef headerRef = Encoder::getEncryptionHeaderRef(encodingHeader); + return headerRef.getCipherDetails().textCipherDetails.encryptDomainId; } } // anonymous namespace @@ -208,25 +202,15 @@ public: Future getEncryptionKey(const void* encodingHeader) override { using Encoder = typename ArenaPage::AESEncryptionEncoder; EncryptionKey s; - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { - const BlobCipherEncryptHeaderRef headerRef = Encoder::getEncryptionHeaderRef(encodingHeader); - EncryptHeaderCipherDetails details = headerRef.getCipherDetails(); - ASSERT(details.textCipherDetails.isValid()); - s.aesKey.cipherTextKey = - getCipherKey(details.textCipherDetails.encryptDomainId, details.textCipherDetails.baseCipherId); - if (details.headerCipherDetails.present()) { - ASSERT(details.headerCipherDetails.get().isValid()); - s.aesKey.cipherHeaderKey = getCipherKey(details.headerCipherDetails.get().encryptDomainId, - details.headerCipherDetails.get().baseCipherId); - } - } else { - const typename Encoder::Header* h = reinterpret_cast(encodingHeader); - s.aesKey.cipherTextKey = getCipherKey(h->encryption.cipherTextDetails.encryptDomainId, - h->encryption.cipherTextDetails.baseCipherId); - if (h->encryption.cipherHeaderDetails.isValid()) { - s.aesKey.cipherHeaderKey = getCipherKey(h->encryption.cipherHeaderDetails.encryptDomainId, - h->encryption.cipherHeaderDetails.baseCipherId); - } + const BlobCipherEncryptHeaderRef headerRef = Encoder::getEncryptionHeaderRef(encodingHeader); + EncryptHeaderCipherDetails details = headerRef.getCipherDetails(); + ASSERT(details.textCipherDetails.isValid()); + s.aesKey.cipherTextKey = + getCipherKey(details.textCipherDetails.encryptDomainId, details.textCipherDetails.baseCipherId); + if (details.headerCipherDetails.present()) { + ASSERT(details.headerCipherDetails.get().isValid()); + s.aesKey.cipherHeaderKey = getCipherKey(details.headerCipherDetails.get().encryptDomainId, + details.headerCipherDetails.get().baseCipherId); } return s; } @@ -338,17 +322,10 @@ public: ACTOR static Future getEncryptionKey(AESEncryptionKeyProvider* self, const void* encodingHeader) { state TextAndHeaderCipherKeys cipherKeys; - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { - BlobCipherEncryptHeaderRef headerRef = Encoder::getEncryptionHeaderRef(encodingHeader); - TextAndHeaderCipherKeys cks = wait(GetEncryptCipherKeys::getEncryptCipherKeys( - self->db, headerRef, BlobCipherMetrics::KV_REDWOOD)); - cipherKeys = cks; - } else { - const BlobCipherEncryptHeader& header = reinterpret_cast(encodingHeader)->encryption; - TextAndHeaderCipherKeys cks = wait(GetEncryptCipherKeys::getEncryptCipherKeys( - self->db, header, BlobCipherMetrics::KV_REDWOOD)); - cipherKeys = cks; - } + BlobCipherEncryptHeaderRef headerRef = Encoder::getEncryptionHeaderRef(encodingHeader); + TextAndHeaderCipherKeys cks = wait(GetEncryptCipherKeys::getEncryptCipherKeys( + self->db, headerRef, BlobCipherMetrics::KV_REDWOOD)); + cipherKeys = cks; EncryptionKey encryptionKey; encryptionKey.aesKey = cipherKeys; return encryptionKey; diff --git a/fdbserver/include/fdbserver/IPager.h b/fdbserver/include/fdbserver/IPager.h index 013c4f7da1..2ca8e5773d 100644 --- a/fdbserver/include/fdbserver/IPager.h +++ b/fdbserver/include/fdbserver/IPager.h @@ -434,32 +434,22 @@ public: BlobCipherMetrics::KV_REDWOOD); Arena arena; - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { - BlobCipherEncryptHeaderRef headerRef; - if (FLOW_KNOBS->ENCRYPT_INPLACE_ENABLED) { - cipher.encryptInplace(payload, len, &headerRef); - } else { - StringRef ciphertext = cipher.encrypt(payload, len, &headerRef, arena); - ASSERT_EQ(len, ciphertext.size()); - memcpy(payload, ciphertext.begin(), len); - } - - Standalone serializedHeader = BlobCipherEncryptHeaderRef::toStringRef(headerRef); - ASSERT(serializedHeader.size() <= BlobCipherEncryptHeader::headerSize); - memcpy(h->encryptionHeaderBuf, serializedHeader.begin(), serializedHeader.size()); - if (serializedHeader.size() < BlobCipherEncryptHeader::headerSize) { - memset(h->encryptionHeaderBuf + serializedHeader.size(), - 0, - BlobCipherEncryptHeader::headerSize - serializedHeader.size()); - } + BlobCipherEncryptHeaderRef headerRef; + if (FLOW_KNOBS->ENCRYPT_INPLACE_ENABLED) { + cipher.encryptInplace(payload, len, &headerRef); } else { - if (FLOW_KNOBS->ENCRYPT_INPLACE_ENABLED) { - cipher.encryptInplace(payload, len, &h->encryption); - } else { - StringRef ciphertext = cipher.encrypt(payload, len, &h->encryption, arena)->toStringRef(); - ASSERT_EQ(len, ciphertext.size()); - memcpy(payload, ciphertext.begin(), len); - } + StringRef ciphertext = cipher.encrypt(payload, len, &headerRef, arena); + ASSERT_EQ(len, ciphertext.size()); + memcpy(payload, ciphertext.begin(), len); + } + + Standalone serializedHeader = BlobCipherEncryptHeaderRef::toStringRef(headerRef); + ASSERT(serializedHeader.size() <= BlobCipherEncryptHeader::headerSize); + memcpy(h->encryptionHeaderBuf, serializedHeader.begin(), serializedHeader.size()); + if (serializedHeader.size() < BlobCipherEncryptHeader::headerSize) { + memset(h->encryptionHeaderBuf + serializedHeader.size(), + 0, + BlobCipherEncryptHeader::headerSize - serializedHeader.size()); } if constexpr (encodingType == AESEncryption) { @@ -468,7 +458,6 @@ public: } static BlobCipherEncryptHeaderRef getEncryptionHeaderRef(const void* header) { - ASSERT(CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION); const Header* h = reinterpret_cast(header); return BlobCipherEncryptHeaderRef::fromStringRef( StringRef(h->encryptionHeaderBuf, headerSize - (h->encryptionHeaderBuf - (const uint8_t*)h))); @@ -486,32 +475,15 @@ public: } } Arena arena; - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { - BlobCipherEncryptHeaderRef headerRef = getEncryptionHeaderRef(header); - DecryptBlobCipherAes256Ctr cipher(cipherKeys.cipherTextKey, - cipherKeys.cipherHeaderKey, - headerRef.getIV(), - BlobCipherMetrics::KV_REDWOOD); - if (FLOW_KNOBS->ENCRYPT_INPLACE_ENABLED) { - cipher.decryptInplace(payload, len, headerRef); - } else { - StringRef plaintext = cipher.decrypt(payload, len, headerRef, arena); - ASSERT_EQ(len, plaintext.size()); - memcpy(payload, plaintext.begin(), len); - } - + BlobCipherEncryptHeaderRef headerRef = getEncryptionHeaderRef(header); + DecryptBlobCipherAes256Ctr cipher( + cipherKeys.cipherTextKey, cipherKeys.cipherHeaderKey, headerRef.getIV(), BlobCipherMetrics::KV_REDWOOD); + if (FLOW_KNOBS->ENCRYPT_INPLACE_ENABLED) { + cipher.decryptInplace(payload, len, headerRef); } else { - DecryptBlobCipherAes256Ctr cipher(cipherKeys.cipherTextKey, - cipherKeys.cipherHeaderKey, - h->encryption.iv, - BlobCipherMetrics::KV_REDWOOD); - if (FLOW_KNOBS->ENCRYPT_INPLACE_ENABLED) { - cipher.decryptInplace(payload, len, h->encryption); - } else { - StringRef plaintext = cipher.decrypt(payload, len, h->encryption, arena)->toStringRef(); - ASSERT_EQ(len, plaintext.size()); - memcpy(payload, plaintext.begin(), len); - } + StringRef plaintext = cipher.decrypt(payload, len, headerRef, arena); + ASSERT_EQ(len, plaintext.size()); + memcpy(payload, plaintext.begin(), len); } } }; diff --git a/fdbserver/workloads/EncryptionOps.actor.cpp b/fdbserver/workloads/EncryptionOps.actor.cpp index 1a56e2fa96..8f9cfccfbc 100644 --- a/fdbserver/workloads/EncryptionOps.actor.cpp +++ b/fdbserver/workloads/EncryptionOps.actor.cpp @@ -512,7 +512,7 @@ struct EncryptionOpsWorkload : TestWorkload { // decrypt doDecryption(encrypted, dataLen, header, buff.get(), cipherKey, tmpArena); - if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) { + { BlobCipherEncryptHeaderRef headerRef; StringRef encrypted = doEncryption( cipherKey, headerCipherKey, buff.get(), dataLen, authMode, authAlgo, &headerRef, tmpArena); diff --git a/fdbserver/workloads/SaveAndKill.actor.cpp b/fdbserver/workloads/SaveAndKill.actor.cpp index 681fe413cf..66ec1d66d0 100644 --- a/fdbserver/workloads/SaveAndKill.actor.cpp +++ b/fdbserver/workloads/SaveAndKill.actor.cpp @@ -80,7 +80,6 @@ struct SaveAndKillWorkload : TestWorkload { ini.SetValue("META", "defaultTenant", cx->defaultTenant.get().toString().c_str()); } ini.SetBoolValue("META", "enableShardEncodeLocationMetadata", SERVER_KNOBS->SHARD_ENCODE_LOCATION_METADATA); - ini.SetBoolValue("META", "enableConfigurableEncryption", CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION); ini.SetBoolValue("META", "encryptHeaderAuthTokenEnabled", FLOW_KNOBS->ENCRYPT_HEADER_AUTH_TOKEN_ENABLED); ini.SetLongValue("META", "encryptHeaderAuthTokenAlgo", FLOW_KNOBS->ENCRYPT_HEADER_AUTH_TOKEN_ALGO); diff --git a/tests/TestRunner/local_cluster.py b/tests/TestRunner/local_cluster.py index 14ed7d6656..5a888115bd 100644 --- a/tests/TestRunner/local_cluster.py +++ b/tests/TestRunner/local_cluster.py @@ -277,7 +277,6 @@ knob_min_trace_severity=5 encrypt_config = "\n".join( [ "knob_kms_connector_type=FDBPerfKmsConnector", - "knob_enable_configurable_encryption=true", ] ) f.write( diff --git a/tests/fast/BlobRestoreTenantMode.toml b/tests/fast/BlobRestoreTenantMode.toml index 289a4c379d..445ac98aaf 100644 --- a/tests/fast/BlobRestoreTenantMode.toml +++ b/tests/fast/BlobRestoreTenantMode.toml @@ -11,7 +11,6 @@ storageEngineExcludeTypes = [4, 5] [[knobs]] bg_metadata_source = "tenant" bg_key_tuple_truncate_offset = 1 -enable_configurable_encryption = true enable_rest_kms_communication = true bg_consistency_check_enabled = 0 shard_encode_location_metadata = false diff --git a/tests/fast/EncryptionOps.toml b/tests/fast/EncryptionOps.toml index 439244cb08..2904d161df 100644 --- a/tests/fast/EncryptionOps.toml +++ b/tests/fast/EncryptionOps.toml @@ -3,9 +3,6 @@ buggify = false testClass = "Encryption" encryptModes = ['disabled'] -[[knobs]] -enable_configurable_encryption = true - [[test]] testTitle = 'EncryptDecrypt' diff --git a/tests/fast/EncryptionUnitTests.toml b/tests/fast/EncryptionUnitTests.toml index ae9b4df085..66adf38c02 100644 --- a/tests/fast/EncryptionUnitTests.toml +++ b/tests/fast/EncryptionUnitTests.toml @@ -1,6 +1,3 @@ -[[knobs]] -enable_configurable_encryption = true - [[test]] testTitle = 'BlobCipherUnitTest' useDB = false diff --git a/tests/restarting/from_7.3.0/BlobGranuleRestartCorrectness-1.toml b/tests/restarting/from_7.3.0/BlobGranuleRestartCorrectness-1.toml index a9a6e55ec8..3bdbdefcc6 100644 --- a/tests/restarting/from_7.3.0/BlobGranuleRestartCorrectness-1.toml +++ b/tests/restarting/from_7.3.0/BlobGranuleRestartCorrectness-1.toml @@ -9,7 +9,6 @@ injectSSDelay = true [[knobs]] bg_metadata_source = "tenant" bg_key_tuple_truncate_offset = 1 -enable_configurable_encryption = true enable_rest_kms_communication = true deterministic_blob_metadata = true diff --git a/tests/restarting/from_7.3.0/BlobGranuleRestartCorrectness-2.toml b/tests/restarting/from_7.3.0/BlobGranuleRestartCorrectness-2.toml index 5997957114..cf7e96ac78 100644 --- a/tests/restarting/from_7.3.0/BlobGranuleRestartCorrectness-2.toml +++ b/tests/restarting/from_7.3.0/BlobGranuleRestartCorrectness-2.toml @@ -9,7 +9,6 @@ injectSSDelay = true [[knobs]] bg_metadata_source = "tenant" bg_key_tuple_truncate_offset = 1 -enable_configurable_encryption = true enable_rest_kms_communication = true deterministic_blob_metadata = true diff --git a/tests/restarting/to_7.4.0/BlobGranuleRestartCorrectness-1.toml b/tests/restarting/to_7.4.0/BlobGranuleRestartCorrectness-1.toml index a9a6e55ec8..3bdbdefcc6 100644 --- a/tests/restarting/to_7.4.0/BlobGranuleRestartCorrectness-1.toml +++ b/tests/restarting/to_7.4.0/BlobGranuleRestartCorrectness-1.toml @@ -9,7 +9,6 @@ injectSSDelay = true [[knobs]] bg_metadata_source = "tenant" bg_key_tuple_truncate_offset = 1 -enable_configurable_encryption = true enable_rest_kms_communication = true deterministic_blob_metadata = true diff --git a/tests/restarting/to_7.4.0/BlobGranuleRestartCorrectness-2.toml b/tests/restarting/to_7.4.0/BlobGranuleRestartCorrectness-2.toml index 5997957114..cf7e96ac78 100644 --- a/tests/restarting/to_7.4.0/BlobGranuleRestartCorrectness-2.toml +++ b/tests/restarting/to_7.4.0/BlobGranuleRestartCorrectness-2.toml @@ -9,7 +9,6 @@ injectSSDelay = true [[knobs]] bg_metadata_source = "tenant" bg_key_tuple_truncate_offset = 1 -enable_configurable_encryption = true enable_rest_kms_communication = true deterministic_blob_metadata = true diff --git a/tests/slow/BlobGranuleCorrectness.toml b/tests/slow/BlobGranuleCorrectness.toml index 2614f60790..640615f03f 100644 --- a/tests/slow/BlobGranuleCorrectness.toml +++ b/tests/slow/BlobGranuleCorrectness.toml @@ -8,7 +8,6 @@ injectSSDelay = true [[knobs]] bg_metadata_source = "tenant" bg_key_tuple_truncate_offset = 1 -enable_configurable_encryption = true enable_rest_kms_communication = true [[test]] diff --git a/tests/slow/BlobGranuleCorrectnessClean.toml b/tests/slow/BlobGranuleCorrectnessClean.toml index 28c6ef663c..e7d4c143cb 100644 --- a/tests/slow/BlobGranuleCorrectnessClean.toml +++ b/tests/slow/BlobGranuleCorrectnessClean.toml @@ -5,7 +5,6 @@ tenantModes = ['optional', 'required'] [[knobs]] bg_metadata_source = "tenant" -enable_configurable_encryption = true enable_rest_kms_communication = true [[test]]