// Copyright 2017 The Cockroach Authors.
//
// Licensed as a CockroachDB Enterprise file under the Cockroach Community
// License (the "License"); you may not use this file except in compliance with
// the License. You may obtain a copy of the License at
//
//     https://github.com/cockroachdb/cockroach/blob/master/licenses/CCL.txt

syntax = "proto3";
package cockroach.ccl.storageccl.engineccl.enginepbccl;
option go_package = "enginepbccl";

import "gogoproto/gogo.proto";

// EncryptionType identifies the cipher used with a key.
//
// The values are unprefixed (not ENCRYPTION_TYPE_*); renaming them would
// change the generated Go identifiers, so they stay as they are. Because
// proto3 treats 0 as the default, a KeyInfo or EncryptionSettings whose
// encryption_type was never set decodes as Plaintext, indistinguishable from
// one that was set to Plaintext on purpose.
enum EncryptionType {
  // No encryption.
  Plaintext = 0;
  // AES in counter (CTR) mode with various key lengths (128/192/256 bits).
  AES128_CTR = 1;
  AES192_CTR = 2;
  AES256_CTR = 3;
}

// DataKeysRegistry contains all data keys (including the raw key) as well
// as store key information (excluding raw key).
// This is written to disk.
//
// Since data_keys carries raw key material (SecretKey.key), the serialized
// registry is itself secret: never log or dump it. The on-disk form is
// presumably protected with the active store key -- confirm against the engine
// code that reads and writes this message.
message DataKeysRegistry {
  // Map of key_id to KeyInfo (raw key is not included).
  map<string, KeyInfo> store_keys = 1;
  // Map of key_id to SecretKey (raw key is included).
  map<string, SecretKey> data_keys = 2;
  // Active key IDs. Empty means no keys loaded yet.
  // Each is presumably a key of the corresponding map above; the schema does
  // not enforce that, so readers must handle a dangling ID.
  string active_store_key_id = 3;
  string active_data_key_id = 4;
}

// KeyInfo contains information about the key, but not the key itself.
// This is safe to pass around, log, and store.
message KeyInfo {
  // EncryptionType is the type of encryption (aka: cipher) used with this key.
  // Unset decodes as Plaintext (the proto3 zero value).
  EncryptionType encryption_type = 1;
  // The ID (hash) of this key. Also used as the map key in DataKeysRegistry
  // and referenced by EncryptionSettings.key_id.
  string key_id = 2;
  // First time this key was seen (in seconds since epoch).
  // Kept as int64 rather than google.protobuf.Timestamp: changing the field
  // type would break the on-disk format.
  int64 creation_time = 3;
  // Source is a description of the source. This could be a filename,
  // or the key manager that made the key. eg: "data key manager".
  string source = 4;

  // Was exposed is true if we ever wrote the key in plaintext.
  // This does not apply to store keys, only data keys.
  // The registry records the fact but enforces no policy; code that decides
  // whether an exposed key may still be used must consult this flag itself.
  bool was_exposed = 5;
  // ID of the key that caused this key to be created.
  // For a data key this is presumably the store key active at creation time
  // -- confirm against the key manager.
  string parent_key_id = 6;
}

// SecretKey contains the information about the key AND the raw key itself.
// This should never be logged, displayed, or stored outside of the key registry.
// The name is intended to make users of the key wary of the usage.
//
// Generated stringers usually print every field, so formatting this message
// with %v/%+v or handing it to a logger would print the raw key -- confirm
// whether the generated Go type overrides String() before relying on it.
message SecretKey {
  // Metadata about the key (safe to log); see KeyInfo.
  KeyInfo info = 1;
  // The raw key. Its length should match info.encryption_type (16/24/32
  // bytes for AES128/192/256_CTR); the schema does not enforce this.
  bytes key = 2;
}

// EncryptionSettings describes the encryption settings for a file.
// This is stored as a protobuf.Any inside the FileEntry as described in:
// pkg/storage/enginepb/file_registry.proto
message EncryptionSettings {
  // Cipher used for the file. Unset decodes as Plaintext (proto3 zero value).
  EncryptionType encryption_type = 1;

  // Fields for AES-CTR. Empty when encryption_type = Plaintext.
  // ID of the registry key (KeyInfo.key_id) the file was encrypted with.
  string key_id = 2;
  // len(nonce) + sizeof(counter) should add up to AES_Blocksize (128 bits).
  // nonce and counter together form the initial CTR block. In CTR mode,
  // reusing the same (key, nonce) for two different plaintexts reuses the
  // keystream and destroys confidentiality, so whoever builds these settings
  // must generate a fresh nonce per file under a given key. The schema cannot
  // enforce that.
  bytes nonce = 3; // 12 bytes
  uint32 counter = 4; // 4 bytes
}