
     1  // Copyright 2017 The Cockroach Authors.
     2  //
     3  // Licensed as a CockroachDB Enterprise file under the Cockroach Community
     4  // License (the "License"); you may not use this file except in compliance with
     5  // the License. You may obtain a copy of the License at
     6  //
     7  //     https://github.com/cockroachdb/cockroach/blob/master/licenses/CCL.txt
     8  
// proto3: scalar fields have implicit presence, so 0 / "" / false on the
// wire is indistinguishable from "unset". This matters for the enum and
// bool fields below.
syntax = "proto3";
package cockroach.ccl.storageccl.engineccl.enginepbccl;
option go_package = "enginepbccl";

// NOTE(review): no gogoproto options appear in this file; the import may be
// required by the build or may be vestigial — verify before touching it.
import "gogoproto/gogo.proto";
    14  
// EncryptionType identifies the cipher used for a key (KeyInfo) or a file
// (EncryptionSettings). Only the numeric values are the wire contract.
// NOTE(review): the zero value is Plaintext rather than an UNSPECIFIED
// sentinel, so a message whose encryption_type is omitted or stripped
// decodes as "no encryption". Consumers must treat that as a deliberate
// plaintext choice and not as "unknown". The values are also unprefixed;
// renaming or renumbering them now would break generated code / the wire.
enum EncryptionType {
  // No encryption.
  Plaintext = 0;
  // AES in counter mode with various key lengths.
  // CTR mode provides confidentiality only; it carries no integrity
  // protection, so tampering with ciphertext is not detected at this layer.
  AES128_CTR = 1;
  AES192_CTR = 2;
  AES256_CTR = 3;
}
    23  
    24  // DataKeysRegistry contains all data keys (including the raw key) as well
    25  // as store key information (excluding raw key).
    26  // This is written to disk.
// DataKeysRegistry contains all data keys (including the raw key) as well
// as store key information (excluding raw key).
// This is written to disk.
// Because data_keys carries SecretKey values, the serialized registry is
// itself secret material: it must never be logged, dumped into diagnostics,
// or copied anywhere the raw keys themselves would not be allowed.
message DataKeysRegistry {
  // Map of key_id to KeyInfo (raw key is not included).
  // Map iteration order is undefined on the wire; do not depend on it.
  map<string, KeyInfo> store_keys = 1;
  // Map of key_id to SecretKey (raw key is included).
  map<string, SecretKey> data_keys = 2;
  // Active key IDs. Empty means no keys loaded yet.
  // Presumably each ID is a key of the corresponding map above; the schema
  // does not enforce that — verify in the registry loader.
  string active_store_key_id = 3;
  string active_data_key_id = 4;
}
    36  
    37  // KeyInfo contains information about the key, but not the key itself.
    38  // This is safe to pass around, log, and store.
// KeyInfo contains information about the key, but not the key itself.
// This is safe to pass around, log, and store.
message KeyInfo {
  // EncryptionType is the type of encryption (aka: cipher) used with this key.
  EncryptionType encryption_type = 1;
  // The ID (hash) of this key.
  // NOTE(review): the hash function is not stated here; the ID is only safe
  // to log if it cannot be used to recover the raw key — confirm in the
  // code that derives it.
  string key_id = 2;
  // First time this key was seen (in seconds since epoch).
  // Plain int64, not google.protobuf.Timestamp; the unit is seconds, not ms.
  int64 creation_time = 3;
  // Source is a description of the source. This could be a filename,
  // or the key manager that made the key. eg: "data key manager".
  string source = 4;

  // Was exposed is true if we ever wrote the key in plaintext.
  // This does not apply to store keys, only data keys.
  // proto3 implicit presence: false is indistinguishable from unset, so a
  // missing field reads as "never exposed".
  bool was_exposed = 5;
  // ID of the key that caused this key to be created.
  // NOTE(review): presumably the store key that was active when a data key
  // was created — confirm against the key manager.
  string parent_key_id = 6;
}
    56  
    57  // SecretKey contains the information about the key AND the raw key itself.
    58  // This should never be logged, displayed, or stored outside of the key registry.
    59  // The name is intended to make users of the key wary of the usage.
// SecretKey contains the information about the key AND the raw key itself.
// This should never be logged, displayed, or stored outside of the key registry.
// The name is intended to make users of the key wary of the usage.
message SecretKey {
  // Non-secret metadata for the key; this is the part that may be logged.
  KeyInfo info = 1;
  // The raw key.
  // Its length is presumably fixed by info.encryption_type (16/24/32 bytes
  // for AES-128/192/256); the schema does not enforce that, so the consumer
  // must validate it — TODO confirm where.
  bytes key = 2;
}
    65  
    66  // EncryptionSettings describes the encryption settings for a file.
    67  // This is stored as a protobuf.Any inside the FileEntry as described in:
    68  // pkg/storage/enginepb/file_registry.proto
// EncryptionSettings describes the encryption settings for a file.
// This is stored as a protobuf.Any inside the FileEntry as described in:
// pkg/storage/enginepb/file_registry.proto
message EncryptionSettings {
  // Cipher used for this file. An absent field decodes as Plaintext (the
  // enum's zero value), so a missing or stripped settings entry reads as
  // "not encrypted" rather than as an error.
  EncryptionType encryption_type = 1;

  // Fields for AES-CTR. Empty when encryption_type = Plaintext.
  // key_id identifies the data key (see KeyInfo.key_id) used for this file.
  string key_id = 2;
  // len(nonce) + sizeof(counter) should add up to AES_Blocksize (128 bits).
  // CTR mode requires a (key, nonce) pair never to be reused for different
  // data; uniqueness has to be guaranteed by whatever writes these settings,
  // as the schema cannot enforce it.
  bytes nonce = 3;    // 12 bytes
  // Presumably the initial counter value for the keystream — TODO confirm.
  uint32 counter = 4; // 4 bytes
}
    76    uint32 counter = 4; // 4 bytes
    77  }