instaclustr / icarus

Sidecar for Cassandra with integrated backup / restore
https://instaclustr.com
Apache License 2.0

[FEATURE] Support for client-side encryption #7

Open JensRantil opened 3 years ago

JensRantil commented 3 years ago

Is your feature request related to a problem? Please describe. Problem is putting sensitive data in the cloud is scary.

Another thing is if one has multiple Cassandra clusters being backed up to the same S3 bucket, one might want to be able to use encryption to make sure one cannot restore other data from the bucket. This can obviously also be done with ACL, but encryption can be an additional layer against that.

Describe the solution you'd like I'd like

Describe alternatives you've considered Obviously you can enable server-side encryption in S3, but honestly that's semi-fake security (more compliance) and doesn't really protect against an S3 bucket being accessed from the Internet etc. etc.

Additional context Does this feature need to live in Esop or Icarus? I assume both.

Has this been considered before? I'd be fine with supporting a single encryption key stored in a configuration file or something.

smiklosovic commented 3 years ago

Hi Jens,

thanks for reaching us.

I need to understand this properly, just to be sure. So, my understanding is that if you are uploading SSTable components via "HTTPS" via S3 client, is not that communication somehow protected already?

The "proper" solution, if you want to have these SSTables encrypted, is to encrypt them not by any tooling like this, but they just need to be encrypted themselves. There should be encryption of SSTables implemented directly in Cassandra so we do not need to do something like this.

Long story short, this seems to be quite a big problem and even though we are trying to have encryption on SSTable level in Cassandra, all I can say is that, most probably, that is just not going to happen anytime soon.

If you do not want to have your data in the cloud stored in plaintext and you are afraid that they would be accessed publicly (even though it is hard to believe this might be the case in any serious business entity but I understand mistakes happen), you are welcome to provide a PR which would solve this, I will gladly review it and eventually merge it.

Reading docs for S3 client encryption here (1), I think this (2) would need to be somehow accommodated to reflect what you want.

Just keep in mind to make it optional and command line / payload flag ridden so it can be turned on / off. (off by default).

(1) https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html
(2) https://github.com/instaclustr/esop/blob/master/src/main/java/com/instaclustr/esop/s3/TransferManagerFactory.java#L58
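As an added illustration of the shape the feature would take (this is not Icarus or Esop code, and it uses javax.crypto directly rather than the AWS S3 encryption client the linked docs describe): an AES-GCM helper with an off-by-default flag, a per-cluster key that in practice would come from a configuration file, and the S3 object key bound as associated data, so a backup written under one cluster's key cannot be restored with another cluster's key or silently moved to a different path. All names and the sample SSTable bytes are constructed for the example.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Hypothetical helper (not part of Icarus/Esop): encrypts an SSTable component
// client-side so that only ciphertext is uploaded to the bucket.
public final class ClientSideSstableEncryption {
    private static final int IV_LEN = 12, TAG_BITS = 128;

    // encryptionEnabled mirrors the requested "off by default" flag: when false
    // the bytes pass through untouched, exactly as today.
    public static byte[] prepareForUpload(byte[] sstable, String objectKey, byte[] key, boolean encryptionEnabled)
            throws Exception {
        if (!encryptionEnabled) return sstable;
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);                 // fresh nonce per object
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(objectKey.getBytes(StandardCharsets.UTF_8)); // bind ciphertext to its S3 path
        byte[] ct = c.doFinal(sstable);                   // ciphertext || 16-byte tag
        byte[] out = new byte[IV_LEN + ct.length];        // layout: iv || ciphertext || tag
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    // Restore path: a wrong key, a modified object or a renamed object key all
    // fail the GCM tag check and throw AEADBadTagException instead of returning garbage.
    public static byte[] decryptAfterDownload(byte[] blob, String objectKey, byte[] key) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(TAG_BITS, Arrays.copyOfRange(blob, 0, IV_LEN)));
        c.updateAAD(objectKey.getBytes(StandardCharsets.UTF_8));
        return c.doFinal(Arrays.copyOfRange(blob, IV_LEN, blob.length));
    }

    public static void main(String[] args) throws Exception {
        byte[] clusterAKey = new byte[32], clusterBKey = new byte[32]; // constructed; really loaded from config
        new SecureRandom().nextBytes(clusterAKey);
        new SecureRandom().nextBytes(clusterBKey);
        byte[] component = "constructed stand-in for an SSTable Data.db component".getBytes(StandardCharsets.UTF_8);
        String path = "cluster-a/ks/table/md-1-big-Data.db";          // constructed object key
        byte[] uploaded = prepareForUpload(component, path, clusterAKey, true);
        System.out.println("round trip ok: " + Arrays.equals(component, decryptAfterDownload(uploaded, path, clusterAKey)));
        try { decryptAfterDownload(uploaded, path, clusterBKey); }
        catch (AEADBadTagException e) { System.out.println("cluster B key rejected, as intended"); }
    }
}
```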

JensRantil commented 3 years ago

I need to understand this properly, just to be sure. So, my understanding is that if you are uploading SSTable components via "HTTPS" via S3 client, is not that communication somehow protected already?

Sorry for the late answer here. I was referring to data at rest here and given, like you say, Apache Cassandra will not implement sstable encryption for a while, I think the best next step here is to implement so that Icarus encrypts sstables before uploading.

smiklosovic commented 3 years ago

Hi @JensRantil , we are implementing encryption for Cassandra (I am personally involved in this), but it is hard to give you any estimates when it will appear in a release. Maybe 4.1 if we are lucky. But it will not be in 3.11 ever. I will contemplate Icarus encryption though.