Data Grid Encryption
Encryption of the data stored within the data grid of Hazelcast (the technology underpinning our deployment groups and clustering in Payara 5) has previously required a Hazelcast Enterprise subscription (see Payara Scales). While this remains an option for those who would like the additional features it provides (such as WAN replication), we’ve introduced our own encryption implementation into Payara Server to provide this feature to you without the additional subscription.
This feature provides encryption of the data that’s being stored in-memory via the Hazelcast data grid, providing end-to-end encryption of the data across all instances in the domain. End-to-end encryption is encryption of data both at rest (in storage) and in transit (during communication).
Payara Server uses a symmetric key to perform the encryption of the data within the data grid store. This means that the same key is used by each member of the data grid to encrypt and decrypt the data.
This key is generated and protected using the master password and a key derivation function. The key itself is a 256-bit AES key, and each encryption call uses a fresh initialisation vector and salt, so that identical plaintexts do not produce identical ciphertexts and statistical patterns in the stored data are not exposed.
The following data sources are encrypted:
Web Session Persistence
Stateful Session Bean Persistence
Historic Health Checks
This section details the necessary steps to set up and enable encryption of the data grid and the various data sources.
Documentation around configuration of the data sources for encryption assumes that you’ve already generated the encryption key and enabled encryption of the data grid.
The key to be used by Payara Server Enterprise to perform the actual encryption and decryption of data can be generated using the following command:
asadmin generate-encryption-key
This command generates a key using the master password – the same one used to access the key store used by Payara Server.
Similar to the change-master-password command, this command requires you to shut down the DAS before running it.
This command should only be run on the DAS, since the DAS is the master instance and is the one that propagates the key out to the other instances in the domain.
The default value for the master password is changeit. You can also provide the master password via a password file like so:
asadmin -W /path/to/passwordfile.txt generate-encryption-key
Contents of passwordfile.txt:
AS_ADMIN_MASTERPASSWORD=changeit
The file holds the master password in clear text, so restrict its permissions to the user running asadmin.
If you change the master password after generating your key, you will need to regenerate the key and propagate the new one to each of your instances, since the original key was derived from the old (and now incorrect) password. Propagation should occur under the default --sync normal, but --sync full can be used when starting an instance to delete its local copy and resync it from the DAS.
Enabling encryption of the data grid itself is controlled by the set-hazelcast-configuration asadmin command:
set-hazelcast-configuration --encryptdatagrid true
This is a domain-wide setting, so hybrid setups where encryption is enabled only on specific clusters within a domain are not supported.
Once you have generated your key and enabled encryption, you must restart all instances in the domain if they were still running; changes to encryption settings do not take effect until a server is restarted. It is highly recommended that you restart all of your running instances as quickly as possible, since those that have not been restarted will be unable to decrypt the encrypted data placed in the data grid store by those that have been.
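The procedure above (generate the key on the stopped DAS, enable the domain-wide setting, restart every instance) and the key regeneration after a master password change, scripted as an added example. This is not code from the Payara documentation or the Payara project. It assumes asadmin is on the PATH, that the domain and instance names are passed as arguments, and that the master password is supplied through a password file created with the helper shown here; the script name grid-encryption.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not Payara's own code): data grid encryption set-up and key rotation.
# Assumptions not stated on the page: asadmin is on PATH; domain and instance
# names are given on the command line; the password file is created by this script.
set -eu

# Write an asadmin password file holding only the master password entry.
# Mode 0600, because the file contains the password in clear text.
write_master_password_file() {
    file="$1"
    master_pw="$2"
    rm -f "$file"
    (umask 077; printf 'AS_ADMIN_MASTERPASSWORD=%s\n' "$master_pw" > "$file")
    chmod 600 "$file"
}

# Succeeds only if the file has the master password entry and is readable by
# its owner alone (the permission string ls prints is then "-rw-------").
check_password_file() {
    file="$1"
    grep -q '^AS_ADMIN_MASTERPASSWORD=' "$file" || return 1
    [ "$(ls -ld "$file" | cut -c1-10)" = "-rw-------" ]
}

# First-time setup. Remaining arguments after domain and pwfile are instance names.
enable_data_grid_encryption() {
    domain="$1"; pwfile="$2"; shift 2

    asadmin stop-domain "$domain"                  # generate-encryption-key needs the DAS down
    asadmin -W "$pwfile" generate-encryption-key   # DAS only; it propagates the key to instances
    asadmin start-domain "$domain"

    asadmin set-hazelcast-configuration --encryptdatagrid true   # domain-wide; no per-cluster mix

    # An instance that has not restarted cannot decrypt what restarted members
    # write, so restart them all back to back rather than over a long window.
    for inst in "$@"; do
        asadmin restart-instance "$inst"
    done
}

# After change-master-password: the old key was derived from the old password,
# so regenerate it and start the instances with --sync full to discard their
# stale local copy and resync from the DAS. pwfile must hold the NEW master password.
regenerate_key_after_master_password_change() {
    domain="$1"; pwfile="$2"; shift 2

    for inst in "$@"; do
        asadmin stop-instance "$inst"
    done
    asadmin stop-domain "$domain"
    asadmin -W "$pwfile" generate-encryption-key
    asadmin start-domain "$domain"
    for inst in "$@"; do
        asadmin start-instance --sync full "$inst"
    done
}

# Usage (nothing runs unless a verb is given, so the functions can also be sourced):
#   printf '%s' "$PW" | sh grid-encryption.sh mkpw  /secure/path/masterpw.txt
#   sh grid-encryption.sh enable domain1 /secure/path/masterpw.txt inst1 inst2
#   sh grid-encryption.sh rotate domain1 /secure/path/masterpw.txt inst1 inst2
case "${1:-}" in
    mkpw)   shift; write_master_password_file "$1" "$(cat)" ;;   # password read from stdin, not argv
    enable) shift; check_password_file "$2" || { echo "unsafe or invalid password file" >&2; exit 1; }
            enable_data_grid_encryption "$@" ;;
    rotate) shift; check_password_file "$2" || { echo "unsafe or invalid password file" >&2; exit 1; }
            regenerate_key_after_master_password_change "$@" ;;
    *) : ;;
esac
```

The mkpw verb reads the password from standard input so it does not end up in the process list or shell history, and both procedures refuse to run if the password file is group- or world-readable.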
Encrypting web session availability data requires no extra actions on top of configuring the Web Container Availability Persistence Type to hazelcast (which it is by default).
Encrypting stateful session bean (SFSB) availability data requires no extra actions on top of configuring the EJB Container Availability HA and/or SFSB Persistence Type to hazelcast (the default setting for the SFSB HA persistence type is hazelcast).