Commit

issue-176: doc
sharpeye committed Nov 11, 2024
1 parent 34b31ed commit 6d7aa4d
Showing 1 changed file with 30 additions and 0 deletions.
30 changes: 30 additions & 0 deletions doc/blockstore/storage/encryption-at-rest.md
@@ -0,0 +1,30 @@
# Encryption at rest (NRD/Mirrored)

## General information
The data encryption key (DEK) is stored in encrypted form in the volume metadata ([EncryptionDesc](../../../contrib/ydb/core/protos/blockstore_config.proto#L117)). For DEKs generating and encrypting the root key management service (RootKMS) is used. A master key that uses for encryption and decryption of DEKs is stored in RootKMS and is not transmitted in open form - requests to RootKMS use only the identificator of the master key. If the master key is compromised, a new one is generated and then all DEKs must be re-encrypted (and updated in the volume metadata) using the new master key.

## Creating a volume
NBS requests a new DEK from RootKMS, sending the master key identificator. The received encrypted DEK is stored in the volume metadata.

```mermaid
sequenceDiagram
participant NBS
participant RootKMS
NBS->>+RootKMS: generate DEK (master key id)
RootKMS-->>-NBS: encrypted DEK
NBS->>NBS: store DEK in VolumeConfig
```

## Mounting a volume
NBS requests a decrypted DEK from RootKMS, sending the encrypted DEK and the master key. The received DEK is used for the encryption/decryption of IO requests data. To handle IO requests the [TEncryptionClient](../../../cloud/blockstore/libs/encryption/encryption_client.cpp#L138) is used.

```mermaid
sequenceDiagram
participant NBS
participant RootKMS
NBS->>+RootKMS: decrypt DEK (master key id, encrypted DEK)
RootKMS-->>-NBS: DEK
NBS->>NBS: create TEncryptionClient (DEK)
```
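Review bot: the "Mounting a volume" paragraph contradicts both the "General information" section and its own sequence diagram: the prose says NBS sends "the encrypted DEK and the master key" to RootKMS, while the general section states the master key is never transmitted in the open and the diagram's message is `decrypt DEK (master key id, encrypted DEK)`. Change the prose to "sending the encrypted DEK and the master key identifier" so a reader does not conclude the master key leaves RootKMS. While touching that section, replace "identificator" with "identifier" (also in "General information" and "Creating a volume"), and reword "For DEKs generating and encrypting the root key management service (RootKMS) is used. A master key that uses for encryption and decryption of DEKs ..." to something like "The root key management service (RootKMS) generates and encrypts DEKs. The master key used to encrypt and decrypt DEKs is stored in RootKMS ...". Two things a reader of this page will still be missing: the "General information" section says that after a master-key compromise all DEKs "must be re-encrypted (and updated in the volume metadata)" but does not say which component performs that re-encryption or whether volumes need to be remounted afterwards, and the mounting section does not state that the plaintext DEK returned by RootKMS is held only in NBS process memory for the lifetime of the `TEncryptionClient` and is never written to the volume metadata; a sentence on each would complete the threat picture the document is sketching.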

0 comments on commit 6d7aa4d
