ydb-platform · sharpeye · Dec 9, 2024 · Nov 28, 2024 · Nov 28, 2024 · Nov 28, 2024
diff --git a/cloud/blockstore/config/storage.proto b/cloud/blockstore/config/storage.proto
@@ -1068,4 +1068,7 @@ message TStorageServiceConfig
     // When enabled, the Disk Registry REMOVE_HOST CMS action will "forget"
     // agents devices and suspend local devices.
     optional bool DiskRegistryCleanupConfigOnRemoveHost = 392;
+
+    // Enables the encryption at rest for Disk Registry based disks.
+    optional bool EncryptionAtRestForDiskRegistryBasedDisksEnabled = 393;
 }
diff --git a/cloud/blockstore/libs/daemon/ydb/bootstrap.cpp b/cloud/blockstore/libs/daemon/ydb/bootstrap.cpp
@@ -573,6 +573,7 @@ void TBootstrapYdb::InitKikimrService()
         }();
     args.VolumeBalancerSwitch = VolumeBalancerSwitch;
     args.EndpointEventHandler = EndpointEventHandler;
+    args.RootKmsKeyProvider = RootKmsKeyProvider;
 
     ActorSystem = NStorage::CreateActorSystem(args);
 

diff --git a/cloud/blockstore/libs/daemon/ydb/config_initializer.cpp b/cloud/blockstore/libs/daemon/ydb/config_initializer.cpp
@@ -37,7 +37,7 @@ using namespace NCloud::NBlockStore::NDiscovery;
 ////////////////////////////////////////////////////////////////////////////////
 
 TConfigInitializerYdb::TConfigInitializerYdb(TOptionsYdbPtr options)
-        : TConfigInitializerCommon(options)
+    : TConfigInitializerCommon(options)
     , NCloud::NStorage::TConfigInitializerYdbBase(options)
     , Options(options)
 {}

diff --git a/cloud/blockstore/libs/root_kms/impl/client.cpp b/cloud/blockstore/libs/root_kms/impl/client.cpp
@@ -214,9 +214,7 @@ TRootKmsClient::TRootKmsClient(
         TCreateRootKmsClientParams params)
     : Logging(std::move(logging))
     , Params(std::move(params))
-    , Log(Logging->CreateLog("ROOT_KMS_CLIENT"))
-{
-}
+{}
 
 TRootKmsClient::~TRootKmsClient()
 {
@@ -225,6 +223,8 @@ TRootKmsClient::~TRootKmsClient()
 
 void TRootKmsClient::Start()
 {
+    Log = Logging->CreateLog("ROOT_KMS_CLIENT");
+
     grpc::SslCredentialsOptions sslOpts{
         .pem_root_certs = ReadFile(Params.RootCertsFile),
         .pem_private_key = ReadFile(Params.PrivateKeyFile),

diff --git a/cloud/blockstore/libs/storage/core/config.cpp b/cloud/blockstore/libs/storage/core/config.cpp
@@ -516,6 +516,8 @@ TDuration MSeconds(ui32 value)
     xxx(DiskRegistryDisksNotificationTimeout,           TDuration, Seconds(5)    )\
     xxx(BlobStorageAsyncGetTimeoutHDD,                  TDuration, Seconds(0)    )\
     xxx(BlobStorageAsyncGetTimeoutSSD,                  TDuration, Seconds(0)    )\
+                                                                               \
+    xxx(EncryptionAtRestForDiskRegistryBasedDisksEnabled, bool,    false     ) \
 
 // BLOCKSTORE_STORAGE_CONFIG_RW
 
@@ -546,6 +548,7 @@ BLOCKSTORE_STORAGE_CONFIG(BLOCKSTORE_STORAGE_DECLARE_CONFIG)
     xxx(ReplaceDevice)                                                         \
     xxx(UseNonReplicatedHDDInsteadOfReplicated)                                \
     xxx(AddingUnconfirmedBlobs)                                                \
+    xxx(EncryptionAtRestForDiskRegistryBasedDisks)                             \
 
 // BLOCKSTORE_BINARY_FEATURES
 

diff --git a/cloud/blockstore/libs/storage/core/config.h b/cloud/blockstore/libs/storage/core/config.h
@@ -361,6 +361,11 @@ class TStorageConfig
         const TString& folderId,
         const TString& diskId) const;
 
+    [[nodiscard]] bool IsEncryptionAtRestForDiskRegistryBasedDisksFeatureEnabled(
+        const TString& cloudId,
+        const TString& folderId,
+        const TString& diskId) const;
+
     TDuration GetMaxTimedOutDeviceStateDurationFeatureValue(
         const TString& cloudId,
         const TString& folderId,
@@ -613,6 +618,8 @@ class TStorageConfig
 
     TDuration GetBlobStorageAsyncGetTimeoutHDD() const;
     TDuration GetBlobStorageAsyncGetTimeoutSSD() const;
+
+    [[nodiscard]] bool GetEncryptionAtRestForDiskRegistryBasedDisksEnabled() const;
 };
 
 ui64 GetAllocationUnit(

diff --git a/cloud/blockstore/libs/storage/core/proto_helpers.cpp b/cloud/blockstore/libs/storage/core/proto_helpers.cpp
@@ -100,6 +100,13 @@ NProto::TEncryptionDesc ConvertToEncryptionDesc(
     NProto::TEncryptionDesc resultDesc;
     resultDesc.SetMode(mode);
     resultDesc.SetKeyHash(desc.GetKeyHash());
+
+    if (desc.HasEncryptedDataKey()) {
+        auto& key = *resultDesc.MutableEncryptionKey();
+        key.SetKekId(desc.GetEncryptedDataKey().GetKekId());
+        key.SetEncryptedDEK(desc.GetEncryptedDataKey().GetCiphertext());
+    }
+
     return resultDesc;
 }
 

diff --git a/cloud/blockstore/libs/storage/init/server/actorsystem.cpp b/cloud/blockstore/libs/storage/init/server/actorsystem.cpp
@@ -216,7 +216,8 @@ class TStorageServicesInitializer final
             Args.EndpointEventHandler,
             Args.RdmaClient,
             Args.VolumeStats,
-            Args.PreemptedVolumes);
+            Args.PreemptedVolumes,
+            Args.RootKmsKeyProvider);
 
         setup->LocalServices.emplace_back(
             MakeStorageServiceId(),

diff --git a/cloud/blockstore/libs/storage/init/server/actorsystem.h b/cloud/blockstore/libs/storage/init/server/actorsystem.h
@@ -5,6 +5,7 @@
 #include <cloud/blockstore/libs/common/public.h>
 #include <cloud/blockstore/libs/diagnostics/public.h>
 #include <cloud/blockstore/libs/discovery/public.h>
+#include <cloud/blockstore/libs/encryption/public.h>
 #include <cloud/blockstore/libs/endpoints/public.h>
 #include <cloud/blockstore/libs/kikimr/public.h>
 #include <cloud/blockstore/libs/nvme/public.h>
@@ -65,6 +66,7 @@ struct TServerActorSystemArgs
     NNvme::INvmeManagerPtr NvmeManager;
     IVolumeBalancerSwitchPtr VolumeBalancerSwitch;
     NServer::IEndpointEventHandlerPtr EndpointEventHandler;
+    IRootKmsKeyProviderPtr RootKmsKeyProvider;
 
     TVector<NCloud::NStorage::IUserMetricsSupplierPtr> UserCounterProviders;
 

diff --git a/cloud/blockstore/libs/storage/service/service.cpp b/cloud/blockstore/libs/storage/service/service.cpp
@@ -18,7 +18,8 @@ IActorPtr CreateStorageService(
     NServer::IEndpointEventHandlerPtr endpointEventHandler,
     NRdma::IClientPtr rdmaClient,
     IVolumeStatsPtr volumeStats,
-    TManuallyPreemptedVolumesPtr preemptedVolumes)
+    TManuallyPreemptedVolumesPtr preemptedVolumes,
+    IRootKmsKeyProviderPtr rootKmsKeyProvider)
 {
     return std::make_unique<TServiceActor>(
         std::move(config),
@@ -30,7 +31,8 @@ IActorPtr CreateStorageService(
         std::move(endpointEventHandler),
         std::move(rdmaClient),
         std::move(volumeStats),
-        std::move(preemptedVolumes));
+        std::move(preemptedVolumes),
+        std::move(rootKmsKeyProvider));
 }
 
 }   // namespace NCloud::NBlockStore::NStorage
diff --git a/cloud/blockstore/libs/storage/service/service.h b/cloud/blockstore/libs/storage/service/service.h
@@ -4,6 +4,7 @@
 
 #include <cloud/blockstore/libs/diagnostics/public.h>
 #include <cloud/blockstore/libs/discovery/public.h>
+#include <cloud/blockstore/libs/encryption/public.h>
 #include <cloud/blockstore/libs/endpoints/public.h>
 #include <cloud/blockstore/libs/kikimr/public.h>
 #include <cloud/blockstore/libs/rdma/iface/public.h>
@@ -23,6 +24,7 @@ NActors::IActorPtr CreateStorageService(
     NServer::IEndpointEventHandlerPtr endpointEventHandler,
     NRdma::IClientPtr rdmaClient,
     IVolumeStatsPtr volumeStats,
-    TManuallyPreemptedVolumesPtr preemptedVolumes);
+    TManuallyPreemptedVolumesPtr preemptedVolumes,
+    IRootKmsKeyProviderPtr rootKmsKeyProvider);
 
 }   // namespace NCloud::NBlockStore::NStorage
diff --git a/cloud/blockstore/libs/storage/service/service_actor.cpp b/cloud/blockstore/libs/storage/service/service_actor.cpp
@@ -27,7 +27,8 @@ TServiceActor::TServiceActor(
         NServer::IEndpointEventHandlerPtr endpointEventHandler,
         NRdma::IClientPtr rdmaClient,
         IVolumeStatsPtr volumeStats,
-        TManuallyPreemptedVolumesPtr preemptedVolumes)
+        TManuallyPreemptedVolumesPtr preemptedVolumes,
+        IRootKmsKeyProviderPtr rootKmsKeyProvider)
     : Config(std::move(config))
     , DiagnosticsConfig(std::move(diagnosticsConfig))
     , ProfileLog(std::move(profileLog))
@@ -37,12 +38,12 @@ TServiceActor::TServiceActor(
     , EndpointEventHandler(std::move(endpointEventHandler))
     , RdmaClient(std::move(rdmaClient))
     , VolumeStats(std::move(volumeStats))
+    , RootKmsKeyProvider(std::move(rootKmsKeyProvider))
     , SharedCounters(MakeIntrusive<TSharedServiceCounters>(Config))
     , State(std::move(preemptedVolumes))
 {}
 
-TServiceActor::~TServiceActor()
-{}
+TServiceActor::~TServiceActor() = default;
 
 void TServiceActor::Bootstrap(const TActorContext& ctx)
 {

diff --git a/cloud/blockstore/libs/storage/service/service_actor.h b/cloud/blockstore/libs/storage/service/service_actor.h
@@ -10,6 +10,7 @@
 #include <cloud/blockstore/libs/diagnostics/public.h>
 #include <cloud/blockstore/libs/diagnostics/stats_aggregator.h>
 #include <cloud/blockstore/libs/discovery/discovery.h>
+#include <cloud/blockstore/libs/encryption/public.h>
 #include <cloud/blockstore/libs/endpoints/public.h>
 #include <cloud/blockstore/libs/kikimr/helpers.h>
 #include <cloud/blockstore/libs/rdma/iface/public.h>
@@ -47,6 +48,7 @@ class TServiceActor final
     const NServer::IEndpointEventHandlerPtr EndpointEventHandler;
     const NRdma::IClientPtr RdmaClient;
     const IVolumeStatsPtr VolumeStats;
+    const IRootKmsKeyProviderPtr RootKmsKeyProvider;
 
     TSharedServiceCountersPtr SharedCounters;
 
@@ -73,8 +75,9 @@ class TServiceActor final
         NServer::IEndpointEventHandlerPtr endpointEventHandler,
         NRdma::IClientPtr rdmaClient,
         IVolumeStatsPtr volumeStats,
-        TManuallyPreemptedVolumesPtr preemptedVolumes);
-    ~TServiceActor();
+        TManuallyPreemptedVolumesPtr preemptedVolumes,
+        IRootKmsKeyProviderPtr rootKmsKeyProvider);
+    ~TServiceActor() override;
 
     void Bootstrap(const NActors::TActorContext& ctx);