Merge 'EAR: deprecate the replicated key provider' from Calle Wilund

Refs #22733. Adds runtime warning and docs info that replicated provider is deprecated and will be removed. Fixes #27292 Closes scylladb/scylladb#27270 * github.com:scylladb/scylladb: docs::encryption: Add warning that replicated provider is deprecated ent::encryption: Switch default key provider from replicated to local replicated_key_provider: Add deprecation warning on usage
2026-01-14 13:47:23 +02:00
parent 6b5923c64e 5f53d7852e
commit 551eecab63
3 changed files with 39 additions and 12 deletions
--- a/docs/operating-scylla/security/encryption-at-rest.rst
+++ b/docs/operating-scylla/security/encryption-at-rest.rst
@@ -154,7 +154,7 @@ is holding your keys. You can use the following options:
   * - Local Key Provider
     - ``LocalFileSystemKeyProviderFactory`` (**default**)
     - Stores the key on the same machine as the data.
-   * - Replicated Key Provider
+   * - Replicated Key Provider (**deprecated**)
     - ``ReplicatedKeyProviderFactory``
     - Stores table keys in a ScyllaDB table where the table itself is encrypted
       using the system key.
@@ -183,13 +183,14 @@ Local Key Provider

   The Local Key Provider is less safe than other options and as such it is not
   recommended for production use. It is the default key provider for the
-   node-local encryption configuration in ``scylla.yaml`` because it does not
-   require any external resources. In production environments, it is recommended
-   to use an external KMS instead.
+   node-local encryption configuration in ``scylla.yaml`` and table encryption 
+   because it does not require any external resources. 
+   In production environments, it is recommended to use an external KMS instead.

 The Local Key Provider is the default key provider for the node-local encryption
 configuration in ScyllaDB (``user_info_encryption`` and ``system_info_encryption``
-in ``scylla.yaml``). It stores the encryption keys locally on disk in a text file.
+in ``scylla.yaml``) as well as table encryption. 
+It stores the encryption keys locally on disk in a text file.
 The location of this file is specified in ``scylla.yaml``, or in the table schema.
 The user has the option to generate the key(s) themselves, or let ScyllaDB
 generate the key(s) for them.
@@ -210,16 +211,18 @@ Replicated Key Provider

 .. note::

+   **Warning**: The replicated key provider is deprecated and will be removed 
+   in a future ScyllaDB release.
+
   The Replicated Key Provider is not recommended for production use because it
   does not support key rotation. For compatibility with DataStax Cassandra, it
   is the default key provider for per-table encryption setup. In production
   environments, an external KMS should be used instead.

-The Replicated Key Provider is the default key provider for per-table encryption
-setup in ScyllaDB (``scylla_encryption_options`` in table schema). It stores and
-distributes the encryption keys across every node in the cluster through a
-special ScyllaDB system table (``system_replicated_keys.encrypted_keys``). The
-Replicated Key Provider requires two additional keys to operate:
+The Replicated Key Provider stores and distributes the encryption keys across 
+every node in the cluster through a special ScyllaDB system table 
+(``system_replicated_keys.encrypted_keys``). The Replicated Key Provider 
+requires two additional keys to operate:

 * A system key - used to encrypt the data in the system table. The system key
  can be either a local key, or a KMIP key.
@@ -302,7 +305,7 @@ Depending on your key provider, you will either have the option to allow
 ScyllaDB to generate an encryption key, or you will have to provide one:

 * Local Key Provider - you can provide your own keys, otherwise ScyllaDB will generate them for you
-* Replicated Key Provider - you must generate a system key yourself
+* Replicated Key Provider - you must generate a system key yourself (**deprecated**)
 * KMIP Key Provider - you can provide your own keys, otherwise ScyllaDB will generate them for you
 * KMS Key Provider - you must generate a key yourself in AWS
 * GCP Key Provider - you must generate a key yourself in GCP
@@ -432,6 +435,8 @@ desired key provider:
         You cannot use the same key for both the system key and the local
         secret key. They must be different keys.

+         **Warning**: The replicated key provider is deprecated and will be removed in a future ScyllaDB release.
+
   .. group-tab:: KMIP Key Provider

      The KMIP Key Provider will first try to discover existing keys in the KMIP
@@ -994,6 +999,8 @@ in the ``scylla.yaml`` file.
      The Replicated Key Provider cannot be used in ``user_info_encryption``.
      You can only use it to :ref:`Encrypt a Single Table <ear-create-table>`.

+      **Warning**: The replicated key provider is deprecated and will be removed in a future ScyllaDB release.
+
   .. group-tab:: KMIP Key Provider

      * Make sure to :ref:`set up a KMIP Host <encryption-at-rest-set-kmip>`.
@@ -1075,6 +1082,8 @@ in the ``scylla.yaml`` file.
         The Replicated Key Provider cannot be used in ``user_info_encryption``.
         You can only use it to :ref:`Encrypt a Single Table <ear-create-table>`.

+         **Warning**: The replicated key provider is deprecated and will be removed in a future ScyllaDB release.
+
      .. group-tab:: KMIP Key Provider

         .. code-block:: yaml
@@ -1296,6 +1305,8 @@ This procedure demonstrates how to encrypt a new table.

   .. group-tab:: Replicated Key Provider

+      **Warning**: The replicated key provider is deprecated and will be removed in a future ScyllaDB release.
+
      * Ensure you have a system key. The system key can be either a local key,
        or a KMIP key. If you don't have a system key, create one by following
        the procedure in :ref:`Create Encryption Keys <ear-create-encryption-key>`.
@@ -1397,6 +1408,7 @@ This procedure demonstrates how to encrypt a new table.
            ;

      .. group-tab:: Replicated Key Provider
+         **Warning**: The replicated key provider is deprecated and will be removed in a future ScyllaDB release.

         .. code-block:: cql

@@ -1821,6 +1833,8 @@ Once this encryption is enabled, it is used for all system data.
      The Replicated Key Provider cannot be used for system encryption. You can
      only use it to :ref:`Encrypt a Single Table <ear-create-table>`.

+      **Warning**: The replicated key provider is deprecated and will be removed in a future ScyllaDB release.
+
   .. group-tab:: KMIP Key Provider

      * Make sure to :ref:`set up a KMIP Host <encryption-at-rest-set-kmip>`.
@@ -1902,6 +1916,8 @@ Once this encryption is enabled, it is used for all system data.
         The Replicated Key Provider cannot be used for system encryption. You
         can only use it to :ref:`Encrypt a Single Table <ear-create-table>`.

+         **Warning**: The replicated key provider is deprecated and will be removed in a future ScyllaDB release.
+
      .. group-tab:: KMIP Key Provider

         .. code-block:: yaml
@@ -2127,6 +2143,8 @@ varies depending on the key provider you are using.
      The Replicated Key Provider does not support key rotation. If you need to
      rotate keys, you must migrate to a different key provider.

+      **Warning**: The replicated key provider is deprecated and will be removed in a future ScyllaDB release.
+
   .. group-tab:: KMIP Key Provider

      .. DSE docs: https://docs.datastax.com/en/dse/6.9/securing/configure-kmip-encryption.html?#secRekeyKMIP
--- a/ent/encryption/encryption.cc
+++ b/ent/encryption/encryption.cc
@@ -319,7 +319,7 @@ public:

        auto provider_class = opts(KEY_PROVIDER);
        if (!provider_class) {
-            provider_class = opts(SECRET_KEY_PROVIDER_FACTORY_CLASS).value_or(REPLICATED_KEY_PROVIDER_FACTORY);
+            provider_class = opts(SECRET_KEY_PROVIDER_FACTORY_CLASS).value_or(LOCAL_FILE_SYSTEM_KEY_PROVIDER_FACTORY);
        }
        if (provider_class->empty() || ::strcasecmp(provider_class->c_str(), "none") == 0) {
            return {};
--- a/ent/encryption/replicated_key_provider.cc
+++ b/ent/encryption/replicated_key_provider.cc
@@ -43,6 +43,7 @@
 #include "db/system_keyspace.hh"
 #include "db/extensions.hh"
 #include "locator/everywhere_replication_strategy.hh"
+#include "release.hh"

 namespace encryption {

@@ -432,6 +433,14 @@ replicated_key_provider_factory::~replicated_key_provider_factory()
 namespace bfs = std::filesystem;

 shared_ptr<key_provider> replicated_key_provider_factory::get_provider(encryption_context& ctxt, const options& map) {
+    static bool did_warn = false;
+
+    if (!std::exchange(did_warn, true)) {
+        log.warn("ReplicatedKeyProviderFactory is deprecated and will be removed in a future release.");
+        log.warn("Please consult the Scylla documentation on how to migrate to a supported key provider.");
+        log.warn("For more info see: {}", doc_link("operating-scylla/security/encryption-at-rest.html"));
+    }
+
    opt_wrapper opts(map);
    auto system_key_name = opts(SYSTEM_KEY_FILE).value_or("system_key");
    if (system_key_name.find('/') != sstring::npos) {