Add support for encryption at rest.

dgraph/cmd/alpha/run.go

@@ -36,6 +36,7 @@ import (
 	"github.com/dgraph-io/badger/v2/y"
 	"github.com/dgraph-io/dgo/v2/protos/api"
 	"github.com/dgraph-io/dgraph/edgraph"
+	"github.com/dgraph-io/dgraph/ee/enc"
 	"github.com/dgraph-io/dgraph/posting"
 	"github.com/dgraph-io/dgraph/schema"
 	"github.com/dgraph-io/dgraph/tok"
@@ -103,6 +104,10 @@ they form a Raft group and provide synchronous replication.
 	flag.String("badger.vlog", "mmap",
 		"[mmap, disk] Specifies how Badger Value log is stored."+
 			" mmap consumes more RAM, but provides better performance.")
+	flag.String("encryption_key_file", "",
+		"The file that stores the encryption key. The key size must be 16, 24, or 32 bytes long. "+
+			"The key size determines the corresponding block size for AES encryption "+
+			"(AES-128, AES-192, and AES-256 respectively). Enterprise feature.")
 
 	// Snapshot and Transactions.
 	flag.Int("snapshot_after", 10000,
@@ -425,8 +430,9 @@ func run() {
 	bindall = Alpha.Conf.GetBool("bindall")
 
 	opts := worker.Options{
-		BadgerTables: Alpha.Conf.GetString("badger.tables"),
-		BadgerVlog:   Alpha.Conf.GetString("badger.vlog"),
+		BadgerTables:  Alpha.Conf.GetString("badger.tables"),
+		BadgerVlog:    Alpha.Conf.GetString("badger.vlog"),
+		BadgerKeyFile: Alpha.Conf.GetString("encryption_key_file"),
 
 		PostingDir: Alpha.Conf.GetString("postings"),
 		WALDir:     Alpha.Conf.GetString("wal"),
@@ -436,6 +442,11 @@ func run() {
 		AllottedMemory: Alpha.Conf.GetFloat64("lru_mb"),
 	}
 
+	// OSS, non-nil key file --> crash
+	if !enc.EeBuild && opts.BadgerKeyFile != "" {
+		glog.Fatalf("Cannot enable encryption: %s", x.ErrNotSupported)
+	}
+
 	secretFile := Alpha.Conf.GetString("acl_secret_file")
 	if secretFile != "" {
 		hmacSecret, err := ioutil.ReadFile(secretFile)

dgraph/cmd/bulk/loader.go

@@ -48,6 +48,7 @@ type options struct {
 	OutDir           string
 	ReplaceOutDir    bool
 	TmpDir           string
+	BadgerKeyFile    string // used only in enterprise build. nil otherwise.
 	NumGoroutines    int
 	MapBufSize       uint64
 	SkipMapPhase     bool

dgraph/cmd/bulk/reduce.go

@@ -34,8 +34,10 @@ import (
 	bpb "github.com/dgraph-io/badger/v2/pb"
 	"github.com/dgraph-io/badger/v2/y"
 	"github.com/dgraph-io/dgraph/codec"
+	"github.com/dgraph-io/dgraph/ee/enc"
 	"github.com/dgraph-io/dgraph/posting"
 	"github.com/dgraph-io/dgraph/protos/pb"
+	"github.com/dgraph-io/dgraph/worker"
 	"github.com/dgraph-io/dgraph/x"
 	"github.com/gogo/protobuf/proto"
 )
@@ -88,11 +90,29 @@ func (r *reducer) run() error {
 }
 
 func (r *reducer) createBadger(i int) *badger.DB {
+	if r.opt.BadgerKeyFile != "" {
+		// need to set zero addr in WorkerConfig before doing license check.
+		x.WorkerConfig.ZeroAddr = r.opt.ZeroAddr
+		// non-nil key file
+		if !worker.EnterpriseEnabled() {
+			// not licensed --> crash.
+			log.Fatal("Enterprise License needed for the Encryption feature.")
+		} else {
+			// licensed --> OK.
+			log.Printf("Encryption feature enabled. Using encryption key file: %v", r.opt.BadgerKeyFile)
+		}
+	}
+
 	opt := badger.DefaultOptions(r.opt.shardOutputDirs[i]).WithSyncWrites(false).
 		WithTableLoadingMode(bo.MemoryMap).WithValueThreshold(1 << 10 /* 1 KB */).
-		WithLogger(nil).WithMaxCacheSize(1 << 20)
+		WithLogger(nil).WithMaxCacheSize(1 << 20).
+		WithEncryptionKey(enc.ReadEncryptionKeyFile(r.opt.BadgerKeyFile))
 	db, err := badger.OpenManaged(opt)
 	x.Check(err)
+
+	// zero out the key from memory.
+	opt.EncryptionKey = nil
+
 	r.dbs = append(r.dbs, db)
 	return db
 }

dgraph/cmd/bulk/run.go

@@ -29,6 +29,7 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/dgraph-io/dgraph/ee/enc"
 	"github.com/dgraph-io/dgraph/tok"
 	"github.com/dgraph-io/dgraph/x"
 	"github.com/spf13/cobra"
@@ -65,6 +66,11 @@ func init() {
 	flag.String("tmp", "tmp",
 		"Temp directory used to use for on-disk scratch space. Requires free space proportional"+
 			" to the size of the RDF file and the amount of indexing used.")
+	flag.String("encryption_key_file", "",
+		"The file that stores the encryption key. The key size must be 16, 24, or 32 bytes long. "+
+			"The key size determines the corresponding block size for AES encryption "+
+			"(AES-128, AES-192, and AES-256 respectively). Enterprise feature.")
+
 	flag.IntP("num_go_routines", "j", int(math.Ceil(float64(runtime.NumCPU())/4.0)),
 		"Number of worker threads to use. MORE THREADS LEAD TO HIGHER RAM USAGE.")
 	flag.Int64("mapoutput_mb", 64,
@@ -106,6 +112,7 @@ func run() {
 		OutDir:           Bulk.Conf.GetString("out"),
 		ReplaceOutDir:    Bulk.Conf.GetBool("replace_out"),
 		TmpDir:           Bulk.Conf.GetString("tmp"),
+		BadgerKeyFile:    Bulk.Conf.GetString("encryption_key_file"),
 		NumGoroutines:    Bulk.Conf.GetInt("num_go_routines"),
 		MapBufSize:       uint64(Bulk.Conf.GetInt("mapoutput_mb")),
 		SkipMapPhase:     Bulk.Conf.GetBool("skip_map_phase"),
@@ -126,6 +133,11 @@ func run() {
 	if opt.Version {
 		os.Exit(0)
 	}
+	// OSS, non-nil key file --> crash
+	if !enc.EeBuild && opt.BadgerKeyFile != "" {
+		fmt.Printf("Cannot enable encryption: %s", x.ErrNotSupported)
+		os.Exit(1)
+	}
 	if opt.SchemaFile == "" {
 		fmt.Fprint(os.Stderr, "Schema file must be specified.\n")
 		os.Exit(1)

dgraph/cmd/zero/run.go

@@ -208,6 +208,10 @@ func run() {
 	kv, err := badger.Open(kvOpt)
 	x.Checkf(err, "Error while opening WAL store")
 	defer kv.Close()
+
+	// zero out from memory
+	kvOpt.EncryptionKey = nil
+
 	store := raftwal.Init(kv, opts.nodeId, 0)
 
 	// Initialize the servers.

dgraph/docker-compose.yml

@@ -68,13 +68,17 @@ services:
         source: ../ee/acl/hmac-secret
         target: /dgraph-acl/hmac-secret
         read_only: true
+      - type: bind
+        source: ../ee/enc/enc-key
+        target: /dgraph-enc/enc-key
+        read_only: true
     ports:
       - 8180:8180
       - 9180:9180
     labels:
       cluster: test
       service: alpha
-    command: /gobin/dgraph alpha --my=alpha1:7180 --lru_mb=1024 --zero=zero1:5180 -o 100 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16  --acl_secret_file /dgraph-acl/hmac-secret --acl_access_ttl 3s --acl_cache_ttl 5s
+    command: /gobin/dgraph alpha --encryption_key_file "/dgraph-enc/enc-key" --my=alpha1:7180 --lru_mb=1024 --zero=zero1:5180 -o 100 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16  --acl_secret_file /dgraph-acl/hmac-secret --acl_access_ttl 3s --acl_cache_ttl 5s
 
   alpha2:
     image: dgraph/dgraph:latest
@@ -91,13 +95,17 @@ services:
         source: ../ee/acl/hmac-secret
         target: /dgraph-acl/hmac-secret
         read_only: true
+      - type: bind
+        source: ../ee/enc/enc-key
+        target: /dgraph-enc/enc-key
+        read_only: true
     ports:
       - 8182:8182
       - 9182:9182
     labels:
       cluster: test
       service: alpha
-    command: /gobin/dgraph alpha --my=alpha2:7182 --lru_mb=1024 --zero=zero1:5180 -o 102 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --acl_access_ttl 3s --acl_cache_ttl 5s
+    command: /gobin/dgraph alpha --encryption_key_file "/dgraph-enc/enc-key" --my=alpha2:7182 --lru_mb=1024 --zero=zero1:5180 -o 102 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --acl_access_ttl 3s --acl_cache_ttl 5s
 
   alpha3:
     image: dgraph/dgraph:latest
@@ -114,13 +122,17 @@ services:
         source: ../ee/acl/hmac-secret
         target: /dgraph-acl/hmac-secret
         read_only: true
+      - type: bind
+        source: ../ee/enc/enc-key
+        target: /dgraph-enc/enc-key
+        read_only: true
     ports:
       - 8183:8183
       - 9183:9183
     labels:
       cluster: test
       service: alpha
-    command: /gobin/dgraph alpha --my=alpha3:7183 --lru_mb=1024 --zero=zero1:5180 -o 103 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --acl_access_ttl 3s --acl_cache_ttl 5s
+    command: /gobin/dgraph alpha --encryption_key_file "/dgraph-enc/enc-key" --my=alpha3:7183 --lru_mb=1024 --zero=zero1:5180 -o 103 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --acl_access_ttl 3s --acl_cache_ttl 5s
 
   alpha4:
     image: dgraph/dgraph:latest
@@ -137,13 +149,17 @@ services:
         source: ../ee/acl/hmac-secret
         target: /dgraph-acl/hmac-secret
         read_only: true
+      - type: bind
+        source: ../ee/enc/enc-key
+        target: /dgraph-enc/enc-key
+        read_only: true
     ports:
       - 8184:8184
       - 9184:9184
     labels:
       cluster: test
       service: alpha
-    command: /gobin/dgraph alpha --my=alpha4:7184 --lru_mb=1024 --zero=zero1:5180 -o 104 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --acl_access_ttl 3s --acl_cache_ttl 5s
+    command: /gobin/dgraph alpha --encryption_key_file "/dgraph-enc/enc-key" --my=alpha4:7184 --lru_mb=1024 --zero=zero1:5180 -o 104 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --acl_access_ttl 3s --acl_cache_ttl 5s
 
   alpha5:
     image: dgraph/dgraph:latest
@@ -160,13 +176,17 @@ services:
         source: ../ee/acl/hmac-secret
         target: /dgraph-acl/hmac-secret
         read_only: true
+      - type: bind
+        source: ../ee/enc/enc-key
+        target: /dgraph-enc/enc-key
+        read_only: true
     ports:
       - 8185:8185
       - 9185:9185
     labels:
       cluster: test
       service: alpha
-    command: /gobin/dgraph alpha --my=alpha5:7185 --lru_mb=1024 --zero=zero1:5180 -o 105 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --acl_access_ttl 3s --acl_cache_ttl 5s
+    command: /gobin/dgraph alpha --encryption_key_file "/dgraph-enc/enc-key" --my=alpha5:7185 --lru_mb=1024 --zero=zero1:5180 -o 105 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --acl_access_ttl 3s --acl_cache_ttl 5s
 
   alpha6:
     image: dgraph/dgraph:latest
@@ -183,13 +203,17 @@ services:
         source: ../ee/acl/hmac-secret
         target: /dgraph-acl/hmac-secret
         read_only: true
+      - type: bind
+        source: ../ee/enc/enc-key
+        target: /dgraph-enc/enc-key
+        read_only: true
     ports:
       - 8186:8186
       - 9186:9186
     labels:
       cluster: test
       service: alpha
-    command: /gobin/dgraph alpha --my=alpha6:7186 --lru_mb=1024 --zero=zero1:5180 -o 106 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --acl_access_ttl 3s --acl_cache_ttl 5s
+    command: /gobin/dgraph alpha --encryption_key_file "/dgraph-enc/enc-key" --my=alpha6:7186 --lru_mb=1024 --zero=zero1:5180 -o 106 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --acl_access_ttl 3s --acl_cache_ttl 5s
 
   minio1:
     image: minio/minio:latest

ee/enc/enc-key

@@ -0,0 +1 @@
+123456789012345

ee/enc/util.go

@@ -0,0 +1,30 @@
+// +build oss
+
+/*
+ * Copyright 2018 Dgraph Labs, Inc. and Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package enc
+
+import "github.com/dgraph-io/dgraph/x"
+
+// Eebuild indicates if this is a Enterprise build.
+var EeBuild = false
+
+// ReadEncryptionKeyFile returns nil key for OSS build
+func ReadEncryptionKeyFile(filepath string) []byte {
+	x.AssertTruef(filepath == "", "encryption_key_file is an Enterprise only feature.")
+	return nil
+}

ee/enc/util_ee.go

@@ -0,0 +1,37 @@
+// +build !oss
+
+/*
+ * Copyright 2018 Dgraph Labs, Inc. and Contributors
+ *
+ * Licensed under the Dgraph Community License (the "License"); you
+ * may not use this file except in compliance with the License. You
+ * may obtain a copy of the License at
+ *
+ *     https://github.com/dgraph-io/dgraph/blob/master/licenses/DCL.txt
+ */
+
+package enc
+
+import (
+	"github.com/dgraph-io/dgraph/x"
+	"io/ioutil"
+)
+
+// EeBuild indicates if this is a Enterprise build.
+var EeBuild = true
+
+// ReadEncryptionKeyFile returns the encryption key in the given file.
+func ReadEncryptionKeyFile(filepath string) []byte {
+	if filepath == "" {
+		return nil
+	}
+	k, err := ioutil.ReadFile(filepath)
+	x.Checkf(err, "Error reading encryption key file (%v)", filepath)
+
+	// len must be 16,24,32 bytes if given. All other lengths are invalid.
+	klen := len(k)
+	x.AssertTruef(klen == 16 || klen == 24 || klen == 32,
+		"Invalid encryption key length = %v", klen)
+
+	return k
+}

worker/config.go

@@ -44,6 +44,8 @@ type Options struct {
 	BadgerTables string
 	// BadgerVlog is the name of the mode used to load the badger value log.
 	BadgerVlog string
+	// BadgerKeyFile is the file containing the key used for encryption. Enterprise only feature.
+	BadgerKeyFile string
 	// WALDir is the path to the directory storing the write-ahead log.
 	WALDir string
 	// MutationsMode is the mode used to handle mutation requests.