storage: use EncryptionOptions instead of byte[]

Previously the encryption options were passed as a byte[] instead of
actual EncryptionOptions to allow them in CCL code. This change removes
the unnecessary conversion.

Epic: CRDB-41111

Release note: None

Author: andrewbaptist

pkg/base/config.go

@@ -18,6 +18,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/roachpb"
 	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/settings/cluster"
+	"github.com/cockroachdb/cockroach/pkg/storage/storagepb"
 	"github.com/cockroachdb/cockroach/pkg/util/envutil"
 	"github.com/cockroachdb/cockroach/pkg/util/mon"
 	"github.com/cockroachdb/cockroach/pkg/util/retry"
@@ -933,10 +934,8 @@ type WALFailoverConfig struct {
 // configuration.
 type ExternalPath struct {
 	Path string
-	// EncryptionOptions is a serialized protobuf set by Go CCL code describing
-	// the encryption-at-rest configuration. If encryption-at-rest has ever been
-	// enabled on the store, this field must be set.
-	EncryptionOptions []byte
+	// EncryptionOptions is set if encryption is enabled.
+	EncryptionOptions *storagepb.EncryptionOptions
 }
 
 // IsSet returns whether or not the external path was provided.

pkg/base/store_spec.go

@@ -215,10 +215,8 @@ type StoreSpec struct {
 	// delete_range_flush_delay=2s
 	// flush_split_bytes=4096
 	PebbleOptions string
-	// EncryptionOptions is a serialized protobuf set by Go CCL code and passed
-	// through to C CCL code to set up encryption-at-rest.  Must be set if and
-	// only if encryption is enabled, otherwise left empty.
-	EncryptionOptions []byte
+	// EncryptionOptions is set if encryption is enabled.
+	EncryptionOptions *storagepb.EncryptionOptions
 	// ProvisionedRateSpec is optional.
 	ProvisionedRateSpec ProvisionedRateSpec
 }
@@ -276,7 +274,7 @@ func (ss StoreSpec) String() string {
 
 // IsEncrypted returns whether the StoreSpec has encryption enabled.
 func (ss StoreSpec) IsEncrypted() bool {
-	return len(ss.EncryptionOptions) > 0
+	return ss.EncryptionOptions != nil
 }
 
 // fractionRegex is the regular expression that recognizes whether
@@ -639,16 +637,12 @@ func PopulateWithEncryptionOpts(
 			}
 
 			// Found a matching path.
-			if len(storeSpecs.Specs[i].EncryptionOptions) > 0 {
+			if storeSpecs.Specs[i].EncryptionOptions != nil {
 				return fmt.Errorf("store with path %s already has an encryption setting",
 					storeSpecs.Specs[i].Path)
 			}
 
-			opts, err := es.ToEncryptionOptions()
-			if err != nil {
-				return err
-			}
-			storeSpecs.Specs[i].EncryptionOptions = opts
+			storeSpecs.Specs[i].EncryptionOptions = &es.Options
 			found = true
 			break
 		}
@@ -661,15 +655,11 @@ func PopulateWithEncryptionOpts(
 			// WALFailoverConfig.PrevPath are only ever set in single-store
 			// configurations. In multi-store with among-stores failover mode, these
 			// will be empty (so we won't encounter the same path twice).
-			if len(externalPath.EncryptionOptions) > 0 {
+			if externalPath.EncryptionOptions != nil {
 				return fmt.Errorf("WAL failover path %s already has an encryption setting",
 					externalPath.Path)
 			}
-			opts, err := es.ToEncryptionOptions()
-			if err != nil {
-				return err
-			}
-			externalPath.EncryptionOptions = opts
+			externalPath.EncryptionOptions = &es.Options
 			found = true
 		}
 

pkg/ccl/storageccl/engineccl/encrypted_fs.go

@@ -287,17 +287,16 @@ func init() {
 }
 
 // newEncryptedEnv creates an encrypted environment and returns the vfs.FS to use for reading and
-// writing data. The optionBytes is a binary serialized storagepb.EncryptionOptions, so that non-CCL
-// code does not depend on CCL code.
+// writing data.
 //
 // See the comment at the top of this file for the structure of this environment.
 func newEncryptedEnv(
-	unencryptedFS vfs.FS, fr *fs.FileRegistry, dbDir string, readOnly bool, optionBytes []byte,
+	unencryptedFS vfs.FS,
+	fr *fs.FileRegistry,
+	dbDir string,
+	readOnly bool,
+	options *storagepb.EncryptionOptions,
 ) (*fs.EncryptionEnv, error) {
-	options := &storagepb.EncryptionOptions{}
-	if err := protoutil.Unmarshal(optionBytes, options); err != nil {
-		return nil, err
-	}
 	if options.KeySource != storagepb.EncryptionKeySource_KeyFiles {
 		return nil, fmt.Errorf("unknown encryption key source: %d", options.KeySource)
 	}

pkg/ccl/storageccl/engineccl/encrypted_fs_test.go

@@ -236,15 +236,14 @@ func TestPebbleEncryption(t *testing.T) {
 	keyFile128 := "111111111111111111111111111111111234567890123456"
 	writeToFile(t, stickyRegistry.Get(stickyVFSID), "16.key", []byte(keyFile128))
 
-	encOptionsBytes, err := protoutil.Marshal(&storagepb.EncryptionOptions{
+	encOptions := &storagepb.EncryptionOptions{
 		KeySource: storagepb.EncryptionKeySource_KeyFiles,
 		KeyFiles: &storagepb.EncryptionKeyFiles{
 			CurrentKey: "16.key",
 			OldKey:     "plain",
 		},
 		DataKeyRotationPeriod: 1000, // arbitrary seconds
-	})
-	require.NoError(t, err)
+	}
 
 	func() {
 		// Initialize the filesystem env.
@@ -254,7 +253,7 @@ func TestPebbleEncryption(t *testing.T) {
 				InMemory:          true,
 				Attributes:        roachpb.Attributes{},
 				Size:              base.SizeSpec{InBytes: 512 << 20},
-				EncryptionOptions: encOptionsBytes,
+				EncryptionOptions: encOptions,
 				StickyVFSID:       stickyVFSID,
 			},
 			fs.ReadWrite,
@@ -303,7 +302,7 @@ func TestPebbleEncryption(t *testing.T) {
 				InMemory:          true,
 				Attributes:        roachpb.Attributes{},
 				Size:              base.SizeSpec{InBytes: 512 << 20},
-				EncryptionOptions: encOptionsBytes,
+				EncryptionOptions: encOptions,
 				StickyVFSID:       stickyVFSID,
 			},
 			fs.ReadWrite,
@@ -374,15 +373,14 @@ func TestPebbleEncryption2(t *testing.T) {
 	addKeyAndValidate := func(
 		key string, val string, encKeyFile string, oldEncFileKey string,
 	) {
-		encOptionsBytes, err := protoutil.Marshal(&storagepb.EncryptionOptions{
+		encOptions := &storagepb.EncryptionOptions{
 			KeySource: storagepb.EncryptionKeySource_KeyFiles,
 			KeyFiles: &storagepb.EncryptionKeyFiles{
 				CurrentKey: encKeyFile,
 				OldKey:     oldEncFileKey,
 			},
 			DataKeyRotationPeriod: 1000,
-		})
-		require.NoError(t, err)
+		}
 
 		// Initialize the filesystem env.
 		ctx := context.Background()
@@ -392,7 +390,7 @@ func TestPebbleEncryption2(t *testing.T) {
 				InMemory:          true,
 				Attributes:        roachpb.Attributes{},
 				Size:              base.SizeSpec{InBytes: 512 << 20},
-				EncryptionOptions: encOptionsBytes,
+				EncryptionOptions: encOptions,
 				StickyVFSID:       stickyVFSID,
 			},
 			fs.ReadWrite,
@@ -507,10 +505,10 @@ func (ptfs *plainTestFS) syncDir(t *testing.T) {}
 // encryptedTestFS is the encrypted FS being tested.
 type encryptedTestFS struct {
 	// The base strict FS which is wrapped for error injection and encryption.
-	mem             *vfs.MemFS
-	encOptionsBytes []byte
-	errorProb       float64
-	errorRand       *rand.Rand
+	mem        *vfs.MemFS
+	encOptions *storagepb.EncryptionOptions
+	errorProb  float64
+	errorRand  *rand.Rand
 
 	encEnv *fs.EncryptionEnv
 }
@@ -543,7 +541,7 @@ func (etfs *encryptedTestFS) restart() error {
 		return err
 	}
 	encEnv, err := newEncryptedEnv(
-		fsMeta, fileRegistry, "", false, etfs.encOptionsBytes)
+		fsMeta, fileRegistry, "", false, etfs.encOptions)
 	if err != nil {
 		return err
 	}
@@ -574,14 +572,12 @@ func makeEncryptedTestFS(t *testing.T, errorProb float64, errorRand *rand.Rand)
 	// TODO(sumeer): Do deterministic data key rotation. Inject kmTimeNow and
 	// operations that advance time.
 	encOptions.DataKeyRotationPeriod = 100000
-	encOptionsBytes, err := protoutil.Marshal(&encOptions)
-	require.NoError(t, err)
 	etfs := &encryptedTestFS{
-		mem:             mem,
-		encOptionsBytes: encOptionsBytes,
-		errorProb:       errorProb,
-		errorRand:       errorRand,
-		encEnv:          nil,
+		mem:        mem,
+		encOptions: &encOptions,
+		errorProb:  errorProb,
+		errorRand:  errorRand,
+		encEnv:     nil,
 	}
 	require.NoError(t, etfs.restart())
 	return etfs

pkg/cli/ear_test.go

@@ -46,8 +46,7 @@ func TestDecrypt(t *testing.T) {
 	encSpecStr := fmt.Sprintf("path=%s,key=%s,old-key=plain", dir, keyPath)
 	encSpec, err := storagepb.NewStoreEncryptionSpec(encSpecStr)
 	require.NoError(t, err)
-	encOpts, err := encSpec.ToEncryptionOptions()
-	require.NoError(t, err)
+	encOpts := &encSpec.Options
 
 	env, err := fs.InitEnv(ctx, vfs.Default, dir, fs.EnvConfig{EncryptionOptions: encOpts}, nil /* statsCollector */)
 	require.NoError(t, err)
@@ -129,8 +128,7 @@ func TestList(t *testing.T) {
 	encSpecStr := fmt.Sprintf("path=%s,key=%s,old-key=plain", dir, keyPath)
 	encSpec, err := storagepb.NewStoreEncryptionSpec(encSpecStr)
 	require.NoError(t, err)
-	encOpts, err := encSpec.ToEncryptionOptions()
-	require.NoError(t, err)
+	encOpts := &encSpec.Options
 	env, err := fs.InitEnv(ctx, vfs.Default, dir, fs.EnvConfig{EncryptionOptions: encOpts}, nil /* statsCollector */)
 	require.NoError(t, err)
 	p, err := storage.Open(ctx, env, cluster.MakeTestingClusterSettings())

pkg/storage/BUILD.bazel

@@ -178,6 +178,7 @@ go_test(
         "//pkg/storage/disk",
         "//pkg/storage/enginepb",
         "//pkg/storage/fs",
+        "//pkg/storage/storagepb",
         "//pkg/testutils",
         "//pkg/testutils/datapathutils",
         "//pkg/testutils/echotest",

pkg/storage/fs/BUILD.bazel

@@ -20,6 +20,7 @@ go_library(
         "//pkg/settings",
         "//pkg/storage/disk",
         "//pkg/storage/enginepb",
+        "//pkg/storage/storagepb",
         "//pkg/util/buildutil",
         "//pkg/util/envutil",
         "//pkg/util/log",

pkg/storage/fs/encryption_at_rest.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 
+	"github.com/cockroachdb/cockroach/pkg/storage/storagepb"
 	"github.com/cockroachdb/errors"
 	"github.com/cockroachdb/pebble/vfs"
 )
@@ -18,16 +19,20 @@ import (
 // and writing data. This should be initialized by calling engineccl.Init() before calling
 // NewPebble(). The optionBytes is a binary serialized storagepb.EncryptionOptions.
 var NewEncryptedEnvFunc func(
-	fs vfs.FS, fr *FileRegistry, dbDir string, readOnly bool, optionBytes []byte,
+	fs vfs.FS, fr *FileRegistry, dbDir string, readOnly bool, encryptionOptions *storagepb.EncryptionOptions,
 ) (*EncryptionEnv, error)
 
 // resolveEncryptedEnvOptions creates the EncryptionEnv and associated file
 // registry if this store has encryption-at-rest enabled; otherwise returns a
 // nil EncryptionEnv.
 func resolveEncryptedEnvOptions(
-	ctx context.Context, unencryptedFS vfs.FS, dir string, encryptionOpts []byte, rw RWMode,
+	ctx context.Context,
+	unencryptedFS vfs.FS,
+	dir string,
+	encryptionOpts *storagepb.EncryptionOptions,
+	rw RWMode,
 ) (*FileRegistry, *EncryptionEnv, error) {
-	if len(encryptionOpts) == 0 {
+	if encryptionOpts == nil {
 		// There's no encryption config. This is valid if the user doesn't
 		// intend to use encryption-at-rest, and the store has never had
 		// encryption-at-rest enabled. Validate that there's no file registry.

pkg/storage/fs/fs.go

@@ -17,6 +17,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/cli/exit"
 	"github.com/cockroachdb/cockroach/pkg/settings"
 	"github.com/cockroachdb/cockroach/pkg/storage/disk"
+	"github.com/cockroachdb/cockroach/pkg/storage/storagepb"
 	"github.com/cockroachdb/cockroach/pkg/util/buildutil"
 	"github.com/cockroachdb/cockroach/pkg/util/envutil"
 	"github.com/cockroachdb/errors"
@@ -121,7 +122,7 @@ func InitEnvFromStoreSpec(
 // EnvConfig provides additional configuration settings for Envs.
 type EnvConfig struct {
 	RW                RWMode
-	EncryptionOptions []byte
+	EncryptionOptions *storagepb.EncryptionOptions
 }
 
 // InitEnv initializes a new virtual filesystem environment.

pkg/storage/min_version_test.go

@@ -14,6 +14,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/roachpb"
 	"github.com/cockroachdb/cockroach/pkg/settings/cluster"
 	"github.com/cockroachdb/cockroach/pkg/storage/fs"
+	"github.com/cockroachdb/cockroach/pkg/storage/storagepb"
 	"github.com/cockroachdb/cockroach/pkg/util/leaktest"
 	"github.com/cockroachdb/cockroach/pkg/util/log"
 	"github.com/cockroachdb/pebble/vfs"
@@ -118,7 +119,7 @@ func TestMinVersion_IsNotEncrypted(t *testing.T) {
 	st := cluster.MakeClusterSettings()
 	baseFS := vfs.NewMem()
 	env, err := fs.InitEnv(ctx, baseFS, "", fs.EnvConfig{
-		EncryptionOptions: []byte("foo"),
+		EncryptionOptions: &storagepb.EncryptionOptions{},
 	}, nil /* statsCollector */)
 	require.NoError(t, err)
 
@@ -136,7 +137,11 @@ func TestMinVersion_IsNotEncrypted(t *testing.T) {
 }
 
 func fauxNewEncryptedEnvFunc(
-	unencryptedFS vfs.FS, fr *fs.FileRegistry, dbDir string, readOnly bool, optionBytes []byte,
+	unencryptedFS vfs.FS,
+	fr *fs.FileRegistry,
+	dbDir string,
+	readOnly bool,
+	_ *storagepb.EncryptionOptions,
 ) (*fs.EncryptionEnv, error) {
 	return &fs.EncryptionEnv{
 		Closer: nopCloser{},

pkg/storage/open.go

@@ -257,11 +257,11 @@ func makeExternalWALDir(
 	// If the store is encrypted, we require that all the WAL failover dirs also
 	// be encrypted so that the user doesn't accidentally leak data unencrypted
 	// onto the filesystem.
-	if engineCfg.env.Encryption != nil && len(externalDir.EncryptionOptions) == 0 {
+	if engineCfg.env.Encryption != nil && externalDir.EncryptionOptions == nil {
 		return wal.Dir{}, errors.Newf("must provide --enterprise-encryption flag for %q, used as WAL failover path for encrypted store %q",
 			externalDir.Path, engineCfg.env.Dir)
 	}
-	if engineCfg.env.Encryption == nil && len(externalDir.EncryptionOptions) != 0 {
+	if engineCfg.env.Encryption == nil && externalDir.EncryptionOptions != nil {
 		return wal.Dir{}, errors.Newf("must provide --enterprise-encryption flag for store %q, specified WAL failover path %q is encrypted",
 			engineCfg.env.Dir, externalDir.Path)
 	}

pkg/storage/open_test.go

@@ -17,6 +17,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/roachpb"
 	"github.com/cockroachdb/cockroach/pkg/settings/cluster"
 	"github.com/cockroachdb/cockroach/pkg/storage/fs"
+	"github.com/cockroachdb/cockroach/pkg/storage/storagepb"
 	"github.com/cockroachdb/cockroach/pkg/testutils/datapathutils"
 	"github.com/cockroachdb/cockroach/pkg/util/leaktest"
 	"github.com/cockroachdb/cockroach/pkg/util/log"
@@ -63,7 +64,7 @@ func TestWALFailover(t *testing.T) {
 
 				var envConfig fs.EnvConfig
 				if td.HasArg("encrypted-at-rest") {
-					envConfig.EncryptionOptions = []byte("test-encryption-options")
+					envConfig.EncryptionOptions = &storagepb.EncryptionOptions{}
 				}
 				if td.HasArg("read-only") {
 					envConfig.RW = fs.ReadOnly
@@ -88,10 +89,10 @@ func TestWALFailover(t *testing.T) {
 					}
 				}
 				if td.HasArg("path-encrypted") {
-					cfg.Path.EncryptionOptions = []byte("path-encryption-options")
+					cfg.Path.EncryptionOptions = &storagepb.EncryptionOptions{}
 				}
 				if td.HasArg("prev-path-encrypted") {
-					cfg.PrevPath.EncryptionOptions = []byte("prev-encryption-options")
+					cfg.PrevPath.EncryptionOptions = &storagepb.EncryptionOptions{}
 				}
 				openEnv := getEnv(openDir)
 				if openEnv == nil {

pkg/storage/storagepb/BUILD.bazel

@@ -25,7 +25,6 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/cli/cliflags",
-        "//pkg/util/protoutil",
         "@com_github_cockroachdb_errors//:errors",
         "@com_github_spf13_pflag//:pflag",
     ],