tikv 开启kms静态加密后节点无法启动

🪐 TiDB 技术问题
1

【TiDB 使用环境】测试环境

相关配置

    tikv:
        readpool.coprocessor.use-unified-pool: true
        readpool.storage.use-unified-pool: false
        security.encryption.data-encryption-method: aes128-ctr
        security.encryption.master-key.endpoint: https://kms.ap-east-1.amazonaws.com
        security.encryption.master-key.key-id: cxxxx
        security.encryption.master-key.region: ap-east-1
        security.encryption.master-key.type: kms
        security.encryption.master-key.vendor: aws
    pd:
        replication.location-labels:
            - az
            - rack
            - host
        schedule.leader-schedule-limit: 32
        schedule.region-schedule-limit: 2048
        schedule.replica-schedule-limit: 64
        security.encryption.data-encryption-method: aes128-ctr

相关报错

[2025/10/28 15:54:37.755 +08:00] [INFO] [lib.rs:43] ["Encryption init aws backend"] [vendor=aws] [key_id=c0f49b7a] [endpoint=https://kms.ap-east-1.amazonaws.com] [region=ap-east-1] [thread_id=1]
[2025/10/28 15:54:37.761 +08:00] [INFO] [file_dict_file.rs:143] ["installing new dictionary file"] [new_size=16] [old_size=0] [name=/data1/tidb-data/tikv-20160/file.2216605091375785177.tmp] [thread_id=1]
[2025/10/28 15:54:37.761 +08:00] [INFO] [mod.rs:139] ["encryption: file dict is empty and none of key dictionary are found."] [thread_id=1]
[2025/10/28 15:54:37.761 +08:00] [INFO] [mod.rs:556] ["encryption is being enabled. method = Aes128Ctr"] [thread_id=1]
[2025/10/28 15:54:37.761 +08:00] [INFO] [file_dict_file.rs:143] ["installing new dictionary file"] [new_size=16] [old_size=0] [name=/data1/tidb-data/tikv-20160/file.12333171459221849332.tmp] [thread_id=1]
[2025/10/28 15:54:37.761 +08:00] [INFO] [mod.rs:299] ["encryption: rotate data key."] [key_id=2074131664341] [thread_id=1]
[2025/10/28 16:02:34.457 +08:00] [FATAL] [lib.rs:510] ["Encryption failed to initialize: Cloud KMS error Other error [components/tikv_util/src/stream.rs:187]: request timeout. duration: 10s get data key failed. code: KV:Cloud:Unknown"] [backtrace="   0: tikv_util::set_panic_hook::{{closure}}\n             at /workspace/source/tikv/components/tikv_util/src/lib.rs:509:18\n   1: <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call\n             at /root/.rustup/toolchains/nightly-2022-11-15-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/boxed.rs:2032:9\n      std::panicking::rust_panic_with_hook\n             at /root/.rustup/toolchains/nightly-2022-11-15-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:692:13\n   2: std::panicking::begin_panic_handler::{{closure}}\n             at /root/.rustup/toolchains/nightly-2022-11-15-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:579:13\n   3: std::sys_common::backtrace::__rust_end_short_backtrace\n             at /root/.rustup/toolchains/nightly-2022-11-15-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:137:18\n   4: rust_begin_unwind\n             at /root/.rustup/toolchains/nightly-2022-11-15-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:575:5\n   5: core::panicking::panic_fmt\n             at /root/.rustup/toolchains/nightly-2022-11-15-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/panicking.rs:65:14\n   6: server::common::TikvServerCore::init_encryption::{{closure}}\n             at /workspace/source/tikv/components/server/src/common.rs:263:13\n      core::result::Result<T,E>::map_err\n             at /root/.rustup/toolchains/nightly-2022-11-15-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/result.rs:861:27\n      server::common::TikvServerCore::init_encryption\n             at /workspace/source/tikv/components/server/src/common.rs:258:39\n   7: server::server::run_impl\n             at /workspace/source/tikv/components/server/src/server.rs:152:5\n   8: server::server::run_tikv\n             at /workspace/source/tikv/components/server/src/server.rs:222:5\n      tikv_server::main\n             at /workspace/source/tikv/cmd/tikv-server/src/main.rs:225:31\n   9: core::ops::function::FnOnce::call_once\n             at /root/.rustup/toolchains/nightly-2022-11-15-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:513:5\n      std::sys_common::backtrace::__rust_begin_short_backtrace\n             at /root/.rustup/toolchains/nightly-2022-11-15-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:121:18\n  10: main\n  11: __libc_start_main\n  12: <unknown>\n"] [location=components/server/src/common.rs:263] [thread_name=main] [thread_id=1]
2

本地key模式 可以正常使用 排除这个加密模块的问题 可能是kms模块的问题

3

远程地址通的吗

4

都是通的 用了腾讯云的kms也是一样的

5

加密策略是否都已经应用到 tikv呢,分别都检查下各个节点的值

6

都应用了 目前单台调试 并且检查config 已经同步 就卡着了

7

`nslookup kms.ap-east-1.amazonaws.com域名能解析到正确的 AWS KMS 地址吧
KMS 调用超时时间如60秒(request timeout. duration: 10s get data key failed)试下

8

还有别的招数吗大佬 目前还是不行的 固定请求腾讯云的kms也不行

9

加密协议不适配吧

10

先检查是不是缺少了AWS凭据或者权限?