use environment variable and PBKDF to generate main encrypt key (#15711)

* use environment variable and PBKDF to generate main encrypt key

* modify the error information

Author: zhujt20

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/conf/IoTDBDescriptor.java

@@ -1791,9 +1791,6 @@ private void loadTsFileProps(TrimProperties properties) throws IOException {
     TSFileDescriptor.getInstance()
         .getConfig()
         .setEncryptType(properties.getProperty("encrypt_type", "UNENCRYPTED"));
-    TSFileDescriptor.getInstance()
-        .getConfig()
-        .setEncryptKeyFromPath(properties.getProperty("encrypt_key_path", ""));
   }
 
   // Mqtt related

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/conf/IoTDBStartCheck.java

@@ -29,10 +29,10 @@
 import org.apache.iotdb.db.storageengine.dataregion.wal.utils.WALMode;
 import org.apache.iotdb.db.storageengine.rescon.disk.DirectoryChecker;
 
-import com.google.common.base.Objects;
 import org.apache.commons.io.FileUtils;
-import org.apache.tsfile.common.conf.TSFileConfig;
+import org.apache.tsfile.common.conf.TSFileDescriptor;
 import org.apache.tsfile.encrypt.EncryptUtils;
+import org.apache.tsfile.exception.encrypt.EncryptException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -41,6 +41,7 @@
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.Objects;
 import java.util.Properties;
 import java.util.function.Supplier;
 
@@ -306,11 +307,19 @@ public void serializeClusterID(String clusterId) throws IOException {
   }
 
   public void serializeEncryptMagicString() throws IOException {
+    if (!Objects.equals(TSFileDescriptor.getInstance().getConfig().getEncryptType(), "UNENCRYPTED")
+        && !Objects.equals(
+            TSFileDescriptor.getInstance().getConfig().getEncryptType(),
+            "org.apache.tsfile.encrypt.UNENCRYPTED")) {
+      String token = System.getenv("user_encrypt_token");
+      if (token == null || token.trim().isEmpty()) {
+        throw new EncryptException(
+            "encryptType is not UNENCRYPTED, but user_encrypt_token is not set. Please set it in the environment variable.");
+      }
+    }
     String encryptMagicString =
         EncryptUtils.byteArrayToHexString(
-            EncryptUtils.getEncrypt()
-                .getEncryptor()
-                .encrypt(magicString.getBytes(TSFileConfig.STRING_CHARSET)));
+            TSFileDescriptor.getInstance().getConfig().getEncryptKey());
     systemProperties.put(ENCRYPT_MAGIC_STRING, () -> encryptMagicString);
     generateOrOverwriteSystemPropertiesFile();
   }
@@ -354,15 +363,7 @@ public void checkEncryptMagicString() throws IOException, ConfigurationException
     String encryptMagicString = properties.getProperty("encrypt_magic_string");
     if (encryptMagicString != null) {
       byte[] magicBytes = EncryptUtils.hexStringToByteArray(encryptMagicString);
-      String newMagicString =
-          new String(
-              EncryptUtils.getEncrypt().getDecryptor().decrypt(magicBytes),
-              TSFileConfig.STRING_CHARSET);
-      if (!Objects.equal(magicString, newMagicString)) {
-        logger.error("encrypt_magic_string is not matched");
-        throw new ConfigurationException(
-            "Changing encrypt key for tsfile encryption after first start is not permitted");
-      }
+      TSFileDescriptor.getInstance().getConfig().setEncryptKey(magicBytes);
     }
   }
 }

pom.xml

@@ -175,7 +175,7 @@
         <thrift.version>0.14.1</thrift.version>
         <xz.version>1.9</xz.version>
         <zstd-jni.version>1.5.6-3</zstd-jni.version>
-        <tsfile.version>2.1.0-250521-SNAPSHOT</tsfile.version>
+        <tsfile.version>2.1.0-250612-SNAPSHOT</tsfile.version>
     </properties>
     <!--
     if we claim dependencies in dependencyManagement, then we do not claim