accumulo-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mmil...@apache.org
Subject [accumulo-website] branch asf-site updated: Jekyll build from master:2d51393
Date Mon, 01 Oct 2018 21:07:02 GMT
This is an automated email from the ASF dual-hosted git repository.

mmiller pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/accumulo-website.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 06e7cac  Jekyll build from master:2d51393
06e7cac is described below

commit 06e7cac5614e5143daf6f9f449ed644b15ff04f5
Author: Mike Miller <mmiller@apache.org>
AuthorDate: Mon Oct 1 17:04:47 2018 -0400

    Jekyll build from master:2d51393
    
    Add documentation for crypto (#108)
---
 docs/2.0/administration/caching.html               |   2 +
 .../administration/configuration-management.html   |   2 +
 .../{scan-executors.html => crypto.html}           | 195 +++++++++------------
 docs/2.0/administration/fate.html                  |   2 +
 docs/2.0/administration/in-depth-install.html      |   2 +
 docs/2.0/administration/kerberos.html              |   2 +
 docs/2.0/administration/monitoring-metrics.html    |   2 +
 docs/2.0/administration/multivolume.html           |   2 +
 docs/2.0/administration/properties.html            |   2 +
 docs/2.0/administration/replication.html           |   2 +
 docs/2.0/administration/scan-executors.html        |   2 +
 docs/2.0/administration/ssl.html                   |   2 +
 docs/2.0/administration/tracing.html               |   2 +
 docs/2.0/administration/upgrading.html             |   2 +
 docs/2.0/development/client-properties.html        |   2 +
 docs/2.0/development/development_tools.html        |   2 +
 docs/2.0/development/high_speed_ingest.html        |   2 +
 docs/2.0/development/iterators.html                |   2 +
 docs/2.0/development/mapreduce.html                |   2 +
 docs/2.0/development/proxy.html                    |   2 +
 docs/2.0/development/sampling.html                 |   2 +
 docs/2.0/development/security.html                 |   2 +
 docs/2.0/development/summaries.html                |   2 +
 docs/2.0/getting-started/clients.html              |   2 +
 docs/2.0/getting-started/design.html               |   2 +
 docs/2.0/getting-started/quick-install.html        |   2 +
 docs/2.0/getting-started/shell.html                |   2 +
 docs/2.0/getting-started/table_configuration.html  |   2 +
 docs/2.0/getting-started/table_design.html         |   2 +
 docs/2.0/troubleshooting/advanced.html             |   2 +
 docs/2.0/troubleshooting/basic.html                |   2 +
 docs/2.0/troubleshooting/performance.html          |   2 +
 .../troubleshooting/system-metadata-tables.html    |   2 +
 docs/2.0/troubleshooting/tools.html                |   2 +
 feed.xml                                           |   4 +-
 search_data.json                                   |   7 +
 36 files changed, 155 insertions(+), 117 deletions(-)

diff --git a/docs/2.0/administration/caching.html b/docs/2.0/administration/caching.html
index 916c155..93bbe5c 100644
--- a/docs/2.0/administration/caching.html
+++ b/docs/2.0/administration/caching.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/administration/configuration-management.html b/docs/2.0/administration/configuration-management.html
index d0833fa..851ec07 100644
--- a/docs/2.0/administration/configuration-management.html
+++ b/docs/2.0/administration/configuration-management.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/administration/scan-executors.html b/docs/2.0/administration/crypto.html
similarity index 62%
copy from docs/2.0/administration/scan-executors.html
copy to docs/2.0/administration/crypto.html
index 99756b2..a65c6b1 100644
--- a/docs/2.0/administration/scan-executors.html
+++ b/docs/2.0/administration/crypto.html
@@ -25,7 +25,7 @@
 <link rel="stylesheet" type="text/css" href="https://cdn.datatables.net/v/bs/jq-2.2.3/dt-1.10.12/datatables.min.css">
 <link href="/css/accumulo.css" rel="stylesheet" type="text/css">
 
-<title>Accumulo Documentation - Scan Executors</title>
+<title>Accumulo Documentation - On Disk Encryption</title>
 
 <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
 <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
@@ -330,153 +332,116 @@
   </div>
   <div class="col-md-9">
     
-    <p>Accumulo 2.0 documentation &nbsp;&gt;&gt;&nbsp; Administration &nbsp;&gt;&gt;&nbsp; Scan Executors</p>
+    <p>Accumulo 2.0 documentation &nbsp;&gt;&gt;&nbsp; Administration &nbsp;&gt;&gt;&nbsp; On Disk Encryption</p>
     
 
     <div class="alert alert-danger" style="margin-bottom: 0px;" role="alert">This documentation is for a future release of Accumulo! <a href="/1.9/accumulo_user_manual.html">View documentation for the latest release</a>.</div>
 
     <div class="row">
-      <div class="col-md-10"><h1>Scan Executors</h1></div>
-      <div class="col-md-2"><a class="pull-right" style="margin-top: 25px;" href="https://github.com/apache/accumulo-website/edit/master/_docs-2-0/administration/scan-executors.md" role="button"><i class="glyphicon glyphicon-pencil"></i> <small>Edit this page</small></a></div>
+      <div class="col-md-10"><h1>On Disk Encryption</h1></div>
+      <div class="col-md-2"><a class="pull-right" style="margin-top: 25px;" href="https://github.com/apache/accumulo-website/edit/master/_docs-2-0/administration/crypto.md" role="button"><i class="glyphicon glyphicon-pencil"></i> <small>Edit this page</small></a></div>
     </div>
 
-    <p>Accumulo scans operate by repeatedly fetching batches of data from a <a href="/docs/2.0/getting-started/design#tablet-server-1">tablet
-server</a>.  On the tablet server side, a thread pool fetches batches.
-In Java threads pools are called executors.  By default, a single executor per
-tablet server handles all scans in FIFO order.  For some workloads, the single
-FIFO executor is suboptimal.  For example, consider many unimportant scans
-reading lots of data mixed with a few important scans reading small amounts of
-data.  The long scans noticeably increase the latency of the short scans.
-Accumulo offers two mechanisms to help improve situations like this: multiple
-scan executors and per executor prioritizers.  Additional scan executors can
-give tables dedicated resources.  For each scan executor, an optional
-prioritizer can reorder queued work.</p>
-
-<h3 id="configuring-and-using-scan-executors">Configuring and using Scan Executors</h3>
-
-<p>By default, Accumulo sets <code class="highlighter-rouge">tserver.scan.executors.default.threads=16</code> which
-creates the default scan executor.  To configure additional scan executors,
-chose a unique name and configure <a href="/docs/2.0/administration/properties#tserver_scan_executors_prefix">tserver.scan.executors.*</a>.  Setting
-the following causes each tablet server to create a scan executor with the
-specified threads.</p>
-
-<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>tserver.scan.executors.&lt;name&gt;.threads=&lt;number&gt;
-</code></pre></div></div>
+    <p>For an additional layer of security, Accumulo can encrypt files stored on disk.  On Disk encryption was reworked 
+for 2.0, making it easier to configure and more secure.  The files that can be encrypted include: <a href="/docs/2.0/getting-started/design#rfile">RFiles</a> and Write Ahead Logs (WALs).
+For information on encrypting data over the wire see the section on <a href="/docs/2.0/administration/ssl">SSL</a>.  For information on cryptographic client-server authentication see the section on <a href="/docs/2.0/administration/kerberos">Kerberos</a>.</p>
 
-<p>Optionally, some of the following can be set.  The <code class="highlighter-rouge">priority</code> setting
-determines thread priority.  The <code class="highlighter-rouge">prioritizer</code> settings specifies a class that
-orders pending work.</p>
+<h2 id="configuration">Configuration</h2>
 
-<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>tserver.scan.executors.&lt;name&gt;.priority=&lt;number 1 to 10&gt;
-tserver.scan.executors.&lt;name&gt;.prioritizer=&lt;class name&gt;
-tserver.scan.executors.&lt;name&gt;.prioritizer.opts.&lt;key&gt;=&lt;value&gt;
+<p>To encrypt all tables on disk, encryption must be enabled before an Accumulo instance is initialized.  If on disk 
+encryption is enabled on an existing cluster, only files created after it is enabled will be encrypted 
+(root and metadata tables will not be encrypted in this case) and existing data won’t be encrypted until compaction.  To configure on disk encryption, add the 
+<a href="/docs/2.0/administration/properties#instance_crypto_service">instance.crypto.service</a> property to your <code class="highlighter-rouge">accumulo.properties</code> file.  The value of this property is the
+class name of the service which will perform crypto on RFiles and WALs.</p>
+<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>instance.crypto.service=org.apache.accumulo.core.security.crypto.impl.AESCryptoService
 </code></pre></div></div>
-
-<p>After creating an executor, configure <a href="/docs/2.0/administration/properties#table_scan_dispatcher">table.scan.dispatcher</a> to use it.  A
-dispatcher is Java subclass of <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/1.9.2/org/apache/accumulo/core/spi/scan/ScanDispatcher.html">ScanDispatcher</a>
-that decides which scan executor should service a table.  Set the following table
-property to configure a dispatcher.</p>
-
-<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>table.scan.dispatcher=&lt;class name&gt;
+<p>Out of the box, Accumulo provides the <code class="highlighter-rouge">AESCryptoService</code> for basic encryption needs.  This class provides AES encryption 
+with Galois/Counter Mode (GCM) for RFiles and Cipher Block Chaining (CBC) mode for WALs.  The additional properties 
+below are required by this crypto service to be set using the <a href="/docs/2.0/administration/properties#instance_crypto_opts_prefix">instance.crypto.opts.*</a> prefix.</p>
+<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>instance.crypto.opts.key.provider=uri
+instance.crypto.opts.key.location=file:///secure/path/to/crypto-key-file
 </code></pre></div></div>
+<p>The first property tells the crypto service how it will get the key encryption key.  The second property tells the service 
+where to find the key.  For now, the only valid values are “uri” and the path to the key file. The key file can be 16 or 32 bytes. 
+For example, openssl can be used to create a random 32 byte key:</p>
+<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>openssl rand -out /path/to/keyfile 32
+</code></pre></div></div>
+<p>Initializing Accumulo after these instance properties are set, will enable on disk encryption across your entire cluster.</p>
 
-<p>Scan dispatcher options can be set with properties like the following.</p>
+<h2 id="custom-crypto">Custom Crypto</h2>
 
-<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>table.scan.dispatcher.opts.&lt;key&gt;=&lt;value&gt;
+<p>The new crypto interface for 2.0 allows for easier custom implementation of encryption and decryption. Your
+class only has to implement the <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/1.9.2/org/apache/accumulo/core/spi/crypto/CryptoService.html">CryptoService</a> interface to work with Accumulo.
+The interface has 3 methods:</p>
+<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code>  <span class="kt">void</span> <span class="nf">init</span><span class="o">(</span><span class="n">Map</span><span class="o">&lt;</span><span class="n">String</span><span class="o">,</span><span class="n">String</span><span class="o">&gt;</span> <span class="n">conf</span><span class="o">)</span> <span class="kd">throws</span> <span class="n">CryptoException</span><span class="o">;</span>
+  <span class="n">FileEncrypter</span> <span class="nf">getFileEncrypter</span><span class="o">(</span><span class="n">CryptoEnvironment</span> <span class="n">environment</span><span class="o">);</span>
+  <span class="n">FileDecrypter</span> <span class="nf">getFileDecrypter</span><span class="o">(</span><span class="n">CryptoEnvironment</span> <span class="n">environment</span><span class="o">);</span>
 </code></pre></div></div>
-
-<p>The default value for <code class="highlighter-rouge">table.scan.dispatcher</code> is <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/1.9.2/org/apache/accumulo/core/spi/scan/SimpleScanDispatcher.html">SimpleScanDispatcher</a>.
-SimpleScanDispatcher supports an <code class="highlighter-rouge">executor</code> option for choosing a scan
-executor.  If this option is not set, then SimpleScanDispatcher will dispatch
-to the scan executor named <code class="highlighter-rouge">default</code>.</p>
-
-<p>To to tie everything together, consider the following use case.</p>
-
-<ul>
-  <li>Create tables named LOW1 and LOW2 using a scan executor with a single thread.</li>
-  <li>Create a table named HIGH with a dedicated scan executor with 8 threads.</li>
-  <li>Create tables named NORM1 and NORM2 using the default scan executor.</li>
-  <li>Set the default executor to 4 threads.</li>
-</ul>
-
-<p>The following shell commands implement this use case.</p>
-
-<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>createtable LOW1
-createtable LOW2
-createtable HIGH
-createtable NORM1
-createtable NORM2
-config -s tserver.scan.executors.default.threads=4
-config -s tserver.scan.executors.low.threads=1
-config -s tserver.scan.executors.high.threads=8
+<p>The <code class="highlighter-rouge">init</code> method is where you will initialize any resources required for crypto and will get called once per Tablet Server.
+The <code class="highlighter-rouge">getFileEncrypter</code> method requires implementation of a <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/1.9.2/org/apache/accumulo/core/spi/crypto/FileEncrypter.html">FileEncrypter</a> 
+for encryption and the <code class="highlighter-rouge">getFileDecrypter</code> method requires implementation of a <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/1.9.2/org/apache/accumulo/core/spi/crypto/FileDecrypter.html">FileDecrypter</a> 
+for decryption. The <code class="highlighter-rouge">CryptoEnvironment</code> passed into these methods will provide the scope of the crypto. 
+The FileEncrypter has two methods:</p>
+<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code>  <span class="n">OutputStream</span> <span class="nf">encryptStream</span><span class="o">(</span><span class="n">OutputStream</span> <span class="n">outputStream</span><span class="o">)</span> <span class="kd">throws</span> <span class="n">CryptoService</span><span class="o">.</span><span class="na">CryptoException</span><span class="o">;</span>
+  <span class="kt">byte</span><span class="o">[]</span> <span class="nf">getDecryptionParameters</span><span class="o">();</span>
+</code></pre></div></div>
+<p>The <code class="highlighter-rouge">encryptStream</code> method performs the encryption on the provided OutputStream and returns an OutputStream, most likely 
+wrapped in at least one other OutputStream.  The <code class="highlighter-rouge">getDecryptionParameters</code> returns a byte array of anything that will be 
+required to perform decryption. The FileDecrypter only has one method:</p>
+<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code>  <span class="n">InputStream</span> <span class="nf">decryptStream</span><span class="o">(</span><span class="n">InputStream</span> <span class="n">inputStream</span><span class="o">)</span> <span class="kd">throws</span> <span class="n">CryptoService</span><span class="o">.</span><span class="na">CryptoException</span><span class="o">;</span>
 </code></pre></div></div>
+<p>For more help getting started see <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/1.9.2/org/apache/accumulo/core/security/crypto/impl/AESCryptoService.html">AESCryptoService</a>.</p>
 
-<p>Tablet servers should be restarted after configuring scan executors, then tables can be configured.</p>
+<h2 id="things-to-keep-in-mind">Things to keep in mind</h2>
 
-<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>config -t LOW1 -s table.scan.dispatcher=org.apache.accumulo.core.spi.scan.SimpleScanDispatcher
-config -t LOW1 -s table.scan.dispatcher.opts.executor=low
-config -t LOW2 -s table.scan.dispatcher=org.apache.accumulo.core.spi.scan.SimpleScanDispatcher
-config -t LOW2 -s table.scan.dispatcher.opts.executor=low
-config -t HIGH -s table.scan.dispatcher=org.apache.accumulo.core.spi.scan.SimpleScanDispatcher
-config -t HIGH -s table.scan.dispatcher.opts.executor=high
-</code></pre></div></div>
+<p>The on disk encryption configured here is only for RFiles and Write Ahead Logs (WALs).  The majority of data in Accumulo
+is written to disk with these files but there are a few scenarios that can take place where data will be unencrypted, 
+even with the crypto service enabled.</p>
 
-<p>While not necessary because its the default, it is safer to also set
-<code class="highlighter-rouge">table.scan.dispatcher=org.apache.accumulo.core.spi.scan.SimpleScanDispatcher</code>
-for each table.  This ensures things work as expected in the case where
-<code class="highlighter-rouge">table.scan.dispatcher</code> was set at the system or namespace level.</p>
+<h3 id="sorted-wals">Sorted WALs</h3>
 
-<h3 id="configuring-and-using-scan-prioritizers">Configuring and using Scan Prioritizers.</h3>
+<p>If a tablet server is killed with WALs enabled, Accumulo will create temporary sorted WALs during recovery that are unencrypted.<br />
+These files will only contain recent data that has not been compacted but will be written to the disk unencrypted. Once recovery 
+is finished, these unencrypted files will be removed.</p>
 
-<p>When all scan executor threads are busy, incoming work is queued.  By
-default this queue has a FIFO order.  A <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/1.9.2/org/apache/accumulo/core/spi/scan/ScanPrioritizer.html">ScanPrioritizer</a> can be configured to
-reorder the queue.  Accumulo ships with the <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/1.9.2/org/apache/accumulo/core/spi/scan/IdleRatioScanPrioritizer.html">IdleRatioScanPrioritizer</a> which
-orders the queue by the ratio of run time to idle time.  For example, a scan
-with a run time of 50ms and an idle time of 200ms would have a ratio of .25.
-If .25 were the lowest ratio on the queue, then it would be the next in line.
-The following configures the IdleRatioScanPrioritizer for the <code class="highlighter-rouge">default</code> scan
-executor.</p>
+<h3 id="data-in-memory--logs">Data in Memory &amp; Logs</h3>
 
-<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>tserver.scan.executors.default.prioritizer=org.apache.accumulo.core.spi.scan.IdleRatioScanPrioritizer
-</code></pre></div></div>
+<p>For queries, data is decrypted when read from RFiles and cached in memory.  This means that data is unencrypted in memory 
+while Accumulo is running.  Depending on the situation, this also means that some data can be printed to logs. A stacktrace being logged 
+during an exception is one example. Accumulo developers have made sure not to expose data protected by authorizations during logging but 
+its the additional data that gets encrypted on disk that could be exposed in a log file.</p>
 
-<p>Using the IdleRatioScanPrioritizer in a test with 50 long running scans and 5
-threads repeatedly doing small random lookups made a significant difference.
-In this test the average lookup time for the 5 threads went from 250ms to 5 ms.</p>
+<h3 id="bulk-import">Bulk Import</h3>
 
-<h3 id="providing-hints-from-the-client-side">Providing hints from the client side.</h3>
+<p>There are 2 ways to create RFiles for bulk ingest: with the <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/1.9.2/org/apache/accumulo/core/client/rfile/RFile.html">RFile API</a> and during Map Reduce using <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-client-mapreduce/1.9.2/org/apache/accumulo/core/client/mapred/AccumuloOutputFormat.html">AccumuloOutputFormat</a>.<br />
+The <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/1.9.2/org/apache/accumulo/core/client/rfile/RFile.html">RFile API</a> allows passing in the configuration properties for encryption mentioned above.  The <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-client-mapreduce/1.9.2/org/apache/accumulo/core/client/mapred/AccumuloOutputFormat.html">AccumuloOutputFormat</a> does 
+not allow for encryption of RFiles so any data bulk imported through this process will be unencrypted.</p>
 
-<p>Scanners can provide hints to ScanDispatchers and ScanPriotizers by calling
-<a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/1.9.2/org/apache/accumulo/core/client/ScannerBase.html#setExecutionHints-java.util.Map-">setExecutionHints</a> on the Scanner.  What, if anything, is done with these
-hints depends on what is configured for the table and system.  Accumulo’s
-default configuration ignores hints. The following shell commands make it
-possible to choose an executor and set priorities from a scanner for the
-table <code class="highlighter-rouge">tex</code>.</p>
+<h3 id="zookeeper">Zookeeper</h3>
 
-<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>config -s tserver.scan.executors.special.threads=8
-config -s tserver.scan.executors.special.prioritizer=org.apache.accumulo.core.spi.scan.HintScanPrioritizer
-createtable tex
-config -t tex -s table.scan.dispatcher=org.apache.accumulo.core.spi.scan.SimpleScanDispatcher
-config -t tex -s table.scan.dispatcher.opts.heed_hints=true
-</code></pre></div></div>
+<p>Accumulo stores a lot of metadata about the cluster in Zookeeper.  Keep in mind that this metadata does not get encrypted with On Disk encryption enabled.</p>
 
-<p>The <a href="https://static.javadoc.io/org.apache.accumulo/accumulo-core/1.9.2/org/apache/accumulo/core/spi/scan/HintScanPrioritizer.html">HintScanPrioritizer</a> honors
-hints of the form <code class="highlighter-rouge">priority=&lt;integer&gt;</code> to prioritize scans, with lower integers
-resulting in a higher priority. The <code class="highlighter-rouge">SimpleScanDispatcher</code>, which is the
-default dispatcher, supports the <code class="highlighter-rouge">heed_hints</code> option. By default the
-<code class="highlighter-rouge">SimpleScanDispatcher</code> ignores hints, but when <code class="highlighter-rouge">heed_hints</code> is set to <code class="highlighter-rouge">true</code> it
-will honor hints of the form <code class="highlighter-rouge">executor=&lt;executor name&gt;</code> when choosing an
-executor. After restarting tservers, the following command will start a scan
-that uses the executor <code class="highlighter-rouge">special</code> with a priority of 3.</p>
+<h2 id="gcm-performance">GCM performance</h2>
 
-<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>scan -t tex --execution-hints priority=3,executor=special
+<p>The AESCryptoService uses GCM mode for RFiles. <a href="http://openjdk.java.net/jeps/246">Java 9 introduced GHASH hardware support used by GCM.</a></p>
+
+<p>A test was performed on a VM with 4 2.3GHz processors and 16GB of RAM. The test encrypted and decrypted arrays of size 131072 bytes 1000000 times. The results are as follows:</p>
+
+<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Java 9 GCM times:
+    Time spent encrypting:        209.210s
+    Time spent decrypting:        276.800s
+Java 8 GCM times:
+    Time spent encrypting:        2,818.440s
+    Time spent decrypting:        2,883.960s
 </code></pre></div></div>
 
+<p>As you can see, there is a significant performance hit when running without the GHASH CPU instruction. It is advised Java 9 or later be used when enabling encryption.</p>
+
 
 
     <div class="row" style="margin-top: 20px;">
       <div class="col-md-10"><strong>Find documentation for all releases in the <a href="/docs-archive">archive</strong></div>
-      <div class="col-md-2"><a class="pull-right" href="https://github.com/apache/accumulo-website/edit/master/_docs-2-0/administration/scan-executors.md" role="button"><i class="glyphicon glyphicon-pencil"></i> <small>Edit this page</small></a></div>
+      <div class="col-md-2"><a class="pull-right" href="https://github.com/apache/accumulo-website/edit/master/_docs-2-0/administration/crypto.md" role="button"><i class="glyphicon glyphicon-pencil"></i> <small>Edit this page</small></a></div>
     </div>  
   </div>
 </div>
diff --git a/docs/2.0/administration/fate.html b/docs/2.0/administration/fate.html
index 38c64f8..b6b0d18 100644
--- a/docs/2.0/administration/fate.html
+++ b/docs/2.0/administration/fate.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/administration/in-depth-install.html b/docs/2.0/administration/in-depth-install.html
index 1af0d54..d3de313 100644
--- a/docs/2.0/administration/in-depth-install.html
+++ b/docs/2.0/administration/in-depth-install.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/administration/kerberos.html b/docs/2.0/administration/kerberos.html
index cbfb828..f192dd3 100644
--- a/docs/2.0/administration/kerberos.html
+++ b/docs/2.0/administration/kerberos.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/administration/monitoring-metrics.html b/docs/2.0/administration/monitoring-metrics.html
index 3dd2b3c..6422f71 100644
--- a/docs/2.0/administration/monitoring-metrics.html
+++ b/docs/2.0/administration/monitoring-metrics.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/administration/multivolume.html b/docs/2.0/administration/multivolume.html
index 4b18b74..953523e 100644
--- a/docs/2.0/administration/multivolume.html
+++ b/docs/2.0/administration/multivolume.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/administration/properties.html b/docs/2.0/administration/properties.html
index 9601d3c..4f5a68f 100644
--- a/docs/2.0/administration/properties.html
+++ b/docs/2.0/administration/properties.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/administration/replication.html b/docs/2.0/administration/replication.html
index c4e7180..81144ea 100644
--- a/docs/2.0/administration/replication.html
+++ b/docs/2.0/administration/replication.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/administration/scan-executors.html b/docs/2.0/administration/scan-executors.html
index 99756b2..9637d67 100644
--- a/docs/2.0/administration/scan-executors.html
+++ b/docs/2.0/administration/scan-executors.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/administration/ssl.html b/docs/2.0/administration/ssl.html
index 678fba9..12db0d0 100644
--- a/docs/2.0/administration/ssl.html
+++ b/docs/2.0/administration/ssl.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/administration/tracing.html b/docs/2.0/administration/tracing.html
index 0979d41..e51d32c 100644
--- a/docs/2.0/administration/tracing.html
+++ b/docs/2.0/administration/tracing.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/administration/upgrading.html b/docs/2.0/administration/upgrading.html
index 3a9824a..023de02 100644
--- a/docs/2.0/administration/upgrading.html
+++ b/docs/2.0/administration/upgrading.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/development/client-properties.html b/docs/2.0/development/client-properties.html
index 4ece3b4..8197d44 100644
--- a/docs/2.0/development/client-properties.html
+++ b/docs/2.0/development/client-properties.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/development/development_tools.html b/docs/2.0/development/development_tools.html
index b156502..04cde14 100644
--- a/docs/2.0/development/development_tools.html
+++ b/docs/2.0/development/development_tools.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/development/high_speed_ingest.html b/docs/2.0/development/high_speed_ingest.html
index 0baedb3..ee9adf4 100644
--- a/docs/2.0/development/high_speed_ingest.html
+++ b/docs/2.0/development/high_speed_ingest.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/development/iterators.html b/docs/2.0/development/iterators.html
index a26bf2c..2e39be9 100644
--- a/docs/2.0/development/iterators.html
+++ b/docs/2.0/development/iterators.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/development/mapreduce.html b/docs/2.0/development/mapreduce.html
index ba8f2db..53d49ce 100644
--- a/docs/2.0/development/mapreduce.html
+++ b/docs/2.0/development/mapreduce.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/development/proxy.html b/docs/2.0/development/proxy.html
index 4e5f405..d4b0223 100644
--- a/docs/2.0/development/proxy.html
+++ b/docs/2.0/development/proxy.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/development/sampling.html b/docs/2.0/development/sampling.html
index ea48e51..4b83ba0 100644
--- a/docs/2.0/development/sampling.html
+++ b/docs/2.0/development/sampling.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/development/security.html b/docs/2.0/development/security.html
index 0ca3a16..f9ef9b8 100644
--- a/docs/2.0/development/security.html
+++ b/docs/2.0/development/security.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/development/summaries.html b/docs/2.0/development/summaries.html
index 4446264..c7a73b7 100644
--- a/docs/2.0/development/summaries.html
+++ b/docs/2.0/development/summaries.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/getting-started/clients.html b/docs/2.0/getting-started/clients.html
index 7c1958b..d34eec9 100644
--- a/docs/2.0/getting-started/clients.html
+++ b/docs/2.0/getting-started/clients.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/getting-started/design.html b/docs/2.0/getting-started/design.html
index 0ecbfff..d53aa0f 100644
--- a/docs/2.0/getting-started/design.html
+++ b/docs/2.0/getting-started/design.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/getting-started/quick-install.html b/docs/2.0/getting-started/quick-install.html
index 40881f6..a42e284 100644
--- a/docs/2.0/getting-started/quick-install.html
+++ b/docs/2.0/getting-started/quick-install.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/getting-started/shell.html b/docs/2.0/getting-started/shell.html
index 6c9147e..b68fa06 100644
--- a/docs/2.0/getting-started/shell.html
+++ b/docs/2.0/getting-started/shell.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/getting-started/table_configuration.html b/docs/2.0/getting-started/table_configuration.html
index 33798ea..4192d56 100644
--- a/docs/2.0/getting-started/table_configuration.html
+++ b/docs/2.0/getting-started/table_configuration.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/getting-started/table_design.html b/docs/2.0/getting-started/table_design.html
index 88a4f50..38b1b6b 100644
--- a/docs/2.0/getting-started/table_design.html
+++ b/docs/2.0/getting-started/table_design.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/troubleshooting/advanced.html b/docs/2.0/troubleshooting/advanced.html
index f696619..5df6046 100644
--- a/docs/2.0/troubleshooting/advanced.html
+++ b/docs/2.0/troubleshooting/advanced.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/troubleshooting/basic.html b/docs/2.0/troubleshooting/basic.html
index 3fc1e62..38897a1 100644
--- a/docs/2.0/troubleshooting/basic.html
+++ b/docs/2.0/troubleshooting/basic.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/troubleshooting/performance.html b/docs/2.0/troubleshooting/performance.html
index 815d95b..e9f3c3e 100644
--- a/docs/2.0/troubleshooting/performance.html
+++ b/docs/2.0/troubleshooting/performance.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/troubleshooting/system-metadata-tables.html b/docs/2.0/troubleshooting/system-metadata-tables.html
index da19509..689cad6 100644
--- a/docs/2.0/troubleshooting/system-metadata-tables.html
+++ b/docs/2.0/troubleshooting/system-metadata-tables.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/docs/2.0/troubleshooting/tools.html b/docs/2.0/troubleshooting/tools.html
index 03d8155..e3ed9d6 100644
--- a/docs/2.0/troubleshooting/tools.html
+++ b/docs/2.0/troubleshooting/tools.html
@@ -276,6 +276,8 @@
                 
                 <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/scan-executors">Scan Executors</a></div>
                 
+                <div class="row doc-sidebar-link"><a href="/docs/2.0/administration/crypto">On Disk Encryption</a></div>
+                
               </div>
             </div>
           
diff --git a/feed.xml b/feed.xml
index 4d42e68..565975e 100644
--- a/feed.xml
+++ b/feed.xml
@@ -6,8 +6,8 @@
 </description>
     <link>https://accumulo.apache.org/</link>
     <atom:link href="https://accumulo.apache.org/feed.xml" rel="self" type="application/rss+xml"/>
-    <pubDate>Mon, 01 Oct 2018 15:22:30 -0400</pubDate>
-    <lastBuildDate>Mon, 01 Oct 2018 15:22:30 -0400</lastBuildDate>
+    <pubDate>Mon, 01 Oct 2018 17:04:41 -0400</pubDate>
+    <lastBuildDate>Mon, 01 Oct 2018 17:04:41 -0400</lastBuildDate>
     <generator>Jekyll v3.7.3</generator>
     
     
diff --git a/search_data.json b/search_data.json
index 931dabd..f0c2645 100644
--- a/search_data.json
+++ b/search_data.json
@@ -14,6 +14,13 @@
       "categories": "administration"
     },
   
+    "docs-2-0-administration-crypto": {
+      "title": "On Disk Encryption",
+      "content"	 : "For an additional layer of security, Accumulo can encrypt files stored on disk.  On Disk encryption was reworked for 2.0, making it easier to configure and more secure.  The files that can be encrypted include: RFiles and Write Ahead Logs (WALs).For information on encrypting data over the wire see the section on SSL.  For information on cryptographic client-server authentication see the section on Kerberos.ConfigurationTo encrypt all tables on disk, encryption must be [...]
+      "url": " /docs/2.0/administration/crypto",
+      "categories": "administration"
+    },
+  
     "docs-2-0-administration-fate": {
       "title": "FATE",
       "content"	 : "Accumulo must implement a number of distributed, multi-step operations to supportthe client API. Creating a new table is a simple example of an atomic client callwhich requires multiple steps in the implementation: get a unique table ID, configuredefault table permissions, populate information in ZooKeeper to record the table’sexistence, create directories in HDFS for the table’s data, etc. Implementing thesesteps in a way that is tolerant to node failure and other co [...]


Mime
View raw message