Return-Path: X-Original-To: apmail-accumulo-dev-archive@www.apache.org Delivered-To: apmail-accumulo-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 39F83185B7 for ; Sat, 31 Oct 2015 14:22:27 +0000 (UTC) Received: (qmail 99514 invoked by uid 500); 31 Oct 2015 14:22:22 -0000 Delivered-To: apmail-accumulo-dev-archive@accumulo.apache.org Received: (qmail 99470 invoked by uid 500); 31 Oct 2015 14:22:22 -0000 Mailing-List: contact dev-help@accumulo.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@accumulo.apache.org Delivered-To: mailing list dev@accumulo.apache.org Received: (qmail 99458 invoked by uid 99); 31 Oct 2015 14:22:21 -0000 Received: from Unknown (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 31 Oct 2015 14:22:21 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 5B981C0DF0 for ; Sat, 31 Oct 2015 14:22:21 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 2.98 X-Spam-Level: ** X-Spam-Status: No, score=2.98 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=disabled Authentication-Results: spamd4-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=phemi_com.20150623.gappssmtp.com Received: from mx1-eu-west.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id xbTZOguqPGkF for ; Sat, 31 Oct 2015 14:22:10 +0000 (UTC) Received: from mail-ob0-f174.google.com (mail-ob0-f174.google.com [209.85.214.174]) by mx1-eu-west.apache.org (ASF Mail Server at mx1-eu-west.apache.org) with ESMTPS id 89E0A20751 for ; Sat, 31 Oct 2015 14:22:09 +0000 (UTC) Received: by obbwb3 with SMTP id wb3so65370620obb.0 for ; Sat, 31 Oct 2015 07:22:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=phemi_com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=wD8+MRM0Tp0x/PN26m09bT5fILOjEAWZMzw5IJ4GTG8=; b=QIjVyrlvIdq5Y5bXydKR+6H8onakqvEFX76uC5xKJDkZDNdXAkdQVxiaEjFD6JbBaX 8dnSman24N30Vg6HXRK+LjiDrmC1kInyZZ95A1rz7vmx3pLSUBic0nZ1KCJvEsx40kN8 595+PYTIByNqWd+lGA8RCs8wSWGZpjisLMyrWgPQ/2td1fyCp8s2a/cg2cUpaA+mJ5Q4 hVludvVmfg4MdjESp5STw+kKVqdZ6jadM/rF0LLr1M5fmd2rW7zG5kUv1KcZv7Dx5WAM iyBkrDp0/C6XdzEOMKOIClyeXhWeDyI0b0CiSOa4SQo48QiORQgBdtw7PUL2vghN5OjR oM+A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type; bh=wD8+MRM0Tp0x/PN26m09bT5fILOjEAWZMzw5IJ4GTG8=; b=QhX/nL4L1WbmUXKVWvCtrxf179fIIVfB6r6qM7AhTWcDK0MUn+LxYoIyEHiYQVBn7C F5pl/dlESPgXZtLCMyxIzEN+tVr7CuGwFsAgsCw4rdN8L5kCKkxfDf9d4eYH2cXMWXIn bb/TVw09EOWemcdbmzLwj81TRakNpiTZtLil8gKkXZGttlSYY5tu6fzEGOtbLXWI4D3+ NOo2ofCeSA2Ul7GS9aCWREppV+tPJt1kU+hxc9AfXF4zGE2+4kK8vaZbODutcBfphuPT dzQaxRws5ycnPmch62CzU6kqIn3MgL7I8n7vBPAt5yC/YptV1KYSzdvGjnOvja47aSFP 3oNg== X-Gm-Message-State: ALoCoQmTkV3LEBr8ALiJbtnmT7HYUy4lZApoPOFNLjMTklngHqboq0Qvzi2yZ+0j91xUL5LRchkL MIME-Version: 1.0 X-Received: by 10.60.116.39 with SMTP id jt7mr8940541oeb.54.1446301322218; Sat, 31 Oct 2015 07:22:02 -0700 (PDT) Received: by 10.202.180.86 with HTTP; Sat, 31 Oct 2015 07:22:02 -0700 (PDT) In-Reply-To: References: Date: Sat, 31 Oct 2015 16:22:02 +0200 Message-ID: Subject: Re: [DISCUSS] What to do about encryption at rest? From: Josef Roehrl - PHEMI To: dev@accumulo.apache.org Content-Type: multipart/alternative; boundary=089e011616828ca818052367445f --089e011616828ca818052367445f Content-Type: text/plain; charset=UTF-8 For this reason, we were just thinking of waiting for Encryption at Rest with HDFS. Presumably, Accumulo could optimize encryption if it implemented encryption itself with a few trade-offs. On Fri, Oct 30, 2015 at 10:22 PM, William Slacum wrote: > So I've been looking into options for providing encryption at rest, and it > seems like what Accumulo has is abandonware from a project perspective. > There is no official documentation on how to perform encryption at rest, > and the best information from its status comes from year (or greater) old > ticket comments about how the feature is still experimental. Recently there > was a talk that described using HDFS encryption zones as an alternative. > > From my perspective, this is what I see as the current situation: > > 1- Encryption at rest in Accumulo isn't actively being worked on > 2- Encryption at rest in Accumulo isn't part of the public API or marketed > capabilities > 3- Documentation for what does exist is scattered throughout Jira comments > or presentations > 4- A viable alternative exists that appears to have feature parity in HDFS > encryption > 5- HBase has finer grained encryption capabilities that extend beyond what > HDFS provides > > Moving forward, what's the consensus for supporting this feature? > Personally, I see two options: > > 1- Start going down a path to bring the feature into the forefront and > start providing feature parity with HBase > > or > > 2- Remove the feature and place emphasis on upstream encryption offerings > > Any input is welcomed & appreciated! > -- Josef Roehrl Senior Software Developer *PHEMI Systems* 180-887 Great Northern Way Vancouver, BC V5T 4T5 604-336-1119 Website Twitter Linkedin --089e011616828ca818052367445f--