Return-Path: X-Original-To: apmail-accumulo-dev-archive@www.apache.org Delivered-To: apmail-accumulo-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id D973618596 for ; Mon, 2 Nov 2015 18:37:34 +0000 (UTC) Received: (qmail 78316 invoked by uid 500); 2 Nov 2015 18:37:34 -0000 Delivered-To: apmail-accumulo-dev-archive@accumulo.apache.org Received: (qmail 78263 invoked by uid 500); 2 Nov 2015 18:37:34 -0000 Mailing-List: contact dev-help@accumulo.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@accumulo.apache.org Delivered-To: mailing list dev@accumulo.apache.org Received: (qmail 78251 invoked by uid 99); 2 Nov 2015 18:37:34 -0000 Received: from Unknown (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 02 Nov 2015 18:37:34 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id DE4B9C0F88 for ; Mon, 2 Nov 2015 18:37:33 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 2.98 X-Spam-Level: ** X-Spam-Status: No, score=2.98 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=disabled Authentication-Results: spamd4-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=deenlo_com.20150623.gappssmtp.com Received: from mx1-us-east.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id yzkbN1QGVpSx for ; Mon, 2 Nov 2015 18:37:30 +0000 (UTC) Received: from mail-oi0-f68.google.com (mail-oi0-f68.google.com [209.85.218.68]) by mx1-us-east.apache.org (ASF Mail Server at mx1-us-east.apache.org) with ESMTPS id 555B242AB6 for ; Mon, 2 Nov 2015 18:37:30 +0000 (UTC) Received: by oiaw3 with SMTP id w3so8779766oia.1 for ; Mon, 02 Nov 2015 10:37:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=deenlo_com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=9KNvon1AqrJBbNbiOYXxaVGIaQvkSV8C7HRCitkZUgo=; b=w+f0QsNQLe4mFL5Fcnu429+rimQF32Mvgkm4W4nItNjbH1E+peDklbHELslXg2h8Gz heyAXsT51+o+9HUi9Pe9mdufWrXiSGAUyBABzGBbdFcXQ/5f8y0hwv6tRmVpUCUbqPdp l/eO3PSTjGI6Gz0GrqmfzeEVB6p1rqbTiIaC+wtWmR5SkHkhsItvkiBTwgKWQrAypa8h 8+QsGyMQiqcZ4/qSBIB8sIbqSLCCguroVu7OVZcaHqdt08DrLdDGk4HVZxffdzBP/4iH +Uk6979DtOptyM1CB72n5eHIcqopxxc0SrXcfuFHrjBARipNycYiySyNlE0/wks3WRnj jl1g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type; bh=9KNvon1AqrJBbNbiOYXxaVGIaQvkSV8C7HRCitkZUgo=; b=lu1qWx0+rsfNEf41MKhVDUDsnB7ZokkgERJVEdnXHwfr/elU8xwHF/8JOfzyU6ItF+ hqIu9ZKNJluJYhVAJjKEVIKvk49ksKAZA2U7+gWZXSHOa7ZLBqUTONE7fO8KDkC5BH4b qlKUg85/XTdpf8bQIHKf9+bSWlRqkrvZNFdswVAxSB+2cubT6f17NVUWo+u8OR7/4vbV hePETj1dCINH7pNq0YgMbls0T8QmMJSY/aHijG+Vco8rarKmvF5fjzT7Qh+KAcu+MUgF 2Z7TTyCd5TYQZpNUKJEr6RYui6vQNMgjvW28ORPe84uEXjHNX6h5r7+AB4TnNKyziIaZ d06w== X-Gm-Message-State: ALoCoQmOOO+4eAa+9pcIFJnia1cJKzxMnHmY6cNetpOW1PcL8D6hayYWXw7moSITpNU6Mrz+d/QS MIME-Version: 1.0 X-Received: by 10.202.183.137 with SMTP id h131mr13373176oif.58.1446489444348; Mon, 02 Nov 2015 10:37:24 -0800 (PST) Received: by 10.202.71.72 with HTTP; Mon, 2 Nov 2015 10:37:24 -0800 (PST) In-Reply-To: References: Date: Mon, 2 Nov 2015 13:37:24 -0500 Message-ID: Subject: Re: [DISCUSS] What to do about encryption at rest? From: Keith Turner To: Accumulo Dev List Content-Type: multipart/alternative; boundary=001a113ce054808d9a052393119c --001a113ce054808d9a052393119c Content-Type: text/plain; charset=UTF-8 On Mon, Nov 2, 2015 at 12:27 PM, William Slacum wrote: > Is "the code being 'at rest'" you making a funny about active development? > Making sure I haven't lost my ability to get jokes :) > > I see two reasons why the code would be inactive: the feature is good > enough as is or it's not interesting enough to attract attention. > Considering it's not public API, there are no discussions to bring into the > public API, and there's no effort to document how to use it, my intuition > tells me that there isn't enough interest in it from a project perspective. > > From a user perspective, I've been getting asked about it when I work with > Accumulo users. My recommendation, exclusively, is to use HDFS encryption > because I can go to Hadoop's website and find documentation on it. When I > go to find documentation on Accumulo's offerings, any usability information > comes from vendor SlideShares. Most mentions of the feature on official > Apache Accumulo channels echo Christopher's sentiments on the feature being > experimental and not being officially recommended for use. > > I wouldn't want to rip out the feature first and then figure things out > later. Sean already alluded to it, but a roadmap should contain something > (tool or documentation) to help users migrate if we go down that route. > > What I'm trying to figure out is, when the question of "How do I do > encryption at rest in Accumulo?" comes up, what is our community's answer? > > If we went down the route of using HDFS encryption zones, can we offer the > same features? At the very least, we'd be offering the same database-level > Where does the decryption happen with DFS, is it in the DFS client? If so, using HDFS level encryption seems to offer the same functionality??? Has anyone written a tool that takes an Accumulo-encrypted-HDFS-unencrypted-RFile and rewrites it is as an Accumulo-unencrypted-HDFS-encrypted-RFile? Wondering if there are any unexpected gotchas w/ this. > encryption scheme. I don't know the details of "more advanced key stores", > but it seems like we could potentially take any custom implementation and > map it to a KeyProvider [1]. I could also envision table level encryption > being implementable via zones, but probably not down to the column family > level. > > [1] > > https://hadoop.apache.org/docs/r2.6.0/api/org/apache/hadoop/crypto/key/KeyProvider.html > > > On Sun, Nov 1, 2015 at 10:19 AM, Adam Fuchs wrote: > > > Responses inline. > > > > Adam > > > > On Nov 1, 2015 9:58 AM, "Christopher" wrote: > > > > > > 1. I'm not sure I'd call an incomplete solution 'great'. What it does > is > > > provide partial encryption-at-rest protection (unless you're running > > > without walogs, and have good integration with some external secure key > > > management faculty, and then it's probably fine). > > > > The only thing that doesn't get encrypted is a temporary WAL recovery > file. > > That is a project we should take on, but it does not imply that the > > existing features are not valuable. With HDFS encryption options this > would > > now be a much easier project to take on. Also, the users I know that use > > encryption at rest do so with a more secure key store than the default. > > > > > > > > 2. I'm concerned that anybody using Accumulo's E-A-R don't necessarily > > > realize its current shortcomings, or its lack of upstream maintenance > > > support (which it has not been receiving). It may be the case that > these > > > users have support from an intermediary, and do understand the > > > shortcomings... I don't know, but it's a concern. > > > > Anybody that creates a secure system has to analyze the security of the > > system as a whole. Accumulo's encryption at rest is one part of the > > solution. Taking away the tool without providing an alternative does > > nothing to improve the security of systems built on Accumulo. > > > > > > > > 3. Correction: it has been an explicitly experimental feature and an > > > incomplete one, which hasn't really been touched in two years, and has > > been > > > explicitly excluded by the community for being public API because of > its > > > incompleteness. Age doesn't determine public API status. The community > > does. > > > > People are using it, so we have to consider the implications of whatever > > changes we make and weigh against the benefits. I believe the last bug > fix > > was done this year, so I would argue it is being maintained. Changes to > our > > encryption at rest implementation will have consequences for those users. > > There had better be a clear benefit if we break their systems. > > > > > > > > 4. Has Accumulo's been evaluated for security and performance? By whom? > > Is > > > it published? > > > > Yes, there have been several talks at meetups and conferences that > discuss > > the security and performance of the current solution. > > > > > > > > On Sun, Nov 1, 2015, 08:55 Adam Fuchs wrote: > > > > > > > There's another way to look at the state of Accumulo's encryption at > > rest: > > > > 1. Encryption at rest works great for what it does, and the code > being > > "at > > > > rest" isn't necessarily a problem > > > > 2. Several organizations are using Accumulo's encryption at rest > > > > effectively in operations > > > > 3. Encryption at rest has been a supported configuration option for > > over > > > > two years with established plugin interfaces, and therefore it should > > be > > > > considered part of the public API > > > > 4. Upstream alternatives (to my knowledge) have not been analyzed for > > > > performance or security > > > > > > > > The given option #2 would at least require an analysis of > alternatives, > > and > > > > we would have to decide what to do about backwards compatibility for > > users > > > > using custom key stores and encryption strategies that may or may not > > be > > > > supported by upstream alternatives. > > > > > > > > As far as option #1 goes, I can get behind encouraging people to take > > up > > > > projects to improve Accumulo's encryption. I think we're already > going > > down > > > > this path, but without having identified resources to do the > > improvements. > > > > Any volunteers? > > > > > > > > Adam > > > > > > > > > > > > On Fri, Oct 30, 2015 at 4:22 PM, William Slacum > > wrote: > > > > > > > > > So I've been looking into options for providing encryption at rest, > > and > > > > it > > > > > seems like what Accumulo has is abandonware from a project > > perspective. > > > > > There is no official documentation on how to perform encryption at > > rest, > > > > > and the best information from its status comes from year (or > greater) > > old > > > > > ticket comments about how the feature is still experimental. > Recently > > > > there > > > > > was a talk that described using HDFS encryption zones as an > > alternative. > > > > > > > > > > From my perspective, this is what I see as the current situation: > > > > > > > > > > 1- Encryption at rest in Accumulo isn't actively being worked on > > > > > 2- Encryption at rest in Accumulo isn't part of the public API or > > > > marketed > > > > > capabilities > > > > > 3- Documentation for what does exist is scattered throughout Jira > > > > comments > > > > > or presentations > > > > > 4- A viable alternative exists that appears to have feature parity > in > > > > HDFS > > > > > encryption > > > > > 5- HBase has finer grained encryption capabilities that extend > beyond > > > > what > > > > > HDFS provides > > > > > > > > > > Moving forward, what's the consensus for supporting this feature? > > > > > Personally, I see two options: > > > > > > > > > > 1- Start going down a path to bring the feature into the forefront > > and > > > > > start providing feature parity with HBase > > > > > > > > > > or > > > > > > > > > > 2- Remove the feature and place emphasis on upstream encryption > > offerings > > > > > > > > > > Any input is welcomed & appreciated! > > > > > > > > > > > > --001a113ce054808d9a052393119c--