accumulo-notifications mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] milleruntime commented on a change in pull request #108: Add documentation for crypto
Date Mon, 01 Oct 2018 15:15:05 GMT
milleruntime commented on a change in pull request #108: Add documentation for crypto
URL: https://github.com/apache/accumulo-website/pull/108#discussion_r221647965
 
 

 ##########
 File path: _docs-2-0/administration/crypto.md
 ##########
 @@ -0,0 +1,108 @@
+---
+title: On Disk Encryption
+category: administration
+order: 14
+---
+
+For an additional layer of security, Accumulo can encrypt files stored on disk.  On Disk
encryption was reworked 
+for 2.0, making it easier to configure and more secure.  The files that can be encrypted
include: [RFiles][design] and Write Ahead Logs (WALs).
+For information on encrypting data over the wire see the section on [SSL].  For information
on cryptographic client-server authentication see the section on [Kerberos].
+
+## Configuration
+
+To encrypt all tables on disk, encryption must be enabled before an Accumulo instance is
initialized.  If on disk 
+encryption is enabled on an existing cluster, only files created after it is enabled will
be encrypted 
+(root and metadata tables will not be encrypted in this case) and existing data won't be
encrypted until compaction.  To configure on disk encryption, add the 
+{% plink instance.crypto.service %} property to your `accumulo.properties` file.  The value
of this property is the
+class name of the service which will perform crypto on RFiles and WALs. 
+```
+instance.crypto.service=org.apache.accumulo.core.security.crypto.impl.AESCryptoService
+```
+Out of the box, Accumulo provides the `AESCryptoService` for basic encryption needs.  This
class provides AES encryption 
+with Galois/Counter Mode (GCM) for RFiles and Cipher Block Chaining (CBC) mode for WALs.
 The additional properties 
+below are required by this crypto service to be set using the {% plink instance.crypto.opts.*
%} prefix.
+```
+instance.crypto.opts.key.provider=uri
+instance.crypto.opts.key.location=file:///secure/path/to/crypto-key-file
+```
+The first property tells the crypto service how it will get the key encryption key.  The
second property tells the service 
+where to find the key.  For now, the only valid values are "uri" and the path to the key
file. The key file can be 16 or 32 bytes. 
+Initializing Accumulo after these instance properties are set, will enable on disk encryption
across your entire cluster.
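Review bot: The key-file paragraph (the sentences following the `instance.crypto.opts.key.location` example) tells the reader the file "can be 16 or 32 bytes" but not what those bytes should be, how to produce them, or how the file must be protected; since the same paragraph calls this the key encryption key, that is the one piece of material an operator must get right. Suggest stating that the file must hold 16 or 32 random bytes (AES-128 or AES-256) from a CSPRNG rather than typed text, that it should be readable only by the account Accumulo runs as, and what happens to existing encrypted RFiles and WALs if the file is lost, if that is known. Two smaller points in the same hunk: the text says the valid value is "the path to the key file" while the example is a `file://` URI, so say "a `file://` URI"; and the sentence naming GCM for RFiles and CBC for WALs should say what that difference means (GCM authenticates the ciphertext, CBC does not), otherwise a reader has no way to judge it.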
 
 Review comment:
   @PircDef are there any techniques that you could recommend for creating keys?  If not, I could include what I have done for testing...
   
   echo -n "sixteenbytekey4u" > key-file

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
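The reviewer above asks how a key file for `AESCryptoService` should be created. The following is an added example, not part of the Accumulo documentation in the PR nor code from the project or the commenter: it generates the 16- or 32-byte key file the patched documentation describes from the kernel CSPRNG with owner-only permissions, and checks an existing file for the properties an operator would want before pointing `instance.crypto.opts.key.location` at it. It assumes a POSIX shell with `/dev/urandom`, `head`, `wc`, `ls` and `tr`; all paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Accumulo docs or PR #108): create and sanity-check
# a key file for AESCryptoService (key.provider=uri, key.location=file://...).
# Assumes POSIX sh with /dev/urandom, head, wc, ls, cut and tr. Paths are hypothetical.

# gen_crypto_key NBYTES PATH
# Writes NBYTES (16 or 32, i.e. AES-128 or AES-256) of CSPRNG output to PATH,
# creating the file readable and writable by its owner only.
gen_crypto_key() {
    nbytes="$1"; out="$2"
    case "$nbytes" in
        16|32) ;;
        *) echo "gen_crypto_key: key length must be 16 or 32 bytes, got '$nbytes'" >&2; return 1 ;;
    esac
    # umask inside a subshell: the file is never created with wider permissions,
    # and the caller's umask is left untouched
    ( umask 077 && head -c "$nbytes" /dev/urandom > "$out" ) || return 1
    chmod 600 "$out"
}

# check_crypto_key PATH
# Returns 0 only if PATH is a regular file of exactly 16 or 32 bytes, has no
# group/other permission bits set, and does not look like typed text.
check_crypto_key() {
    f="$1"
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }

    size=$(wc -c < "$f" | tr -d ' ')
    case "$size" in
        16|32) ;;
        *) echo "$f: $size bytes, expected 16 or 32" >&2; return 1 ;;
    esac

    # columns 5-10 of 'ls -l' are the group and other permission bits
    perms=$(ls -l "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$f: group/other permissions set ($perms)" >&2; return 1; }

    # A file made only of printable ASCII (a typed passphrase such as
    # "sixteenbytekey4u") carries far less entropy than the same number of
    # random bytes; CSPRNG output contains non-printable bytes with
    # overwhelming probability, so "all printable" is a strong hint of typed text.
    nonprint=$(LC_ALL=C tr -d '[:print:]' < "$f" | wc -c | tr -d ' ')
    [ "$nonprint" -gt 0 ] || { echo "$f: every byte is printable; looks like typed text, not a random key" >&2; return 1; }
    return 0
}

# Usage (hypothetical path; the same path is then given as
# instance.crypto.opts.key.location=file:///secure/path/to/crypto-key-file):
#   gen_crypto_key 32 /secure/path/to/crypto-key-file
#   check_crypto_key /secure/path/to/crypto-key-file && echo "key file OK"
```

The last check is a heuristic, not a proof of randomness: it rejects the 16-character test string from the comment above and any other file an operator typed by hand, while a file produced by `gen_crypto_key` passes it. The permission check parses `ls -l` rather than `stat` because the `stat` flags differ between GNU and BSD systems.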
