hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ashish Singhi (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-13002) Make encryption cipher configurable
Date Thu, 12 Feb 2015 15:10:12 GMT

    [ https://issues.apache.org/jira/browse/HBASE-13002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14318352#comment-14318352
] 

Ashish Singhi commented on HBASE-13002:
---------------------------------------

Thanks [~andrew.purtell@gmail.com] for the review.
bq. Yes, but the default is HConstants.DEFAULT_CIPHER which currently is "AES" but could change.
Introduce something like HConstants.CIPHER_AES and use that as the default config value for
"hbase.crypto.key.algorithm"
Addressed in v2. Just renamed the HConstants.DEFAULT_CIPHER to HConstants.CIPHER_AES.

I tried to code the fallback logic for cipher algorithm as you suggested. I have added the
logic in {{Encrption#decryptWithSubjectKey}} for {{decrypt}} api but not where we already
have fallback logic for master key, because if decryption fails it will throw IOE and {{EncryptionUtil#unwrap}}
throws IOE from two different places and we will not be able to find whether data decryption
was failed or not and unnecessarily may try for alternate cipher algorithm.
Let me know if its ok or any other way we could do better.

Also while going through the code I found that we are using {{hbase.crypto.wal.algorithm}}
in {{SecureProtobufLogWriter}} for encrypting the data but we are using {{hbase.crypto.key.algorithm}}
in {{SecureProtobufLogReader}} while decrypting the data. What if user configures two different
cipher algorithms to this configurations ? Is this intentional ?

> Make encryption cipher configurable
> -----------------------------------
>
>                 Key: HBASE-13002
>                 URL: https://issues.apache.org/jira/browse/HBASE-13002
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Ashish Singhi
>            Assignee: Ashish Singhi
>             Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.11
>
>         Attachments: HBASE-13002-v1.patch, HBASE-13002-v2.patch, HBASE-13002.patch
>
>
> Make encryption cipher configurable currently it is hard coded to AES, so that user can
configure his/her own algorithm.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message