Class EncryptionUtil

java.lang.Object
org.apache.hadoop.hbase.security.EncryptionUtil

@Private @Evolving public final class EncryptionUtil extends Object
Static utility methods for encryption use in hbase-client.
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    private static final org.slf4j.Logger
    LOG
  • Constructor Summary

    Constructors
    Modifier
    Constructor
    Description
    private
    EncryptionUtil()
    Private constructor to keep this class from being instantiated.
  • Method Summary

    Modifier and Type
    Method
    Description
    static CryptoAES
    createCryptoAES(org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos.CryptoCipherMeta cryptoCipherMeta, org.apache.hadoop.conf.Configuration conf)
    Helper to create an instance of CryptoAES.
    private static Key
    getUnwrapKey(org.apache.hadoop.conf.Configuration conf, String subject, org.apache.hadoop.hbase.shaded.protobuf.generated.EncryptionProtos.WrappedKey wrappedKey, Cipher cipher, Key kek)
     
    static Key
    unwrapKey(org.apache.hadoop.conf.Configuration conf, byte[] keyBytes)
    Helper for unwrapKey(Configuration, String, byte[]) which automatically uses the configured master and alternative keys, rather than having to specify a key type to unwrap with.
    static Key
    unwrapKey(org.apache.hadoop.conf.Configuration conf, String subject, byte[] value)
    Unwrap a key by decrypting it with the secret key of the given subject.
    static Key
    unwrapKey(org.apache.hadoop.conf.Configuration conf, String subject, byte[] value, Key kek)
    Unwrap a key by decrypting it with the secret key of the given subject.
    static Key
    unwrapWALKey(org.apache.hadoop.conf.Configuration conf, String subject, byte[] value)
    Unwrap a WAL key by decrypting it with the secret key of the given subject.
    static byte[]
    wrapKey(org.apache.hadoop.conf.Configuration conf, byte[] key, String algorithm)
    Protect a key by encrypting it with the secret key of the given subject.
    static byte[]
    wrapKey(org.apache.hadoop.conf.Configuration conf, String subject, Key key)
    Protect a key by encrypting it with the secret key of the given subject.
    static byte[]
    wrapKey(org.apache.hadoop.conf.Configuration conf, String subject, Key key, Key kek)
    Protect a key by encrypting it with the secret key of the given subject or kek.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • LOG

      private static final org.slf4j.Logger LOG
  • Constructor Details

    • EncryptionUtil

      private EncryptionUtil()
      Private constructor to keep this class from being instantiated.
  • Method Details

    • wrapKey

      public static byte[] wrapKey(org.apache.hadoop.conf.Configuration conf, byte[] key, String algorithm) throws IOException
      Protect a key by encrypting it with the secret key of the given subject. The configuration must be set up correctly for key alias resolution.
      Parameters:
      conf - configuration
      key - the raw key bytes
      algorithm - the algorithm to use with this key material
      Returns:
      the encrypted key bytes
      Throws:
      IOException
    • wrapKey

      public static byte[] wrapKey(org.apache.hadoop.conf.Configuration conf, String subject, Key key) throws IOException
      Protect a key by encrypting it with the secret key of the given subject. The configuration must be set up correctly for key alias resolution.
      Parameters:
      conf - configuration
      subject - subject key alias
      key - the key
      Returns:
      the encrypted key bytes
      Throws:
      IOException
    • wrapKey

      public static byte[] wrapKey(org.apache.hadoop.conf.Configuration conf, String subject, Key key, Key kek) throws IOException
      Protect a key by encrypting it with the secret key of the given subject or kek. The configuration must be set up correctly for key alias resolution. Only one of the subject or kek needs to be specified and the other one can be null.
      Parameters:
      conf - configuration
      subject - subject key alias
      key - the key
      kek - the key encryption key
      Returns:
      the encrypted key bytes
      Throws:
      IOException
    • unwrapKey

      public static Key unwrapKey(org.apache.hadoop.conf.Configuration conf, String subject, byte[] value) throws IOException, KeyException
      Unwrap a key by decrypting it with the secret key of the given subject. The configuration must be set up correctly for key alias resolution.
      Parameters:
      conf - configuration
      subject - subject key alias
      value - the encrypted key bytes
      Returns:
      the raw key bytes
      Throws:
      IOException
      KeyException
    • unwrapKey

      public static Key unwrapKey(org.apache.hadoop.conf.Configuration conf, String subject, byte[] value, Key kek) throws IOException, KeyException
      Unwrap a key by decrypting it with the secret key of the given subject. The configuration must be set up correctly for key alias resolution. Only one of the subject or kek needs to be specified and the other one can be null.
      Parameters:
      conf - configuration
      subject - subject key alias
      value - the encrypted key bytes
      kek - the key encryption key
      Returns:
      the raw key bytes
      Throws:
      IOException
      KeyException
    • getUnwrapKey

      private static Key getUnwrapKey(org.apache.hadoop.conf.Configuration conf, String subject, org.apache.hadoop.hbase.shaded.protobuf.generated.EncryptionProtos.WrappedKey wrappedKey, Cipher cipher, Key kek) throws IOException, KeyException
      Throws:
      IOException
      KeyException
    • unwrapWALKey

      public static Key unwrapWALKey(org.apache.hadoop.conf.Configuration conf, String subject, byte[] value) throws IOException, KeyException
      Unwrap a WAL key by decrypting it with the secret key of the given subject. The configuration must be set up correctly for key alias resolution.
      Parameters:
      conf - configuration
      subject - subject key alias
      value - the encrypted key bytes
      Returns:
      the raw key bytes
      Throws:
      IOException - if key is not found for the subject, or if some I/O error occurs
      KeyException - if the key cannot be unwrapped
    • unwrapKey

      public static Key unwrapKey(org.apache.hadoop.conf.Configuration conf, byte[] keyBytes) throws IOException
      Helper for unwrapKey(Configuration, String, byte[]) which automatically uses the configured master and alternative keys, rather than having to specify a key type to unwrap with. The configuration must be set up correctly for key alias resolution.
      Parameters:
      conf - the current configuration
      keyBytes - the key encrypted by master (or alternative) to unwrap
      Returns:
      the key bytes, decrypted
      Throws:
      IOException - if the key cannot be unwrapped
    • createCryptoAES

      public static CryptoAES createCryptoAES(org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos.CryptoCipherMeta cryptoCipherMeta, org.apache.hadoop.conf.Configuration conf) throws IOException
      Helper to create an instance of CryptoAES.
      Parameters:
      conf - The current configuration.
      cryptoCipherMeta - The metadata for creating CryptoAES.
      Returns:
      The instance of CryptoAES.
      Throws:
      IOException - if creating CryptoAES failed
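
A round trip through the subject-based wrapKey and unwrapKey overloads documented above, including the failure when the wrong subject alias is supplied. This is an added example, not part of the HBase Javadoc or code base; it assumes the test-only KeyProviderForTesting class from the hbase-common tests jar is on the classpath, and the class name WrapKeyRoundTrip and the aliases "hbase" and "other" are illustrative.

```java
import java.security.Key;
import java.security.KeyException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.spec.SecretKeySpec;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HConstants;
import org.apache.hadoop.hbase.io.crypto.KeyProviderForTesting;
import org.apache.hadoop.hbase.security.EncryptionUtil;

// Added example (hypothetical class name); not HBase project code.
public class WrapKeyRoundTrip {
  public static void main(String[] args) throws Exception {
    Configuration conf = new Configuration();
    // "Key alias resolution" needs a key provider. Assumption: the test-only
    // KeyProviderForTesting derives a key from the alias name, so no keystore
    // file is needed here. A real deployment points this at a keystore-backed
    // provider instead.
    conf.set(HConstants.CRYPTO_KEYPROVIDER_CONF_KEY,
        KeyProviderForTesting.class.getName());

    // Constructed sample data key: 16 random bytes used as an AES key.
    byte[] raw = new byte[16];
    new SecureRandom().nextBytes(raw);
    Key dataKey = new SecretKeySpec(raw, HConstants.CIPHER_AES);

    // Wrap under the key resolved for alias "hbase" (illustrative alias).
    byte[] wrapped = EncryptionUtil.wrapKey(conf, "hbase", dataKey);

    // Unwrapping with the same alias must return the original key material.
    Key unwrapped = EncryptionUtil.unwrapKey(conf, "hbase", wrapped);
    if (!Arrays.equals(raw, unwrapped.getEncoded())) {
      throw new IllegalStateException("round trip changed the key bytes");
    }

    // Unwrapping with a different alias must fail, not return garbage bytes.
    try {
      EncryptionUtil.unwrapKey(conf, "other", wrapped);
      throw new IllegalStateException("unwrap with the wrong subject succeeded");
    } catch (KeyException expected) {
      System.out.println("wrong subject rejected: " + expected.getMessage());
    }
  }
}
```

Callers should treat KeyException from unwrapKey as a hard failure (wrong or rotated key-encryption key, or corrupted wrapped bytes) and never fall back to using the bytes as-is.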