[ 
https://issues.apache.org/jira/browse/RANGER-3641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17898307#comment-17898307
 ] 

Vikas Kumar commented on RANGER-3641:
-------------------------------------

*Update:*

*Review:* https://reviews.apache.org/r/75272/

*Description:*
New KMS API to generate EDEK and DEK in one request to avoid two trips to KMS

Many times a client app creates an EDEK when it needs to encrypt data. At 
that time, it needs to make one call to get the EDEK and a subsequent call to 
decrypt that EDEK to get the plain DEK. There it makes sense to have one API 
that returns both EDEK and DEK together, saving one trip to KMS.

I saw a similar API in the AWS KMS API; it returns both.

The existing generateEncryptionkey is still there and can be used for bulk EDEK 
generation, maybe not for immediate consumption, or to keep in a client cache 
and decrypt when required.

> Add API to enhance KMS capabilities
> -----------------------------------
>
>                 Key: RANGER-3641
>                 URL: https://issues.apache.org/jira/browse/RANGER-3641
>             Project: Ranger
>          Issue Type: Improvement
>          Components: kms
>    Affects Versions: 3.0.0, 2.3.0
>            Reporter: kirby zhou
>            Assignee: Vikas Kumar
>            Priority: Major
>
> Some APIs are very useful.
>  
>  * GenerateEEK with decrypted EEK returned together
> Like:
> {EEK, EK} = GenerateEEK2(KeyVersion)
> This helps programs that request an EEK to encrypt something themselves, such as 
> KUDU or MySQL.
> It now takes 2 RPC calls to complete encryption. If an API can return EEK and 
> EK together, we can save 1 RPC call.
>  
>  * Simple Encryption and Decryption API
> Like:
> {EncryptedData} = Encrypt(KeyVersion, PlainData)
> {PlainData} = Decrypt(KeyVersion, EncryptedData)
> This helps Ranger KMS work for some simple situations such as encrypting a 
> password.
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
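
The two flows discussed in the comment above, as an added Java example that is not part of the original message or of Ranger's code: an in-memory stand-in for a KMS shows the existing two-call path next to the combined call. The class `MockKms`, its method names, and wrapping the DEK with AES/CTR under a 128-bit key version are assumptions made for illustration; records need Java 16 or later.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.SecureRandom;
import java.util.Arrays;

// Added illustration: in-memory stand-in for a KMS; MockKms and its method names are hypothetical.
public class EnvelopeDemo {
    record Eek(byte[] iv, byte[] wrapped) {}
    record DataKey(Eek edek, byte[] dek) {}

    static class MockKms {
        private final SecureRandom rng = new SecureRandom();
        private final byte[] keyVersion = new byte[16]; // key material never leaves the KMS
        int calls = 0;                                   // each non-private method models one RPC
        MockKms() { rng.nextBytes(keyVersion); }

        private byte[] ctr(int mode, byte[] iv, byte[] in) throws Exception {
            Cipher c = Cipher.getInstance("AES/CTR/NoPadding");
            c.init(mode, new SecretKeySpec(keyVersion, "AES"), new IvParameterSpec(iv));
            return c.doFinal(in);
        }
        private DataKey newKey() throws Exception {
            byte[] dek = new byte[16], iv = new byte[16];
            rng.nextBytes(dek); rng.nextBytes(iv);
            return new DataKey(new Eek(iv, ctr(Cipher.ENCRYPT_MODE, iv, dek)), dek);
        }
        Eek generateEek() throws Exception { calls++; return newKey().edek(); }
        byte[] decryptEek(Eek e) throws Exception { calls++; return ctr(Cipher.DECRYPT_MODE, e.iv(), e.wrapped()); }
        DataKey generateEekWithDek() throws Exception { calls++; return newKey(); }
    }

    public static void main(String[] args) throws Exception {
        MockKms kms = new MockKms();
        // Existing flow: two round trips before the client can encrypt.
        Eek edek = kms.generateEek();
        byte[] dek = kms.decryptEek(edek);
        System.out.println("two-call flow RPCs: " + kms.calls);

        // Combined flow: one round trip returns both the EDEK and the plain DEK.
        kms.calls = 0;
        DataKey dk = kms.generateEekWithDek();
        System.out.println("combined flow RPCs: " + kms.calls);
        // The client stores only the EDEK beside its ciphertext and wipes the DEK after use.
        boolean same = Arrays.equals(dk.dek(), kms.decryptEek(dk.edek()));
        Arrays.fill(dk.dek(), (byte) 0); Arrays.fill(dek, (byte) 0);
        System.out.println("EDEK unwraps to same DEK: " + same);
    }
}
```

In both flows the plain DEK crosses the wire exactly once, so the combined call removes a round trip without changing what the client must protect: only the EDEK is persisted, and a later read still goes through the decrypt call.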
