vikaskr22 opened a new pull request, #593: URL: https://github.com/apache/ranger/pull/593
…PBE encryption

## What changes were proposed in this pull request?

Currently Ranger KMS supports the following password-based encryption (PBE) algorithms to encrypt/decrypt the MasterKey and zone keys: **PBEWithMD5AndDES, PBEWithMD5AndTripleDES**

Both algorithms are weak. With this commit, KMS will start supporting the PBKDF2WithHmacSHA256 algorithm if FIPS is enabled. This algorithm is FIPS compliant and is provided by many SecurityProviders. Currently I have kept this for when FIPS is enabled, that is, when keyStoreType is **"bcfks"**.

So if FIPS is enabled, then the following will happen:

1. All new key material will be encrypted/decrypted using the PBKDF2WithHmacSHA256 algorithm.
2. Any older keys (including MasterKey) will be re-encrypted using PBKDF2WithHmacSHA256 on KMS service start. This is a one-time operation.

Here re-encryption means decrypting the older keys using the older algorithm and re-encrypting them using the current PBKDF2WithHmacSHA256 algorithm. Please note that the key material is not changing; it is only being re-encrypted before being stored in the DB. Hence, there is no risk of data loss.

## How was this patch tested?

1. Basic mvn build and unit test cases.
2. Manual testing in docker setup.

I used the following steps to prepare the docker container for this testing:

- I used **bc-fips-2.0.0.jar** as SecurityProvider for PBKDF2WithHmacSHA256
- Copied the **bc-fips-2.0.0.jar** jar to `/usr/lib/jvm/java-8-openjdk-arm64/jre/lib/ext/`
- Updated the java.security file at `/etc/java-8-openjdk/security/java.security` to contain the following content:

  ```
  security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
  org.bouncycastle.fips.approved_only=true
  ```

- **For rangerkms.jceks** (that contains the MasterKey password and DB password): created the corresponding keystore in bcfks format, named rangerkms.localbcfks
- **dbks-site.xml**: Updated the following properties in this file:
  - Key: `ranger.ks.jpa.jdbc.credential.provider.path`
    Value: `localbcfks://file/opt/ranger/kms/ews/webapp/WEB-INF/classes/conf/rangerkms.localbcfks`
  - Key: `ranger.keystore.file.type`
    Value: `bcfks`

**Scenarios Tested:**

1. **Fresh setup:** The MasterKey and zone keys got created using the latest algorithm, and basic encryption/decryption was working fine.
2. **Cluster having old keys with older algorithm:**
   - Here I created one zone key (zonekey1) and one encryption zone, and copied one test file inside the encryption zone.
   - This means the file got encrypted using a DEK, and this DEK was encrypted using the corresponding zone key. This zone key was encrypted using PBEWithMD5AndDES.
   - Then I created a new ranger-kms docker image with the new changes and started the container.
   - Here the MasterKey and all zone keys got re-encrypted using the new algorithm.
   - Files kept inside the encryption zone were accessible after key re-encryption.
   - Also, the basic key life cycle (create/rotate/delete) was working.
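
The re-encryption step described in the pull request, sketched as an added example; this is not code from the PR or from Ranger. It runs on the JDK's default providers rather than the BC FIPS setup above, and the AES/GCM cipher, salt and IV sizes, iteration counts, password and class name are all assumptions of the example, since the description names only the PBKDF2WithHmacSHA256 algorithm.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.*;
import java.security.SecureRandom;
import java.util.Arrays;

public class PbeMigrationExample {
    // Legacy scheme named in the PR: DES key and IV are both derived from iterated MD5.
    static byte[] legacy(int mode, char[] pw, byte[] salt, int iter, byte[] in) throws Exception {
        SecretKey k = SecretKeyFactory.getInstance("PBEWithMD5AndDES").generateSecret(new PBEKeySpec(pw));
        Cipher c = Cipher.getInstance("PBEWithMD5AndDES");
        c.init(mode, k, new PBEParameterSpec(salt, iter));
        return c.doFinal(in);
    }

    // PBKDF2WithHmacSHA256 is a KDF only; pairing it with AES/GCM is this example's assumption.
    static SecretKey derive(char[] pw, byte[] salt, int iter) throws Exception {
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(pw, salt, iter, 256)).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    static byte[] gcm(int mode, SecretKey k, byte[] iv, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, k, new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        char[] pw = "constructed-master-password".toCharArray(); // constructed sample value
        byte[] keyMaterial = new byte[32], oldSalt = new byte[8], salt = new byte[16], iv = new byte[12];
        rng.nextBytes(keyMaterial); rng.nextBytes(oldSalt); rng.nextBytes(salt); rng.nextBytes(iv);

        // Row as it sits in the DB before the upgrade (iteration counts are illustrative).
        byte[] stored = legacy(Cipher.ENCRYPT_MODE, pw, oldSalt, 1000, keyMaterial);

        // One-time migration: decrypt with the old algorithm, re-encrypt with the new one.
        byte[] plain = legacy(Cipher.DECRYPT_MODE, pw, oldSalt, 1000, stored);
        byte[] migrated = gcm(Cipher.ENCRYPT_MODE, derive(pw, salt, 10000), iv, plain);

        // Verify the round trip before the old row is overwritten, then wipe plaintext copies.
        byte[] check = gcm(Cipher.DECRYPT_MODE, derive(pw, salt, 10000), iv, migrated);
        if (!Arrays.equals(check, plain)) throw new IllegalStateException("migration changed key material");
        Arrays.fill(plain, (byte) 0); Arrays.fill(check, (byte) 0);
        System.out.println("key material unchanged; " + stored.length + " -> " + migrated.length + " bytes");
    }
}
```

The round-trip check before the old ciphertext is replaced is what backs a "no data loss" claim in practice: a failed migration leaves the legacy row untouched and readable.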