adamreeve commented on issue #7373: URL: https://github.com/apache/arrow-rs/issues/7373#issuecomment-2789376339
I don't think this is exactly what you have in mind, but I expect most users would want to use the key management tools API that is in progress and integrates with a KMS to encrypt and decrypt data encryption keys, rather than directly using the existing low-level APIs. I have a PR open for that at https://github.com/apache/arrow-rs/pull/7387

When that is used, the master encryption keys aren't exposed to the process but are managed by a KMS which will usually perform the encryption and decryption remotely. It encrypts and decrypts data encryption keys that are randomly generated per file, rather than decrypting the Parquet data directly. So the only keys that are kept in memory are keys that are limited in scope to a single Parquet file, limiting the damage that can be done if a key is exposed.

cc @ggershinsky you might have some thoughts on this topic.