[
https://issues.apache.org/jira/browse/HBASE-25181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sean Busbey updated HBASE-25181:
--------------------------------
Summary: Add options for disabling column family encryption and choosing
hash algorithm for wrapped encryption keys. (was: Configure hash algorithm in
wrapped encryption keys)
> Add options for disabling column family encryption and choosing hash
> algorithm for wrapped encryption keys.
> -----------------------------------------------------------------------------------------------------------
>
> Key: HBASE-25181
> URL: https://issues.apache.org/jira/browse/HBASE-25181
> Project: HBase
> Issue Type: Improvement
> Affects Versions: 2.3.2
> Reporter: Mate Szalay-Beko
> Assignee: Mate Szalay-Beko
> Priority: Major
>
> Currently we are using MD5 hash algorithm to store a hash for encryption
> keys. This hash is needed to verify the secret key of the subject. (e.g.
> making sure that the same secret key is used during encrypted HFile / WalFile
> read and write). The MD5 algorithm is considered weak, and can not be used in
> some (e.g. FIPS compliant) clusters. However, currently it is not possible to
> use different hash algorithm, or to disable the whole column family
> encryption globally on the cluster.
> In this patch:
> * I introduce a backward compatible way of specifying the hash algorithm.
> This enable us to use newer and/or more secure hash algorithms like SHA-384
> or SHA-512 (which are FIPS compliant).
> * I added a configuration parameter to globally enable / disable the column
> family encryption feature. (enabled by default for backward compatibility).
> This is handy if someone wants to operate an HBase cluster making sure that
> uses are only relying on other (e.g. HDFS based) encryption mechanisms.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
