milleruntime commented on a change in pull request #465: Initial ideas for new 
Encryption interface
URL: https://github.com/apache/accumulo/pull/465#discussion_r187446071
 
 

 ##########
 File path: core/src/main/java/org/apache/accumulo/core/conf/Property.java
 ##########
 @@ -45,78 +45,14 @@
   // Crypto-related properties
   @Experimental
   CRYPTO_PREFIX("crypto.", null, PropertyType.PREFIX,
-      "Properties in this category related to the configuration of both 
default and custom crypto"
-          + " modules."),
+      "Properties related to encryption."),
   @Experimental
-  CRYPTO_MODULE_CLASS("crypto.module.class", "NullCryptoModule", 
PropertyType.STRING,
-      "Fully qualified class name of the class that implements the 
CryptoModule"
-          + " interface, to be used in setting up encryption at rest for the 
WAL and"
-          + " (future) other parts of the code."),
+  CRYPTO_STRATEGY("crypto.strategy", 
"org.apache.accumulo.core.security.crypto.DefaultEncryptionStrategy", 
PropertyType.CLASSNAME, "Encryption strategy"),
   @Experimental
-  CRYPTO_CIPHER_SUITE("crypto.cipher.suite", "NullCipher", PropertyType.STRING,
-      "Describes the cipher suite to use for rfile encryption. The value must"
-          + " be either NullCipher or in the form of algorithm/mode/padding, 
e.g."
-          + " AES/CBC/NoPadding"),
+  CRYPTO_WAL_ENABLED("crypto.wal.enabled", "false", PropertyType.BOOLEAN, 
"Enable encryption for Write Ahead Logs."),
   @Experimental
-  CRYPTO_WAL_CIPHER_SUITE("crypto.wal.cipher.suite", "", PropertyType.STRING,
-      "Describes the cipher suite to use for the write-ahead log. Defaults to"
-          + " 'cyrpto.cipher.suite' and will use that value for WAL encryption 
unless"
-          + " otherwise specified. Valid suite values include: an empty 
string,"
-          + " NullCipher, or a string the form of algorithm/mode/padding, e.g."
-          + " AES/CBC/NOPadding"),
-  @Experimental
-  CRYPTO_CIPHER_KEY_ALGORITHM_NAME("crypto.cipher.key.algorithm.name", 
"NullCipher",
-      PropertyType.STRING,
-      "States the name of the algorithm used for the key for the corresponding"
-          + " cipher suite. The key type must be compatible with the cipher 
suite."),
-  @Experimental
-  CRYPTO_BLOCK_STREAM_SIZE("crypto.block.stream.size", "1K", 
PropertyType.BYTES,
-      "The size of the buffer above the cipher stream. Used for reading files"
-          + " and padding walog entries."),
-  @Experimental
-  CRYPTO_CIPHER_KEY_LENGTH("crypto.cipher.key.length", "128", 
PropertyType.STRING,
-      "Specifies the key length *in bits* to use for the symmetric key, "
-          + "should probably be 128 or 256 unless you really know what you're 
doing"),
-  @Experimental
-  CRYPTO_SECURITY_PROVIDER("crypto.security.provider", "", PropertyType.STRING,
-      "States the security provider to use, and defaults to the system 
configured provider"),
-  @Experimental
-  CRYPTO_SECURE_RNG("crypto.secure.rng", "SHA1PRNG", PropertyType.STRING,
-      "States the secure random number generator to use, and defaults to the 
built-in SHA1PRNG"),
-  @Experimental
-  CRYPTO_SECURE_RNG_PROVIDER("crypto.secure.rng.provider", "SUN", 
PropertyType.STRING,
-      "States the secure random number generator provider to use."),
-  @Experimental
-  
CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS("crypto.secret.key.encryption.strategy.class",
-      "NullSecretKeyEncryptionStrategy", PropertyType.STRING,
-      "The class Accumulo should use for its key encryption strategy."),
-  @Experimental
-  CRYPTO_DEFAULT_KEY_STRATEGY_HDFS_URI("crypto.default.key.strategy.hdfs.uri", 
"",
-      PropertyType.STRING,
-      "The path relative to the top level instance directory 
(instance.dfs.dir) where to store"
-          + " the key encryption key within HDFS."),
-  @Experimental
-  
CRYPTO_DEFAULT_KEY_STRATEGY_KEY_LOCATION("crypto.default.key.strategy.key.location",
-      "/crypto/secret/keyEncryptionKey", PropertyType.ABSOLUTEPATH,
-      "The path relative to the top level instance directory 
(instance.dfs.dir) where to store"
-          + " the key encryption key within HDFS."),
-  @Experimental
-  
CRYPTO_DEFAULT_KEY_STRATEGY_CIPHER_SUITE("crypto.default.key.strategy.cipher.suite",
 "NullCipher",
-      PropertyType.STRING,
-      "The cipher suite to use when encrypting session keys with a key"
-          + " encryption keyThis should be set to match the overall encryption"
-          + " algorithm but with ECB mode and no padding unless you really 
know what"
-          + " you're doing and are sure you won't break internal file 
formats"),
-  @Experimental
-  CRYPTO_OVERRIDE_KEY_STRATEGY_WITH_CONFIGURED_STRATEGY(
-      "crypto.override.key.strategy.with.configured.strategy", "false", 
PropertyType.BOOLEAN,
-      "The default behavior is to record the key encryption strategy with the"
-          + " encrypted file, and continue to use that strategy for the life 
of that"
-          + " file. Sometimes, you change your strategy and want to use the 
new"
-          + " strategy, not the old one. (Most commonly, this will be because 
you have"
-          + " moved key material from one spot to another.) If you want to 
override"
-          + " the recorded key strategy with the one in the configuration 
file, set"
-          + " this property to true."),
+  CRYPTO_RFILE_ENABLED("crypto.rfile.enabled", "false", PropertyType.BOOLEAN, 
"Enable encryption for R-Files."),
 
 Review comment:
   I agree.  I think for now I am going to make one "crypto.enabled" property,
so we can initialize the encryptionStrategy when it's enabled.  I am thinking of
making the encryption per table as a follow-on.
