You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@accumulo.apache.org by GitBox <gi...@apache.org> on 2018/05/04 23:38:45 UTC
[GitHub] ctubbsii commented on a change in pull request #465: Initial ideas
for new Encryption interface
ctubbsii commented on a change in pull request #465: Initial ideas for new Encryption interface
URL: https://github.com/apache/accumulo/pull/465#discussion_r186242151
##########
File path: core/src/main/java/org/apache/accumulo/core/conf/Property.java
##########
@@ -45,78 +45,14 @@
// Crypto-related properties
@Experimental
CRYPTO_PREFIX("crypto.", null, PropertyType.PREFIX,
- "Properties in this category related to the configuration of both default and custom crypto"
- + " modules."),
+ "Properties related to encryption."),
@Experimental
- CRYPTO_MODULE_CLASS("crypto.module.class", "NullCryptoModule", PropertyType.STRING,
- "Fully qualified class name of the class that implements the CryptoModule"
- + " interface, to be used in setting up encryption at rest for the WAL and"
- + " (future) other parts of the code."),
+ CRYPTO_STRATEGY("crypto.strategy", "org.apache.accumulo.core.security.crypto.DefaultEncryptionStrategy", PropertyType.CLASSNAME, "Encryption strategy"),
@Experimental
- CRYPTO_CIPHER_SUITE("crypto.cipher.suite", "NullCipher", PropertyType.STRING,
- "Describes the cipher suite to use for rfile encryption. The value must"
- + " be either NullCipher or in the form of algorithm/mode/padding, e.g."
- + " AES/CBC/NoPadding"),
+ CRYPTO_WAL_ENABLED("crypto.wal.enabled", "false", PropertyType.BOOLEAN, "Enable encryption for Write Ahead Logs."),
@Experimental
- CRYPTO_WAL_CIPHER_SUITE("crypto.wal.cipher.suite", "", PropertyType.STRING,
- "Describes the cipher suite to use for the write-ahead log. Defaults to"
- + " 'cyrpto.cipher.suite' and will use that value for WAL encryption unless"
- + " otherwise specified. Valid suite values include: an empty string,"
- + " NullCipher, or a string the form of algorithm/mode/padding, e.g."
- + " AES/CBC/NOPadding"),
- @Experimental
- CRYPTO_CIPHER_KEY_ALGORITHM_NAME("crypto.cipher.key.algorithm.name", "NullCipher",
- PropertyType.STRING,
- "States the name of the algorithm used for the key for the corresponding"
- + " cipher suite. The key type must be compatible with the cipher suite."),
- @Experimental
- CRYPTO_BLOCK_STREAM_SIZE("crypto.block.stream.size", "1K", PropertyType.BYTES,
- "The size of the buffer above the cipher stream. Used for reading files"
- + " and padding walog entries."),
- @Experimental
- CRYPTO_CIPHER_KEY_LENGTH("crypto.cipher.key.length", "128", PropertyType.STRING,
- "Specifies the key length *in bits* to use for the symmetric key, "
- + "should probably be 128 or 256 unless you really know what you're doing"),
- @Experimental
- CRYPTO_SECURITY_PROVIDER("crypto.security.provider", "", PropertyType.STRING,
- "States the security provider to use, and defaults to the system configured provider"),
- @Experimental
- CRYPTO_SECURE_RNG("crypto.secure.rng", "SHA1PRNG", PropertyType.STRING,
- "States the secure random number generator to use, and defaults to the built-in SHA1PRNG"),
- @Experimental
- CRYPTO_SECURE_RNG_PROVIDER("crypto.secure.rng.provider", "SUN", PropertyType.STRING,
- "States the secure random number generator provider to use."),
- @Experimental
- CRYPTO_SECRET_KEY_ENCRYPTION_STRATEGY_CLASS("crypto.secret.key.encryption.strategy.class",
- "NullSecretKeyEncryptionStrategy", PropertyType.STRING,
- "The class Accumulo should use for its key encryption strategy."),
- @Experimental
- CRYPTO_DEFAULT_KEY_STRATEGY_HDFS_URI("crypto.default.key.strategy.hdfs.uri", "",
- PropertyType.STRING,
- "The path relative to the top level instance directory (instance.dfs.dir) where to store"
- + " the key encryption key within HDFS."),
- @Experimental
- CRYPTO_DEFAULT_KEY_STRATEGY_KEY_LOCATION("crypto.default.key.strategy.key.location",
- "/crypto/secret/keyEncryptionKey", PropertyType.ABSOLUTEPATH,
- "The path relative to the top level instance directory (instance.dfs.dir) where to store"
- + " the key encryption key within HDFS."),
- @Experimental
- CRYPTO_DEFAULT_KEY_STRATEGY_CIPHER_SUITE("crypto.default.key.strategy.cipher.suite", "NullCipher",
- PropertyType.STRING,
- "The cipher suite to use when encrypting session keys with a key"
- + " encryption keyThis should be set to match the overall encryption"
- + " algorithm but with ECB mode and no padding unless you really know what"
- + " you're doing and are sure you won't break internal file formats"),
- @Experimental
- CRYPTO_OVERRIDE_KEY_STRATEGY_WITH_CONFIGURED_STRATEGY(
- "crypto.override.key.strategy.with.configured.strategy", "false", PropertyType.BOOLEAN,
- "The default behavior is to record the key encryption strategy with the"
- + " encrypted file, and continue to use that strategy for the life of that"
- + " file. Sometimes, you change your strategy and want to use the new"
- + " strategy, not the old one. (Most commonly, this will be because you have"
- + " moved key material from one spot to another.) If you want to override"
- + " the recorded key strategy with the one in the configuration file, set"
- + " this property to true."),
+ CRYPTO_RFILE_ENABLED("crypto.rfile.enabled", "false", PropertyType.BOOLEAN, "Enable encryption for R-Files."),
Review comment:
Eventually, I think we want this to be per-table configuration.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services