Posted to issues@iceberg.apache.org by GitBox <gi...@apache.org> on 2021/04/12 05:18:19 UTC

[GitHub] [iceberg] ggershinsky commented on pull request #2444: Core: add API for table metadata file encryption

ggershinsky commented on pull request #2444:
URL: https://github.com/apache/iceberg/pull/2444#issuecomment-817487539


   Hi guys, regarding the table KEK (or MEK): I think we should always have an option (it might be the default) to keep the master keys in a KMS, so they can be stored in safe HSM modules, with their access control managed by production-grade IAM systems, etc.
   
   Not all KMS systems support arbitrary key IDs. Some generate master keys with a system-specific ID, which can then be used by us for table encryption. In other words, we should have an option to take an external key ID as an input (instead of generating the ID), and store it in the table's configuration.

