You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@kudu.apache.org by "kirby zhou (Jira)" <ji...@apache.org> on 2022/04/06 07:14:00 UTC

[jira] [Commented] (KUDU-3316) Store encrypted encryption keys in encrypted files

    [ https://issues.apache.org/jira/browse/KUDU-3316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17517893#comment-17517893 ] 

kirby zhou commented on KUDU-3316:
----------------------------------

I see you add a fixed 32 byte length of EEK in the header. 

 

In my opinion, EEK had better be of variable length.

 

If we use some kind of KMS to manage the EEK, the size of EEK may vary with different KMS. For example, KMS can encode the name and version of ZoneKey into EEK, and do some base64-encoding. The EEK may grows to hundreds of bytes.

 

Another problem，

The IV of AES-CTR is hard-coded in DoEncryptV,

  InlineBigEndianEncodeFixed64(&iv[0], 0);
  InlineBigEndianEncodeFixed64(&iv[8], offset / kEncryptionBlockSize);

From the security point of view, The first 8-octet of IV should be filled as random number and stored in file header.

 

> Store encrypted encryption keys in encrypted files
> --------------------------------------------------
>
>                 Key: KUDU-3316
>                 URL: https://issues.apache.org/jira/browse/KUDU-3316
>             Project: Kudu
>          Issue Type: Sub-task
>            Reporter: Attila Bukor
>            Assignee: Attila Bukor
>            Priority: Major
>




--
This message was sent by Atlassian Jira
(v8.20.1#820001)