Posted to notifications@accumulo.apache.org by GitBox <gi...@apache.org> on 2022/09/26 21:59:56 UTC

[GitHub] [accumulo-website] cshannon opened a new pull request, #342: Per table crypto - work in progress

cshannon opened a new pull request, #342:
URL: https://github.com/apache/accumulo-website/pull/342

   Here are in-progress updates for the documentation for per-table crypto. Creating a draft pull request for now so it can be reviewed for errors.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@accumulo.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [accumulo-website] milleruntime commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
milleruntime commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r982414121


##########
_docs-2/configuration/server-properties.md:
##########
@@ -25,6 +25,7 @@ Below are properties set in `accumulo.properties` or the Accumulo shell that con
 | <a name="general_classpaths" class="prop"></a> general.classpaths | **Deprecated.** ~~This property is deprecated since 2.0.0. The class path should instead be configured by the launch environment (for example, accumulo-env.sh). A list of all of the places to look for a class. Order does matter, as it will look for the jar starting in the first location to the last. Supports full regex on filename alone.~~<br>~~**type:** STRING~~, ~~**zk mutable:** no~~, ~~**default value:** empty~~ |
 | <a name="general_context_class_loader_factory" class="prop"></a> general.context.class.loader.factory | Name of classloader factory to be used to create classloaders for named contexts, such as per-table contexts set by `table.class.loader.context`.<br>**type:** CLASSNAME, **zk mutable:** no, **default value:** empty |
 | <a name="general_custom_prefix" class="prop"></a> **general.custom.*** | Prefix to be used for user defined system-wide properties. This may be particularly useful for system-wide configuration for various user-implementations of pluggable Accumulo features, such as the balancer or volume chooser. |
+| <a name="general_custom_crypto_service" class="prop"></a> general.custom.crypto.service | **Experimental.** The class which executes on-disk file encryption. The default does nothing. To enable encryption, replace this classname with an implementation of theorg.apache.accumulo.core.spi.crypto.CryptoService interface.<br>**type:** CLASSNAME, **zk mutable:** no, **default value:** {% jlink -f org.apache.accumulo.core.spi.crypto.NoCryptoService %} |
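Review bot: "theorg.apache.accumulo.core.spi.crypto.CryptoService" in the added row is missing a space after "the", and the description should say that this property is only consulted when `instance.crypto.opts.factory` is set to `GenericCryptoServiceFactory` (the on-disk-encryption.md hunk later in this thread sets the two together); as written, an operator who sets `general.custom.crypto.service` alone will expect encryption that never happens and get no error, because the documented default is the no-op `NoCryptoService`. Suggest ending the description with a pointer to the factory property or to the on-disk encryption page.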

Review Comment:
   This file is generated so the edit will have to go in Property.java. 
   `<!-- WARNING: Do not edit this file. It is a generated file that is copied from Accumulo build (from core/target/generated-docs) -->`
   





[GitHub] [accumulo-website] dlmarion commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
dlmarion commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r981117948


##########
_docs-2/configuration/server-properties.md:
##########
@@ -25,6 +25,7 @@ Below are properties set in `accumulo.properties` or the Accumulo shell that con
 | <a name="general_classpaths" class="prop"></a> general.classpaths | **Deprecated.** ~~This property is deprecated since 2.0.0. The class path should instead be configured by the launch environment (for example, accumulo-env.sh). A list of all of the places to look for a class. Order does matter, as it will look for the jar starting in the first location to the last. Supports full regex on filename alone.~~<br>~~**type:** STRING~~, ~~**zk mutable:** no~~, ~~**default value:** empty~~ |
 | <a name="general_context_class_loader_factory" class="prop"></a> general.context.class.loader.factory | Name of classloader factory to be used to create classloaders for named contexts, such as per-table contexts set by `table.class.loader.context`.<br>**type:** CLASSNAME, **zk mutable:** no, **default value:** empty |
 | <a name="general_custom_prefix" class="prop"></a> **general.custom.*** | Prefix to be used for user defined system-wide properties. This may be particularly useful for system-wide configuration for various user-implementations of pluggable Accumulo features, such as the balancer or volume chooser. |
+| <a name="general_custom_crypto_service" class="prop"></a> general.custom.crypto.service | **Experimental.** The class which executes on-disk file encryption. The default does nothing. To enable encryption, replace this classname with an implementation of theorg.apache.accumulo.core.spi.crypto.CryptoService interface.<br>**type:** CLASSNAME, **zk mutable:** no, **default value:** {% jlink -f org.apache.accumulo.core.spi.crypto.NoCryptoService %} |

Review Comment:
   ```suggestion
   | <a name="general_custom_crypto_service" class="prop"></a> general.custom.crypto.service | **Experimental.** The class which executes on-disk file encryption. The default does nothing. To enable encryption, replace this classname with an implementation of the org.apache.accumulo.core.spi.crypto.CryptoService interface.<br>**type:** CLASSNAME, **zk mutable:** no, **default value:** {% jlink -f org.apache.accumulo.core.spi.crypto.NoCryptoService %} |
   ```



##########
_docs-2/security/on-disk-encryption.md:
##########
@@ -5,23 +5,57 @@ order: 5
 ---
 
 For an additional layer of security, Accumulo can encrypt files stored on disk.  On Disk encryption was reworked 
-for 2.0, making it easier to configure and more secure.  The files that can be encrypted include: [RFiles][design] and Write Ahead Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
+for 2.0, making it easier to configure and more secure.  Starting with 2.1 On Disk Encryption can now be configured
+per table as well as for the entire instance (all tables). The files that can be encrypted include: [RFiles][design] and Write Ahead 
+Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
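Review bot: the new sentence says on-disk encryption "can now be configured per table" immediately after listing RFiles and WALs as the files that can be encrypted, but the per-table section further down in this same hunk describes `table.crypto.opts.service` as applying to "the table RFiles" only; state here, or in that section, what happens to WALs under `PerTableCryptoServiceFactory`, since a reader will otherwise assume the WAL contents of an encrypted table are encrypted too. Minor: "On Disk Encryption" is capitalised differently from "On Disk encryption" in the preceding sentence; "on-disk encryption" would read better in both places.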
 

Review Comment:
   I think we should drop another note here that points people to _docs-2/administration/upgrading.md. Then, in upgrading.md we should add a warning that upgrading an encrypted instance to 2.1.0 is not currently supported.





[GitHub] [accumulo-website] milleruntime commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
milleruntime commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r981523980


##########
_docs-2/security/on-disk-encryption.md:
##########
@@ -5,23 +5,57 @@ order: 5
 ---
 
 For an additional layer of security, Accumulo can encrypt files stored on disk.  On Disk encryption was reworked 
-for 2.0, making it easier to configure and more secure.  The files that can be encrypted include: [RFiles][design] and Write Ahead Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
+for 2.0, making it easier to configure and more secure.  Starting with 2.1 On Disk Encryption can now be configured
+per table as well as for the entire instance (all tables). The files that can be encrypted include: [RFiles][design] and Write Ahead 
+Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
 
 ## Configuration
 
-To encrypt all tables on disk, encryption must be enabled before an Accumulo instance is initialized.  If on disk 
-encryption is enabled on an existing cluster, only files created after it is enabled will be encrypted 
-(root and metadata tables will not be encrypted in this case) and existing data won't be encrypted until compaction.  To configure on disk encryption, add the 
-{% plink instance.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
+To encrypt tables on disk, encryption must be enabled before an Accumulo instance is initialized. This is
+done by configuring a crypto service factory. If on disk encryption is enabled on an existing cluster, only files
+created after it is enabled will be encrypted (root and metadata tables will not be encrypted in this case) and
+existing data won't be encrypted until compaction. 
+
+### Encrypting All Tables
+
+To encrypt all tables, the generic crypto service factory can be used, `GenericCryptoServiceFactory`. This factory
+is useful for general purpose on disk encryption with no table context.
+```
+instance.crypto.opts.factory=org.apache.accumulo.core.spi.crypto.GenericCryptoServiceFactory
+```
+
+The GenericCryptoServiceFactory requires configuring a crypto service to load and this can be done by adding the
+{% plink general.custom.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
 class name of the service which will perform crypto on RFiles and WALs. 
 ```
-instance.crypto.service=org.apache.accumulo.core.security.crypto.impl.AESCryptoService
+general.custom.crypto.service=org.apache.accumulo.core.spi.crypto.AESCryptoService
 ```
+
+### Per Table Encryption
+
+To encrypt per table, the per table crypto service factory can be used, `PerTableCryptoServiceFactory`. This factory
+will load a crypto service configured by table. 
+```
+instance.crypto.opts.factory=org.apache.accumulo.core.spi.crypto.PerTableCryptoServiceFactory
+```
+
+The PerTableCryptoServiceFactory requires configuring a crypto service to load for the table RFiles and this can be done by adding the
+{% plink table.crypto.opts.service %} property to a table. Example in the accumulo shell:
+```
+createtable table1 -prop table.crypto.opts.service=org.apache.accumulo.core.spi.crypto.AESCryptoService
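Review bot: the per-table section never says what `PerTableCryptoServiceFactory` does for a table that has no `table.crypto.opts.service` set; if such tables silently fall back to the no-op service (the server-properties hunk in this thread gives `NoCryptoService` as the default), that needs to be stated, because a table created without the `-prop` argument would then be written in plaintext with no warning. Suggest a sentence after the shell example along the lines of "Tables that do not set `table.crypto.opts.service` are not encrypted", adjusted to the actual behaviour, plus a note that placing the property in accumulo.properties makes it the default for every table. Minor: "requires configuring a crypto service to load for the table RFiles and this can be done by adding the" is a run-on; split it at "and".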

Review Comment:
   This would be the same as any table properties set at the site configuration (accumulo.properties), all tables would get this property. You would still need to set the Factory for it to actually work though.





[GitHub] [accumulo-website] cshannon commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
cshannon commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r981525416


##########
_docs-2/security/on-disk-encryption.md:
##########
@@ -5,23 +5,57 @@ order: 5
 ---
 
 For an additional layer of security, Accumulo can encrypt files stored on disk.  On Disk encryption was reworked 
-for 2.0, making it easier to configure and more secure.  The files that can be encrypted include: [RFiles][design] and Write Ahead Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
+for 2.0, making it easier to configure and more secure.  Starting with 2.1 On Disk Encryption can now be configured
+per table as well as for the entire instance (all tables). The files that can be encrypted include: [RFiles][design] and Write Ahead 
+Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
 
 ## Configuration
 
-To encrypt all tables on disk, encryption must be enabled before an Accumulo instance is initialized.  If on disk 
-encryption is enabled on an existing cluster, only files created after it is enabled will be encrypted 
-(root and metadata tables will not be encrypted in this case) and existing data won't be encrypted until compaction.  To configure on disk encryption, add the 
-{% plink instance.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
+To encrypt tables on disk, encryption must be enabled before an Accumulo instance is initialized. This is
+done by configuring a crypto service factory. If on disk encryption is enabled on an existing cluster, only files
+created after it is enabled will be encrypted (root and metadata tables will not be encrypted in this case) and
+existing data won't be encrypted until compaction. 
+
+### Encrypting All Tables
+
+To encrypt all tables, the generic crypto service factory can be used, `GenericCryptoServiceFactory`. This factory
+is useful for general purpose on disk encryption with no table context.
+```
+instance.crypto.opts.factory=org.apache.accumulo.core.spi.crypto.GenericCryptoServiceFactory
+```
+
+The GenericCryptoServiceFactory requires configuring a crypto service to load and this can be done by adding the
+{% plink general.custom.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
 class name of the service which will perform crypto on RFiles and WALs. 
 ```
-instance.crypto.service=org.apache.accumulo.core.security.crypto.impl.AESCryptoService
+general.custom.crypto.service=org.apache.accumulo.core.spi.crypto.AESCryptoService
 ```
+
+### Per Table Encryption
+
+To encrypt per table, the per table crypto service factory can be used, `PerTableCryptoServiceFactory`. This factory
+will load a crypto service configured by table. 
+```
+instance.crypto.opts.factory=org.apache.accumulo.core.spi.crypto.PerTableCryptoServiceFactory
+```
+
+The PerTableCryptoServiceFactory requires configuring a crypto service to load for the table RFiles and this can be done by adding the
+{% plink table.crypto.opts.service %} property to a table. Example in the accumulo shell:
+```
+createtable table1 -prop table.crypto.opts.service=org.apache.accumulo.core.spi.crypto.AESCryptoService
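Review bot: the removed `instance.crypto.service=org.apache.accumulo.core.security.crypto.impl.AESCryptoService` line is replaced by `instance.crypto.opts.factory` plus `general.custom.crypto.service` with a new class name, but nothing in the hunk tells a 2.0 user that the old property and the old `org.apache.accumulo.core.security.crypto.impl` package no longer apply; add a short migration note mapping the old property to the two new ones and saying whether an accumulo.properties that still carries `instance.crypto.service` is ignored or rejected at startup, since an ignored setting here means a cluster the operator believes is encrypted writing plaintext.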

Review Comment:
   Ah @milleruntime just beat me to it, so I guess it would apply to all tables.





[GitHub] [accumulo-website] milleruntime commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
milleruntime commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r984747977


##########
_docs-2/configuration/server-properties.md:
##########
@@ -25,6 +25,7 @@ Below are properties set in `accumulo.properties` or the Accumulo shell that con
 | <a name="general_classpaths" class="prop"></a> general.classpaths | **Deprecated.** ~~This property is deprecated since 2.0.0. The class path should instead be configured by the launch environment (for example, accumulo-env.sh). A list of all of the places to look for a class. Order does matter, as it will look for the jar starting in the first location to the last. Supports full regex on filename alone.~~<br>~~**type:** STRING~~, ~~**zk mutable:** no~~, ~~**default value:** empty~~ |
 | <a name="general_context_class_loader_factory" class="prop"></a> general.context.class.loader.factory | Name of classloader factory to be used to create classloaders for named contexts, such as per-table contexts set by `table.class.loader.context`.<br>**type:** CLASSNAME, **zk mutable:** no, **default value:** empty |
 | <a name="general_custom_prefix" class="prop"></a> **general.custom.*** | Prefix to be used for user defined system-wide properties. This may be particularly useful for system-wide configuration for various user-implementations of pluggable Accumulo features, such as the balancer or volume chooser. |
+| <a name="general_custom_crypto_service" class="prop"></a> general.custom.crypto.service | **Experimental.** The class which executes on-disk file encryption. The default does nothing. To enable encryption, replace this classname with an implementation of theorg.apache.accumulo.core.spi.crypto.CryptoService interface.<br>**type:** CLASSNAME, **zk mutable:** no, **default value:** {% jlink -f org.apache.accumulo.core.spi.crypto.NoCryptoService %} |

Review Comment:
   Yeah. You can just have this PR modify the on-disk-encryption section.





[GitHub] [accumulo-website] milleruntime commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
milleruntime commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r982434277


##########
_docs-2/security/on-disk-encryption.md:
##########
@@ -5,23 +5,57 @@ order: 5
 ---
 
 For an additional layer of security, Accumulo can encrypt files stored on disk.  On Disk encryption was reworked 
-for 2.0, making it easier to configure and more secure.  The files that can be encrypted include: [RFiles][design] and Write Ahead Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
+for 2.0, making it easier to configure and more secure.  Starting with 2.1 On Disk Encryption can now be configured
+per table as well as for the entire instance (all tables). The files that can be encrypted include: [RFiles][design] and Write Ahead 
+Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
 
 ## Configuration
 
-To encrypt all tables on disk, encryption must be enabled before an Accumulo instance is initialized.  If on disk 
-encryption is enabled on an existing cluster, only files created after it is enabled will be encrypted 
-(root and metadata tables will not be encrypted in this case) and existing data won't be encrypted until compaction.  To configure on disk encryption, add the 
-{% plink instance.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
+To encrypt tables on disk, encryption must be enabled before an Accumulo instance is initialized. This is
+done by configuring a crypto service factory. If on disk encryption is enabled on an existing cluster, only files
+created after it is enabled will be encrypted (root and metadata tables will not be encrypted in this case) and
+existing data won't be encrypted until compaction. 
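Review bot: "existing data won't be encrypted until compaction" leaves the operator without an action; say that a full compaction of each table (and of the root and metadata tables, if they are meant to be covered) has to be triggered to rewrite the existing RFiles, and that until that compaction completes the plaintext files remain readable on disk, because the paragraph currently reads as if the cluster is protected as soon as the factory is configured.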

Review Comment:
   The root and metadata tables should be encrypted once they are compacted, assuming the user configured it this way.
   ```suggestion
   created after it is enabled will be encrypted and existing data won't be encrypted until compaction. 
   ```
   





[GitHub] [accumulo-website] dlmarion commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
dlmarion commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r981526544


##########
_docs-2/security/on-disk-encryption.md:
##########
@@ -5,23 +5,57 @@ order: 5
 ---
 
 For an additional layer of security, Accumulo can encrypt files stored on disk.  On Disk encryption was reworked 
-for 2.0, making it easier to configure and more secure.  The files that can be encrypted include: [RFiles][design] and Write Ahead Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
+for 2.0, making it easier to configure and more secure.  Starting with 2.1 On Disk Encryption can now be configured
+per table as well as for the entire instance (all tables). The files that can be encrypted include: [RFiles][design] and Write Ahead 
+Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
 
 ## Configuration
 
-To encrypt all tables on disk, encryption must be enabled before an Accumulo instance is initialized.  If on disk 
-encryption is enabled on an existing cluster, only files created after it is enabled will be encrypted 
-(root and metadata tables will not be encrypted in this case) and existing data won't be encrypted until compaction.  To configure on disk encryption, add the 
-{% plink instance.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
+To encrypt tables on disk, encryption must be enabled before an Accumulo instance is initialized. This is
+done by configuring a crypto service factory. If on disk encryption is enabled on an existing cluster, only files
+created after it is enabled will be encrypted (root and metadata tables will not be encrypted in this case) and
+existing data won't be encrypted until compaction. 
+
+### Encrypting All Tables
+
+To encrypt all tables, the generic crypto service factory can be used, `GenericCryptoServiceFactory`. This factory
+is useful for general purpose on disk encryption with no table context.
+```
+instance.crypto.opts.factory=org.apache.accumulo.core.spi.crypto.GenericCryptoServiceFactory
+```
+
+The GenericCryptoServiceFactory requires configuring a crypto service to load and this can be done by adding the
+{% plink general.custom.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
 class name of the service which will perform crypto on RFiles and WALs. 
 ```
-instance.crypto.service=org.apache.accumulo.core.security.crypto.impl.AESCryptoService
+general.custom.crypto.service=org.apache.accumulo.core.spi.crypto.AESCryptoService
 ```
+
+### Per Table Encryption
+
+To encrypt per table, the per table crypto service factory can be used, `PerTableCryptoServiceFactory`. This factory
+will load a crypto service configured by table. 
+```
+instance.crypto.opts.factory=org.apache.accumulo.core.spi.crypto.PerTableCryptoServiceFactory
+```
+
+The PerTableCryptoServiceFactory requires configuring a crypto service to load for the table RFiles and this can be done by adding the
+{% plink table.crypto.opts.service %} property to a table. Example in the accumulo shell:
+```
+createtable table1 -prop table.crypto.opts.service=org.apache.accumulo.core.spi.crypto.AESCryptoService

Review Comment:
   thx. I'm working on integrating this into the terraform configuration. I did not put this property into accumulo.properties.
   





[GitHub] [accumulo-website] cshannon commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
cshannon commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r984969177


##########
_docs-2/security/on-disk-encryption.md:
##########
@@ -5,23 +5,57 @@ order: 5
 ---
 
 For an additional layer of security, Accumulo can encrypt files stored on disk.  On Disk encryption was reworked 
-for 2.0, making it easier to configure and more secure.  The files that can be encrypted include: [RFiles][design] and Write Ahead Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
+for 2.0, making it easier to configure and more secure.  Starting with 2.1 On Disk Encryption can now be configured
+per table as well as for the entire instance (all tables). The files that can be encrypted include: [RFiles][design] and Write Ahead 
+Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
 

Review Comment:
   I'm adding some comments about this in my latest update but is there any advice we should give to people in this case? 





[GitHub] [accumulo-website] cshannon commented on pull request #342: Per table crypto documentation updates

Posted by GitBox <gi...@apache.org>.
cshannon commented on PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#issuecomment-1264430695

   I've made all the requested changes so this can be reviewed again and I can make any further updates.




[GitHub] [accumulo-website] DomGarguilo commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
DomGarguilo commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r981697278


##########
_docs-2/security/on-disk-encryption.md:
##########
@@ -5,23 +5,57 @@ order: 5
 ---
 
 For an additional layer of security, Accumulo can encrypt files stored on disk.  On Disk encryption was reworked 
-for 2.0, making it easier to configure and more secure.  The files that can be encrypted include: [RFiles][design] and Write Ahead Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
+for 2.0, making it easier to configure and more secure.  Starting with 2.1 On Disk Encryption can now be configured
+per table as well as for the entire instance (all tables). The files that can be encrypted include: [RFiles][design] and Write Ahead 
+Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
 
 ## Configuration
 
-To encrypt all tables on disk, encryption must be enabled before an Accumulo instance is initialized.  If on disk 
-encryption is enabled on an existing cluster, only files created after it is enabled will be encrypted 
-(root and metadata tables will not be encrypted in this case) and existing data won't be encrypted until compaction.  To configure on disk encryption, add the 
-{% plink instance.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
+To encrypt tables on disk, encryption must be enabled before an Accumulo instance is initialized. This is
+done by configuring a crypto service factory. If on disk encryption is enabled on an existing cluster, only files

Review Comment:
   looks like there are multiple places that could make this change





[GitHub] [accumulo-website] milleruntime commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
milleruntime commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r981148459


##########
_docs-2/security/on-disk-encryption.md:
##########
@@ -57,6 +91,13 @@ required to perform decryption. The FileDecrypter only has one method:
 ```
 For more help getting started see {% jlink org.apache.accumulo.core.security.crypto.impl.AESCryptoService %}.
 
+## Disabling Crypto
+
+Crypto can be disabled by setting the property `general.custom.crypto.enabled` to false.
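Review bot: the single sentence on `general.custom.crypto.enabled` does not say what "disabled" means for data already on disk: whether the configured services are still used to decrypt existing encrypted RFiles and WALs or those files become unreadable, and whether new files are written in plaintext from that point on. Spell that out, because a flag that silently reverts new writes to plaintext is exactly the setting an operator must understand before toggling it on a production instance.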

Review Comment:
   See my comment here: https://github.com/apache/accumulo/issues/2930#issuecomment-1249615992





[GitHub] [accumulo-website] cshannon commented on pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
cshannon commented on PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#issuecomment-1258689484

   @milleruntime and @dlmarion - I had some time tonight so I started working on the documentation updates for crypto. I still need to do some more polishing and fill in some more details but feel free to take a look and see what you think so far. The main doc changes so far should be good enough at this point to set up instance wide or per table crypto now with the new properties.




[GitHub] [accumulo-website] DomGarguilo commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
DomGarguilo commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r981696402


##########
_docs-2/security/on-disk-encryption.md:
##########
@@ -5,23 +5,57 @@ order: 5
 ---
 
 For an additional layer of security, Accumulo can encrypt files stored on disk.  On Disk encryption was reworked 
-for 2.0, making it easier to configure and more secure.  The files that can be encrypted include: [RFiles][design] and Write Ahead Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
+for 2.0, making it easier to configure and more secure.  Starting with 2.1 On Disk Encryption can now be configured
+per table as well as for the entire instance (all tables). The files that can be encrypted include: [RFiles][design] and Write Ahead 
+Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
 
 ## Configuration
 
-To encrypt all tables on disk, encryption must be enabled before an Accumulo instance is initialized.  If on disk 
-encryption is enabled on an existing cluster, only files created after it is enabled will be encrypted 
-(root and metadata tables will not be encrypted in this case) and existing data won't be encrypted until compaction.  To configure on disk encryption, add the 
-{% plink instance.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
+To encrypt tables on disk, encryption must be enabled before an Accumulo instance is initialized. This is
+done by configuring a crypto service factory. If on disk encryption is enabled on an existing cluster, only files
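
Review bot: the last two lines of this hunk pull against each other: "encryption must be enabled before an Accumulo instance is initialized" reads as a hard requirement, and the very next sentence describes enabling it on an existing cluster. State the real constraint instead, e.g. "Enable encryption before `accumulo init` if the root and metadata tables must be encrypted; on an existing cluster only files created afterwards are encrypted, and existing data is not rewritten until it is compacted." That also spells out the consequence an operator needs: until those compactions run, cleartext RFiles of the old data remain on disk.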

Review Comment:
   ```suggestion
   done by configuring a crypto service factory. If on-disk encryption is enabled on an existing cluster, only files
   ```





[GitHub] [accumulo-website] DomGarguilo commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
DomGarguilo commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r981700023


##########
_docs-2/security/on-disk-encryption.md:
##########
@@ -5,23 +5,57 @@ order: 5
 ---
 
 For an additional layer of security, Accumulo can encrypt files stored on disk.  On Disk encryption was reworked 
-for 2.0, making it easier to configure and more secure.  The files that can be encrypted include: [RFiles][design] and Write Ahead Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
+for 2.0, making it easier to configure and more secure.  Starting with 2.1 On Disk Encryption can now be configured
+per table as well as for the entire instance (all tables). The files that can be encrypted include: [RFiles][design] and Write Ahead 
+Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
 
 ## Configuration
 
-To encrypt all tables on disk, encryption must be enabled before an Accumulo instance is initialized.  If on disk 
-encryption is enabled on an existing cluster, only files created after it is enabled will be encrypted 
-(root and metadata tables will not be encrypted in this case) and existing data won't be encrypted until compaction.  To configure on disk encryption, add the 
-{% plink instance.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
+To encrypt tables on disk, encryption must be enabled before an Accumulo instance is initialized. This is
+done by configuring a crypto service factory. If on disk encryption is enabled on an existing cluster, only files
+created after it is enabled will be encrypted (root and metadata tables will not be encrypted in this case) and
+existing data won't be encrypted until compaction. 
+
+### Encrypting All Tables
+
+To encrypt all tables, the generic crypto service factory can be used, `GenericCryptoServiceFactory`. This factory
+is useful for general purpose on disk encryption with no table context.
+```
+instance.crypto.opts.factory=org.apache.accumulo.core.spi.crypto.GenericCryptoServiceFactory
+```
+
+The GenericCryptoServiceFactory requires configuring a crypto service to load and this can be done by adding the
+{% plink general.custom.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
 class name of the service which will perform crypto on RFiles and WALs. 
 ```
-instance.crypto.service=org.apache.accumulo.core.security.crypto.impl.AESCryptoService
+general.custom.crypto.service=org.apache.accumulo.core.spi.crypto.AESCryptoService
 ```
+
+### Per Table Encryption
+
+To encrypt per table, the per table crypto service factory can be used, `PerTableCryptoServiceFactory`. This factory
+will load a crypto service configured by table. 
+```
+instance.crypto.opts.factory=org.apache.accumulo.core.spi.crypto.PerTableCryptoServiceFactory
+```
+
+The PerTableCryptoServiceFactory requires configuring a crypto service to load for the table RFiles and this can be done by adding the
+{% plink table.crypto.opts.service %} property to a table. Example in the accumulo shell:
+```
+createtable table1 -prop table.crypto.opts.service=org.apache.accumulo.core.spi.crypto.AESCryptoService
+```
+The PerTableCryptoServiceFactory also requires configuring a recovery and WAL crypto service by adding the following
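
Review bot: this hunk stops mid-sentence at "by adding the following", so the property names for the recovery and WAL crypto services never appear; a reader following "Per Table Encryption" ends up with encrypted RFiles and no way to tell whether WALs are encrypted at all. Add both properties with an example value, say what happens when they are left unset, and explain in one sentence why they are separate from `table.crypto.opts.service` (a WAL holds mutations for many tables, so its service cannot come from one table's configuration).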

Review Comment:
   ```suggestion
   The `PerTableCryptoServiceFactory` also requires configuring a recovery and WAL crypto service by adding the following
   ```



##########
_docs-2/security/on-disk-encryption.md:
##########
@@ -5,23 +5,57 @@ order: 5
 ---
 
 For an additional layer of security, Accumulo can encrypt files stored on disk.  On Disk encryption was reworked 
-for 2.0, making it easier to configure and more secure.  The files that can be encrypted include: [RFiles][design] and Write Ahead Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
+for 2.0, making it easier to configure and more secure.  Starting with 2.1 On Disk Encryption can now be configured
+per table as well as for the entire instance (all tables). The files that can be encrypted include: [RFiles][design] and Write Ahead 
+Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
 
 ## Configuration
 
-To encrypt all tables on disk, encryption must be enabled before an Accumulo instance is initialized.  If on disk 
-encryption is enabled on an existing cluster, only files created after it is enabled will be encrypted 
-(root and metadata tables will not be encrypted in this case) and existing data won't be encrypted until compaction.  To configure on disk encryption, add the 
-{% plink instance.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
+To encrypt tables on disk, encryption must be enabled before an Accumulo instance is initialized. This is
+done by configuring a crypto service factory. If on disk encryption is enabled on an existing cluster, only files
+created after it is enabled will be encrypted (root and metadata tables will not be encrypted in this case) and
+existing data won't be encrypted until compaction. 
+
+### Encrypting All Tables
+
+To encrypt all tables, the generic crypto service factory can be used, `GenericCryptoServiceFactory`. This factory
+is useful for general purpose on disk encryption with no table context.
+```
+instance.crypto.opts.factory=org.apache.accumulo.core.spi.crypto.GenericCryptoServiceFactory
+```
+
+The GenericCryptoServiceFactory requires configuring a crypto service to load and this can be done by adding the
+{% plink general.custom.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
 class name of the service which will perform crypto on RFiles and WALs. 
 ```
-instance.crypto.service=org.apache.accumulo.core.security.crypto.impl.AESCryptoService
+general.custom.crypto.service=org.apache.accumulo.core.spi.crypto.AESCryptoService
 ```
+
+### Per Table Encryption
+
+To encrypt per table, the per table crypto service factory can be used, `PerTableCryptoServiceFactory`. This factory
+will load a crypto service configured by table. 
+```
+instance.crypto.opts.factory=org.apache.accumulo.core.spi.crypto.PerTableCryptoServiceFactory
+```
+
+The PerTableCryptoServiceFactory requires configuring a crypto service to load for the table RFiles and this can be done by adding the
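
Review bot: the per-table example only covers `createtable ... -prop`; the doc should also show turning encryption on for an existing table (`config -t table1 -s table.crypto.opts.service=org.apache.accumulo.core.spi.crypto.AESCryptoService` in the shell) and repeat the caveat from the Configuration paragraph at table scope: files the table already has stay unencrypted until they are compacted, so setting the property is not the same as the data being encrypted.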

Review Comment:
   ```suggestion
   The `PerTableCryptoServiceFactory` requires configuring a crypto service to load for the table RFiles and this can be done by adding the
   ```





[GitHub] [accumulo-website] cshannon commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
cshannon commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r984732397


##########
_docs-2/configuration/server-properties.md:
##########
@@ -25,6 +25,7 @@ Below are properties set in `accumulo.properties` or the Accumulo shell that con
 | <a name="general_classpaths" class="prop"></a> general.classpaths | **Deprecated.** ~~This property is deprecated since 2.0.0. The class path should instead be configured by the launch environment (for example, accumulo-env.sh). A list of all of the places to look for a class. Order does matter, as it will look for the jar starting in the first location to the last. Supports full regex on filename alone.~~<br>~~**type:** STRING~~, ~~**zk mutable:** no~~, ~~**default value:** empty~~ |
 | <a name="general_context_class_loader_factory" class="prop"></a> general.context.class.loader.factory | Name of classloader factory to be used to create classloaders for named contexts, such as per-table contexts set by `table.class.loader.context`.<br>**type:** CLASSNAME, **zk mutable:** no, **default value:** empty |
 | <a name="general_custom_prefix" class="prop"></a> **general.custom.*** | Prefix to be used for user defined system-wide properties. This may be particularly useful for system-wide configuration for various user-implementations of pluggable Accumulo features, such as the balancer or volume chooser. |
+| <a name="general_custom_crypto_service" class="prop"></a> general.custom.crypto.service | **Experimental.** The class which executes on-disk file encryption. The default does nothing. To enable encryption, replace this classname with an implementation of theorg.apache.accumulo.core.spi.crypto.CryptoService interface.<br>**type:** CLASSNAME, **zk mutable:** no, **default value:** {% jlink -f org.apache.accumulo.core.spi.crypto.NoCryptoService %} |
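
Review bot: the description on the added line is missing a space ("theorg.apache.accumulo.core.spi.crypto.CryptoService"). Since server-properties.md is generated from the Property javadoc (the comment below talks about copying the generated file), fix the text in the accumulo repository's Property enum rather than here, or the typo comes back on the next copy.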

Review Comment:
   @milleruntime - I assume I don't need to bother copying now and that we will just copy the generated file later when we are ready and things are finished from the final release?





[GitHub] [accumulo-website] milleruntime commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
milleruntime commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r982440061


##########
_docs-2/security/on-disk-encryption.md:
##########
@@ -5,23 +5,57 @@ order: 5
 ---
 
 For an additional layer of security, Accumulo can encrypt files stored on disk.  On Disk encryption was reworked 
-for 2.0, making it easier to configure and more secure.  The files that can be encrypted include: [RFiles][design] and Write Ahead Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
+for 2.0, making it easier to configure and more secure.  Starting with 2.1 On Disk Encryption can now be configured
+per table as well as for the entire instance (all tables). The files that can be encrypted include: [RFiles][design] and Write Ahead 
+Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
 
 ## Configuration
 
-To encrypt all tables on disk, encryption must be enabled before an Accumulo instance is initialized.  If on disk 
-encryption is enabled on an existing cluster, only files created after it is enabled will be encrypted 
-(root and metadata tables will not be encrypted in this case) and existing data won't be encrypted until compaction.  To configure on disk encryption, add the 
-{% plink instance.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
+To encrypt tables on disk, encryption must be enabled before an Accumulo instance is initialized. This is
+done by configuring a crypto service factory. If on disk encryption is enabled on an existing cluster, only files
+created after it is enabled will be encrypted (root and metadata tables will not be encrypted in this case) and
+existing data won't be encrypted until compaction. 
+
+### Encrypting All Tables
+
+To encrypt all tables, the generic crypto service factory can be used, `GenericCryptoServiceFactory`. This factory
+is useful for general purpose on disk encryption with no table context.
+```
+instance.crypto.opts.factory=org.apache.accumulo.core.spi.crypto.GenericCryptoServiceFactory
+```
+
+The GenericCryptoServiceFactory requires configuring a crypto service to load and this can be done by adding the
+{% plink general.custom.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
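
Review bot: this paragraph tells the reader to add `general.custom.crypto.service` to accumulo.properties, while the server-properties entry added in this same PR marks the property zk mutable: no. If that entry is right, say so here explicitly: the property has to be in accumulo.properties on every server, takes effect only after a restart, and cannot be set from the shell. The failure mode to prevent is an operator who sets it in the shell, gets no error, and assumes the instance is now encrypted. If general.custom.* is in fact settable in ZooKeeper, then the generated entry is what needs fixing; either way the two pages must agree.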

Review Comment:
   You could just tell users to set the property, since there are multiple ways to do this.
   ```suggestion
   The GenericCryptoServiceFactory requires configuring a crypto service to load and this can be done by setting the
   {% plink general.custom.crypto.service %} property.  The value of this property is the
   ```





[GitHub] [accumulo-website] cshannon commented on pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
cshannon commented on PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#issuecomment-1258692874

   I forgot to add I may have time to work on this PR a little bit more Wednesday, otherwise mostly I plan to finish it up on Friday morning this week so if you have any feedback before then that would be helpful.




[GitHub] [accumulo-website] cshannon commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
cshannon commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r981524573


##########
_docs-2/security/on-disk-encryption.md:
##########
@@ -5,23 +5,57 @@ order: 5
 ---
 
 For an additional layer of security, Accumulo can encrypt files stored on disk.  On Disk encryption was reworked 
-for 2.0, making it easier to configure and more secure.  The files that can be encrypted include: [RFiles][design] and Write Ahead Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
+for 2.0, making it easier to configure and more secure.  Starting with 2.1 On Disk Encryption can now be configured
+per table as well as for the entire instance (all tables). The files that can be encrypted include: [RFiles][design] and Write Ahead 
+Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
 
 ## Configuration
 
-To encrypt all tables on disk, encryption must be enabled before an Accumulo instance is initialized.  If on disk 
-encryption is enabled on an existing cluster, only files created after it is enabled will be encrypted 
-(root and metadata tables will not be encrypted in this case) and existing data won't be encrypted until compaction.  To configure on disk encryption, add the 
-{% plink instance.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
+To encrypt tables on disk, encryption must be enabled before an Accumulo instance is initialized. This is
+done by configuring a crypto service factory. If on disk encryption is enabled on an existing cluster, only files
+created after it is enabled will be encrypted (root and metadata tables will not be encrypted in this case) and
+existing data won't be encrypted until compaction. 
+
+### Encrypting All Tables
+
+To encrypt all tables, the generic crypto service factory can be used, `GenericCryptoServiceFactory`. This factory
+is useful for general purpose on disk encryption with no table context.
+```
+instance.crypto.opts.factory=org.apache.accumulo.core.spi.crypto.GenericCryptoServiceFactory
+```
+
+The GenericCryptoServiceFactory requires configuring a crypto service to load and this can be done by adding the
+{% plink general.custom.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
 class name of the service which will perform crypto on RFiles and WALs. 
 ```
-instance.crypto.service=org.apache.accumulo.core.security.crypto.impl.AESCryptoService
+general.custom.crypto.service=org.apache.accumulo.core.spi.crypto.AESCryptoService
 ```
+
+### Per Table Encryption
+
+To encrypt per table, the per table crypto service factory can be used, `PerTableCryptoServiceFactory`. This factory
+will load a crypto service configured by table. 
+```
+instance.crypto.opts.factory=org.apache.accumulo.core.spi.crypto.PerTableCryptoServiceFactory
+```
+
+The PerTableCryptoServiceFactory requires configuring a crypto service to load for the table RFiles and this can be done by adding the
+{% plink table.crypto.opts.service %} property to a table. Example in the accumulo shell:
+```
+createtable table1 -prop table.crypto.opts.service=org.apache.accumulo.core.spi.crypto.AESCryptoService
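
Review bot: the section never says what the per-table factory does for a table that has no `table.crypto.opts.service`, nor for the root and metadata tables, which cannot be created with `-prop`. State it plainly (presumably: no crypto service, files written in the clear) and show how to verify what a table actually uses, e.g. `config -t table1 -f crypto` in the shell. This matters more than it looks: the metadata table holds split points, i.e. user row keys, and the file names of every encrypted table, so leaving it unencrypted leaks the structure of the data the per-table setting was meant to protect.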

Review Comment:
   I haven't tried that but I would assume it would do nothing and be ignored. That property should only apply at the per table context but @milleruntime can confirm or I can test it when I get a chance to verify.





[GitHub] [accumulo-website] cshannon commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
cshannon commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r981143284


##########
_docs-2/security/on-disk-encryption.md:
##########
@@ -57,6 +91,13 @@ required to perform decryption. The FileDecrypter only has one method:
 ```
 For more help getting started see {% jlink org.apache.accumulo.core.security.crypto.impl.AESCryptoService %}.
 
+## Disabling Crypto
+
+Crypto can be disabled by setting the property `general.custom.crypto.enabled` to false.
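
Review bot: the unchanged context line above this section still links `org.apache.accumulo.core.security.crypto.impl.AESCryptoService`, while every property example added in this PR uses `org.apache.accumulo.core.spi.crypto.AESCryptoService`. The jlink was not touched in this hunk and points at the old package; update it to the spi package the examples use, in the same change.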

Review Comment:
   Good question, this was something quick that I used just to test if I could disable it last week and have things still work and this is a section that needs to be elaborated on and isn't quite finished. I will take a look tomorrow and see where it gets applied as off the top of my head I don't remember if this only works for instance wide crypto and if there is a different property for per table to disable.





[GitHub] [accumulo-website] DomGarguilo commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
DomGarguilo commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r981695562


##########
_docs-2/security/on-disk-encryption.md:
##########
@@ -5,23 +5,57 @@ order: 5
 ---
 
 For an additional layer of security, Accumulo can encrypt files stored on disk.  On Disk encryption was reworked 
-for 2.0, making it easier to configure and more secure.  The files that can be encrypted include: [RFiles][design] and Write Ahead Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
+for 2.0, making it easier to configure and more secure.  Starting with 2.1 On Disk Encryption can now be configured
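
Review bot: "On Disk encryption" and "On Disk Encryption" appear in the same sentence, and "on disk encryption" follows a few lines later in the file; pick one form, preferably the lowercase hyphenated "on-disk encryption" suggested elsewhere in this review, and use it throughout the page.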

Review Comment:
   ```suggestion
   for 2.0, making it easier to configure and more secure.  Starting with 2.1, On Disk Encryption can now be configured
   ```





[GitHub] [accumulo-website] dlmarion commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
dlmarion commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r981517484


##########
_docs-2/security/on-disk-encryption.md:
##########
@@ -5,23 +5,57 @@ order: 5
 ---
 
 For an additional layer of security, Accumulo can encrypt files stored on disk.  On Disk encryption was reworked 
-for 2.0, making it easier to configure and more secure.  The files that can be encrypted include: [RFiles][design] and Write Ahead Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
+for 2.0, making it easier to configure and more secure.  Starting with 2.1 On Disk Encryption can now be configured
+per table as well as for the entire instance (all tables). The files that can be encrypted include: [RFiles][design] and Write Ahead 
+Logs (WALs). NOTE: This feature is considered experimental. For more information, see the [notes below](#things-to-keep-in-mind).
 
 ## Configuration
 
-To encrypt all tables on disk, encryption must be enabled before an Accumulo instance is initialized.  If on disk 
-encryption is enabled on an existing cluster, only files created after it is enabled will be encrypted 
-(root and metadata tables will not be encrypted in this case) and existing data won't be encrypted until compaction.  To configure on disk encryption, add the 
-{% plink instance.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
+To encrypt tables on disk, encryption must be enabled before an Accumulo instance is initialized. This is
+done by configuring a crypto service factory. If on disk encryption is enabled on an existing cluster, only files
+created after it is enabled will be encrypted (root and metadata tables will not be encrypted in this case) and
+existing data won't be encrypted until compaction. 
+
+### Encrypting All Tables
+
+To encrypt all tables, the generic crypto service factory can be used, `GenericCryptoServiceFactory`. This factory
+is useful for general purpose on disk encryption with no table context.
+```
+instance.crypto.opts.factory=org.apache.accumulo.core.spi.crypto.GenericCryptoServiceFactory
+```
+
+The GenericCryptoServiceFactory requires configuring a crypto service to load and this can be done by adding the
+{% plink general.custom.crypto.service %} property to your `accumulo.properties` file.  The value of this property is the
 class name of the service which will perform crypto on RFiles and WALs. 
 ```
-instance.crypto.service=org.apache.accumulo.core.security.crypto.impl.AESCryptoService
+general.custom.crypto.service=org.apache.accumulo.core.spi.crypto.AESCryptoService
 ```
+
+### Per Table Encryption
+
+To encrypt per table, the per table crypto service factory can be used, `PerTableCryptoServiceFactory`. This factory
+will load a crypto service configured by table. 
+```
+instance.crypto.opts.factory=org.apache.accumulo.core.spi.crypto.PerTableCryptoServiceFactory
+```
+
+The PerTableCryptoServiceFactory requires configuring a crypto service to load for the table RFiles and this can be done by adding the
+{% plink table.crypto.opts.service %} property to a table. Example in the accumulo shell:
+```
+createtable table1 -prop table.crypto.opts.service=org.apache.accumulo.core.spi.crypto.AESCryptoService
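
Review bot: both the "Encrypting All Tables" example and this per-table example name AESCryptoService, but neither says where its key comes from, and no key property appears anywhere in the hunk. Per-table encryption only adds value if tables can be given different keys, so the doc should state the key property for the instance-wide case and for the table case, and whether a table that sets the service but no key falls back to the instance-wide key or fails to start.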

Review Comment:
   what happens if you set `table.crypto.opts.service=org.apache.accumulo.core.spi.crypto.AESCryptoService` in accumulo.properties? Are all tables encrypted then?





[GitHub] [accumulo-website] cshannon commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
cshannon commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r984753683


##########
_docs-2/configuration/server-properties.md:
##########
@@ -25,6 +25,7 @@ Below are properties set in `accumulo.properties` or the Accumulo shell that con
 | <a name="general_classpaths" class="prop"></a> general.classpaths | **Deprecated.** ~~This property is deprecated since 2.0.0. The class path should instead be configured by the launch environment (for example, accumulo-env.sh). A list of all of the places to look for a class. Order does matter, as it will look for the jar starting in the first location to the last. Supports full regex on filename alone.~~<br>~~**type:** STRING~~, ~~**zk mutable:** no~~, ~~**default value:** empty~~ |
 | <a name="general_context_class_loader_factory" class="prop"></a> general.context.class.loader.factory | Name of classloader factory to be used to create classloaders for named contexts, such as per-table contexts set by `table.class.loader.context`.<br>**type:** CLASSNAME, **zk mutable:** no, **default value:** empty |
 | <a name="general_custom_prefix" class="prop"></a> **general.custom.*** | Prefix to be used for user defined system-wide properties. This may be particularly useful for system-wide configuration for various user-implementations of pluggable Accumulo features, such as the balancer or volume chooser. |
+| <a name="general_custom_crypto_service" class="prop"></a> general.custom.crypto.service | **Experimental.** The class which executes on-disk file encryption. The default does nothing. To enable encryption, replace this classname with an implementation of theorg.apache.accumulo.core.spi.crypto.CryptoService interface.<br>**type:** CLASSNAME, **zk mutable:** no, **default value:** {% jlink -f org.apache.accumulo.core.spi.crypto.NoCryptoService %} |
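
Review bot: the description gives no hint of when this property is consulted. Per the on-disk-encryption hunk in this PR it is read only when `instance.crypto.opts.factory` is `GenericCryptoServiceFactory`; with `PerTableCryptoServiceFactory` the table RFile service comes from `table.crypto.opts.service` instead. One sentence in the description (again in the source javadoc rather than this generated table) would stop a reader who finds this entry on its own from setting it and assuming encryption is on.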

Review Comment:
   Sounds good, marking this as resolved.





[GitHub] [accumulo-website] dlmarion commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
dlmarion commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r982483631


##########
_docs-2/security/on-disk-encryption.md:
##########
@@ -57,6 +91,13 @@ required to perform decryption. The FileDecrypter only has one method:
 ```
 For more help getting started see {% jlink org.apache.accumulo.core.security.crypto.impl.AESCryptoService %}.
 
+## Disabling Crypto
+
+Crypto can be disabled by setting the property `general.custom.crypto.enabled` to false.
+```
+general.custom.crypto.enabled=false
+```
+
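
Review bot: "disabled" needs defining before this section ships. Say whether files that are already encrypted remain readable once `general.custom.crypto.enabled=false` is set, i.e. whether the configured service is still loaded for decryption and only new writes become cleartext; if not, flipping this on an instance that already has encrypted RFiles or WALs makes that data unreadable, and the section should carry that warning rather than a one-line example.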

Review Comment:
   We need to add a note / warning here. When utilities are run that do *not* connect to ZK (like `accumulo rfile-info`), the encryption properties need to be passed to the utility. In the case of `rfile-info`, you can copy `accumulo.properties`, add the encryption parameters, and run `rfile-info` with the `-p` argument.



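Added example, not part of this PR, the Accumulo website, or the Accumulo code base: a Python check that applies the configuration rules from the on-disk-encryption.md hunks in this thread (which factory `instance.crypto.opts.factory` selects, which service property each factory reads, NoCryptoService as the "does nothing" default from the server-properties entry, `general.custom.crypto.enabled` as the draft presents it) and renders the properties file that dlmarion's note says a utility that does not connect to ZooKeeper, such as `accumulo rfile-info -p <file>`, needs in order to read encrypted RFiles. The per-table WAL and recovery property names are not on this page, so they are not checked, and the key-location property for AESCryptoService is left as a comment for the same reason. The sample accumulo.properties is constructed.

```python
"""Sanity checks for an Accumulo 2.1 on-disk encryption configuration.

Added example; not code from the Accumulo website or code base. Rules are
those stated in the draft on-disk-encryption.md: the factory named by
instance.crypto.opts.factory decides where the crypto service comes from
(general.custom.crypto.service for the generic factory,
table.crypto.opts.service per table for the per-table factory), and
NoCryptoService is the "does nothing" default. The per-table WAL/recovery
properties are not checked because their names are not on this page.
"""
import re
from typing import Dict, List, Optional

SPI = "org.apache.accumulo.core.spi.crypto."
GENERIC_FACTORY = SPI + "GenericCryptoServiceFactory"
PER_TABLE_FACTORY = SPI + "PerTableCryptoServiceFactory"
AES_SERVICE = SPI + "AESCryptoService"
NO_CRYPTO = SPI + "NoCryptoService"
FACTORY_PROP = "instance.crypto.opts.factory"
GENERIC_SERVICE_PROP = "general.custom.crypto.service"
TABLE_SERVICE_PROP = "table.crypto.opts.service"
ENABLED_PROP = "general.custom.crypto.enabled"  # from the draft's "Disabling Crypto"

# key, then '=' or ':' or whitespace, then the value
_KV = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse java.util.Properties syntax as accumulo.properties uses it:
    '#'/'!' comment lines, '=' ':' or blank as separator, trailing backslash
    as line continuation. A repeated key keeps the last value."""
    props: Dict[str, str] = {}
    pending, continuing = "", False
    for raw in text.splitlines():
        line = raw.strip()
        if not continuing and (not line or line[0] in "#!"):
            continue
        continuing = line.endswith("\\")
        pending += line[:-1] if continuing else line
        if continuing:
            continue
        m = _KV.match(pending)
        pending = ""
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def lint_crypto_config(props: Dict[str, str],
                       table_props: Optional[Dict[str, Dict[str, str]]] = None) -> List[str]:
    """Return findings that mean data is, or may be, written in the clear.
    props: parsed accumulo.properties. table_props: table name -> that table's
    table.* properties, i.e. what `config -t <table>` prints in the shell."""
    findings: List[str] = []
    tables = table_props or {}
    if props.get(ENABLED_PROP, "true").strip().lower() == "false":
        findings.append(f"{ENABLED_PROP}=false: new RFiles and WALs are written unencrypted")
    factory = props.get(FACTORY_PROP, "")
    if not factory:
        findings.append(f"{FACTORY_PROP} not set: no crypto service factory, nothing is encrypted")
        return findings
    if factory == GENERIC_FACTORY:
        if props.get(GENERIC_SERVICE_PROP, NO_CRYPTO) == NO_CRYPTO:
            findings.append(f"{GENERIC_SERVICE_PROP} is NoCryptoService: the generic factory "
                            "will encrypt nothing")
        if TABLE_SERVICE_PROP in props or any(TABLE_SERVICE_PROP in tp for tp in tables.values()):
            findings.append(f"{TABLE_SERVICE_PROP} is set, but the generic factory has no "
                            "table context; confirm it is not silently ignored")
    elif factory == PER_TABLE_FACTORY:
        for name, tp in tables.items():
            if tp.get(TABLE_SERVICE_PROP, NO_CRYPTO) == NO_CRYPTO:
                findings.append(f"table {name}: {TABLE_SERVICE_PROP} not set, no crypto "
                                "service applies to its RFiles")
    else:
        findings.append(f"{FACTORY_PROP}={factory}: not a factory the docs describe, check the class name")
    return findings


def utility_props(cluster_props: Dict[str, str], crypto_props: Dict[str, str]) -> str:
    """Render the properties file for a utility that does not connect to
    ZooKeeper (the `accumulo rfile-info -p <file>` case from the review): the
    cluster's accumulo.properties with the crypto properties overriding.
    Values are written verbatim, which is fine for class names and POSIX paths."""
    merged = dict(cluster_props)
    merged.update(crypto_props)
    return "".join(f"{k}={v}\n" for k, v in merged.items())


# Constructed sample, not from a real cluster: the generic factory is selected
# but the service is left at the NoCryptoService default, so nothing is encrypted.
SAMPLE_PROPERTIES = """\
# constructed accumulo.properties
instance.volumes=hdfs://localhost:8020/accumulo
instance.crypto.opts.factory=\\
    org.apache.accumulo.core.spi.crypto.GenericCryptoServiceFactory
general.custom.crypto.service : org.apache.accumulo.core.spi.crypto.NoCryptoService
"""

if __name__ == "__main__":
    parsed = parse_properties(SAMPLE_PROPERTIES)
    for finding in lint_crypto_config(parsed):
        print("FINDING:", finding)
    # Fixed service, rendered for `accumulo rfile-info -p <file> <rfile>`.
    # AESCryptoService also needs its key-location property, whose name is
    # not shown on this page; add it to this dict on a real deployment.
    print(utility_props(parsed, {GENERIC_SERVICE_PROP: AES_SERVICE}), end="")
```

Run it against each server's accumulo.properties before starting the instance; with the per-table factory, feed it the `config -t <table>` output of every table, since a table that never set `table.crypto.opts.service` is exactly the one that gets written in the clear without any error.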


[GitHub] [accumulo-website] dlmarion commented on a diff in pull request #342: Per table crypto - work in progress

Posted by GitBox <gi...@apache.org>.
dlmarion commented on code in PR #342:
URL: https://github.com/apache/accumulo-website/pull/342#discussion_r981126486


##########
_docs-2/security/on-disk-encryption.md:
##########
@@ -57,6 +91,13 @@ required to perform decryption. The FileDecrypter only has one method:
 ```
 For more help getting started see {% jlink org.apache.accumulo.core.security.crypto.impl.AESCryptoService %}.
 
+## Disabling Crypto
+
+Crypto can be disabled by setting the property `general.custom.crypto.enabled` to false.
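
Review bot: `general.custom.crypto.enabled` is the one property in this file shown without a `{% plink %}` reference, and the server-properties hunk quoted in this thread adds only `general.custom.crypto.service`. If it is a real property it needs an entry there with its type and zk mutability, and this section should say which scope it applies to (the whole instance, or also table scope under `PerTableCryptoServiceFactory`).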

Review Comment:
   Does this disable for the entire instance? Is there a way to disable for a table when using the PerTableCryptoServiceFactory?


