hbase

History

Mate Szalay-Beko 9fe62c3ec6 HBASE-25181 Add options for disabling column family encryption and choosing hash algorithm for wrapped encryption keys. Prior to this patch hbase always used the MD5 hash algorithm to store a hash for encryption keys. This hash is needed to verify the secret key of the subject. (e.g. making sure that the same secrey key is used during encrypted HFile read and write). The MD5 algorithm is considered weak, and can not be used in some (e.g. FIPS compliant) clusters. In this patch we: - add a config parameter to globally enable/disable column family encryption (def enabled) - introduce a backward compatible way of specifying the hash algorithm. This enable us to use newer and more secure hash algorithms like SHA-384 or SHA-512 (which are FIPS compliant). - add a config parameter to fail if an hfile is encountered that uses a different hash algorithm than the one currently configured to ease validation after migrating key hash algorithms (def disabled) Closes #2539 Signed-off-by: Sean Busbey <busbey@apache.org> Signed-off-by: Esteban Gutierrez <esteban@apache.org> (cherry picked from commit `6a5c928539`)	2020-11-09 14:15:22 -06:00
..
src	HBASE-25181 Add options for disabling column family encryption and choosing hash algorithm for wrapped encryption keys.	2020-11-09 14:15:22 -06:00
pom.xml	HBASE-24309 Avoid introducing log4j and slf4j-log4j dependencies for … (#1697 )	2020-05-13 17:59:21 +08:00

HBASE-25181 Add options for disabling column family encryption and choosing hash algorithm for wrapped encryption keys.

Prior to this patch hbase always used the MD5 hash algorithm to store a hash for encryption keys.
This hash is needed to verify the secret key of the subject. (e.g. making
sure that the same secrey key is used during encrypted HFile read and write).
The MD5 algorithm is considered weak, and can not be used in some
(e.g. FIPS compliant) clusters.

In this patch we:
- add a config parameter to globally enable/disable column family encryption (def enabled)
- introduce a backward compatible way of specifying the hash algorithm.
  This enable us to use newer and more secure hash algorithms like SHA-384
  or SHA-512 (which are FIPS compliant).
- add a config parameter to fail if an hfile is encountered that uses a
  different hash algorithm than the one currently configured to ease validation after
  migrating key hash algorithms (def disabled)

Closes #2539

Signed-off-by: Sean Busbey <busbey@apache.org>
Signed-off-by: Esteban Gutierrez <esteban@apache.org>
(cherry picked from commit 6a5c928539)

2020-11-09 14:15:22 -06:00

src HBASE-25181 Add options for disabling column family encryption and choosing hash algorithm for wrapped encryption keys. 2020-11-09 14:15:22 -06:00

pom.xml HBASE-24309 Avoid introducing log4j and slf4j-log4j dependencies for … (#1697 ) 2020-05-13 17:59:21 +08:00