org.apache.hadoop.crypto.key

Class KeyProviderCryptoExtension.EncryptedKeyVersion

java.lang.Object

org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion

Direct Known Subclasses:

KMSClientProvider.KMSEncryptedKeyVersion

Enclosing class:

org.apache.hadoop.crypto.key.KeyProviderCryptoExtension

public static class KeyProviderCryptoExtension.EncryptedKeyVersion
extends Object

An encrypted encryption key (EEK) and related information. An EEK must be decrypted using the key's encryption key before it can be used.

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	KeyProviderCryptoExtension.EncryptedKeyVersion(String keyName, String encryptionKeyVersionName, byte[] encryptedKeyIv, KeyProvider.KeyVersion encryptedKeyVersion) Create a new EncryptedKeyVersion.

Method Summary

Methods

Modifier and Type	Method and Description
static KeyProviderCryptoExtension.EncryptedKeyVersion	createForDecryption(String keyName, String encryptionKeyVersionName, byte[] encryptedKeyIv, byte[] encryptedKeyMaterial) Factory method to create a new EncryptedKeyVersion that can then be passed into KeyProviderCryptoExtension.decryptEncryptedKey(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion).
protected static byte[]	deriveIV(byte[] encryptedKeyIV) Derive the initialization vector (IV) for the encryption key from the IV of the encrypted key.
byte[]	getEncryptedKeyIv()
KeyProvider.KeyVersion	getEncryptedKeyVersion()
String	getEncryptionKeyName()
String	getEncryptionKeyVersionName()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

KeyProviderCryptoExtension.EncryptedKeyVersion

protected KeyProviderCryptoExtension.EncryptedKeyVersion(String keyName,
                                              String encryptionKeyVersionName,
                                              byte[] encryptedKeyIv,
                                              KeyProvider.KeyVersion encryptedKeyVersion)

Create a new EncryptedKeyVersion.

Parameters:

keyName - Name of the encryption key used to encrypt the encrypted key.

encryptionKeyVersionName - Version name of the encryption key used to encrypt the encrypted key.

encryptedKeyIv - Initialization vector of the encrypted key. The IV of the encryption key used to encrypt the encrypted key is derived from this IV.

encryptedKeyVersion - The encrypted encryption key version.

Method Detail

createForDecryption

public static KeyProviderCryptoExtension.EncryptedKeyVersion createForDecryption(String keyName,
                                                                 String encryptionKeyVersionName,
                                                                 byte[] encryptedKeyIv,
                                                                 byte[] encryptedKeyMaterial)

Factory method to create a new EncryptedKeyVersion that can then be passed into KeyProviderCryptoExtension.decryptEncryptedKey(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion). Note that the fields of the returned EncryptedKeyVersion will only partially be populated; it is not necessarily suitable for operations besides decryption.

Parameters:

keyName - Key name of the encryption key use to encrypt the encrypted key.

encryptionKeyVersionName - Version name of the encryption key used to encrypt the encrypted key.

encryptedKeyIv - Initialization vector of the encrypted key. The IV of the encryption key used to encrypt the encrypted key is derived from this IV.

encryptedKeyMaterial - Key material of the encrypted key.

Returns:

EncryptedKeyVersion suitable for decryption.

getEncryptionKeyName

public String getEncryptionKeyName()

Returns:

Name of the encryption key used to encrypt the encrypted key.

getEncryptionKeyVersionName

public String getEncryptionKeyVersionName()

Returns:

Version name of the encryption key used to encrypt the encrypted key.

getEncryptedKeyIv

public byte[] getEncryptedKeyIv()

Returns:

Initialization vector of the encrypted key. The IV of the encryption key used to encrypt the encrypted key is derived from this IV.

getEncryptedKeyVersion

public KeyProvider.KeyVersion getEncryptedKeyVersion()

Returns:

The encrypted encryption key version.

deriveIV

protected static byte[] deriveIV(byte[] encryptedKeyIV)

Derive the initialization vector (IV) for the encryption key from the IV of the encrypted key. This derived IV is used with the encryption key to decrypt the encrypted key.

The alternative to this is using the same IV for both the encryption key and the encrypted key. Even a simple symmetric transformation like this improves security by avoiding IV re-use. IVs will also be fairly unique among different EEKs.

Parameters:

encryptedKeyIV - of the encrypted key (i.e. getEncryptedKeyIv())

Returns:

IV for the encryption key