Interface KeyProviderCryptoExtension.CryptoExtension

All Superinterfaces:
KeyProviderExtension.Extension
All Known Implementing Classes:
KMSClientProvider, LoadBalancingKMSClientProvider
Enclosing class:
KeyProviderCryptoExtension

public static interface KeyProviderCryptoExtension.CryptoExtension extends KeyProviderExtension.Extension
CryptoExtension is a type of Extension that exposes methods to generate EncryptedKeys and to decrypt the same.
  • Method Details

    • warmUpEncryptedKeys

      void warmUpEncryptedKeys(String... keyNames) throws IOException
      Calls to this method allow the underlying KeyProvider to warm up any implementation-specific caches used to store the Encrypted Keys.
      Parameters:
      keyNames - Array of Key Names
      Throws:
      IOException - thrown if the key material could not be encrypted.
    • drain

      void drain(String keyName)
      Drains the Queue for the provided key.
      Parameters:
      keyName - the key to drain the Queue for
    • generateEncryptedKey

      EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName) throws IOException, GeneralSecurityException
      Generates key material and encrypts it using the given key name. The generated key material is of the same length as the KeyVersion material of the latest version of that key and is encrypted using the same cipher.

      NOTE: The generated key is not stored by the KeyProvider

      Parameters:
      encryptionKeyName - name of the key whose latest KeyVersion will be used to encrypt the generated material.
      Returns:
      EncryptedKeyVersion with the generated key material, the version name is 'EEK' (for Encrypted Encryption Key)
      Throws:
      IOException - thrown if the key material could not be generated
      GeneralSecurityException - thrown if the key material could not be encrypted because of a cryptographic issue.
    • decryptEncryptedKey

      KeyVersion decryptEncryptedKey(EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException
      Decrypts encrypted byte[] key material using the given key version name and initialization vector.
      Parameters:
      encryptedKeyVersion - contains keyVersionName and IV to decrypt the encrypted key material
      Returns:
      a KeyVersion with the decrypted key material, the version name is 'EK' (For Encryption Key)
      Throws:
      IOException - thrown if the key material could not be decrypted
      GeneralSecurityException - thrown if the key material could not be decrypted because of a cryptographic issue.
    • reencryptEncryptedKey

      EncryptedKeyVersion reencryptEncryptedKey(EncryptedKeyVersion ekv) throws IOException, GeneralSecurityException
      Re-encrypts an encrypted key version, using its initialization vector and key material, but with the latest key version name of its key name in the key provider.

      If the latest key version name in the provider is the same as the one that encrypted the passed-in encrypted key version, the same encrypted key version is returned.

      NOTE: The generated key is not stored by the KeyProvider

      Parameters:
      ekv - The EncryptedKeyVersion containing keyVersionName and IV.
      Returns:
      The re-encrypted EncryptedKeyVersion.
      Throws:
      IOException - If the key material could not be re-encrypted.
      GeneralSecurityException - If the key material could not be re-encrypted because of a cryptographic issue.
    • reencryptEncryptedKeys

      void reencryptEncryptedKeys(List<EncryptedKeyVersion> ekvs) throws IOException, GeneralSecurityException
      Batched version of reencryptEncryptedKey(EncryptedKeyVersion).

      For each encrypted key version, re-encrypts it using its initialization vector and key material, but with the latest key version name of its key name. If the latest key version name in the provider is the same as the one that encrypted the passed-in encrypted key version, the same encrypted key version is returned.

      NOTE: The generated key is not stored by the KeyProvider

      Parameters:
      ekvs - List containing the EncryptedKeyVersions to re-encrypt
      Throws:
      IOException - If any EncryptedKeyVersion could not be re-encrypted
      GeneralSecurityException - If any EncryptedKeyVersion could not be re-encrypted because of a cryptographic issue.
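The full EEK life cycle across the methods above, as an added example that is not part of this Javadoc or of Hadoop itself; it assumes a KMS reachable at the placeholder URI shown and an existing key named ezkey:

```java
import java.net.URI;
import java.util.Arrays;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
import org.apache.hadoop.crypto.key.KeyProviderFactory;

public class EekLifecycle {
  public static void main(String[] args) throws Exception {
    // Assumption: a KMS at this URI (placeholder host) with an existing key "ezkey".
    KeyProvider kp = KeyProviderFactory.get(
        new URI("kms://http@kms.example.internal:9600/kms"), new Configuration());
    KeyProviderCryptoExtension kpce =
        KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
    kpce.warmUpEncryptedKeys("ezkey"); // let the client pre-fill its EEK cache

    // 1. Generate a data key; only its wrapped (EEK) form ever leaves the KMS.
    EncryptedKeyVersion eek = kpce.generateEncryptedKey("ezkey");
    // The KMS does not store it, so persist these four fields beside the data.
    String keyName = eek.getEncryptionKeyName();
    String keyVersionName = eek.getEncryptionKeyVersionName();
    byte[] iv = eek.getEncryptedKeyIv();
    byte[] wrapped = eek.getEncryptedKeyVersion().getMaterial();

    // 2. Later: rebuild the EEK from the persisted fields and unwrap it to an EK.
    EncryptedKeyVersion stored =
        EncryptedKeyVersion.createForDecryption(keyName, keyVersionName, iv, wrapped);
    KeyVersion ek = kpce.decryptEncryptedKey(stored);
    byte[] dek = ek.getMaterial(); // plaintext data key: use it, then zero it

    // 3. Re-wrap under the latest version of "ezkey". If the key has not been
    //    rolled since step 1, the same EEK comes back; otherwise only the wrapper
    //    changes, so the unwrapped data key must be byte-for-byte identical.
    EncryptedKeyVersion rewrapped = kpce.reencryptEncryptedKey(stored);
    boolean rolled = !rewrapped.getEncryptionKeyVersionName().equals(keyVersionName);
    byte[] dekAfter = kpce.decryptEncryptedKey(rewrapped).getMaterial();
    if (!Arrays.equals(dek, dekAfter)) {
      throw new IllegalStateException("re-encryption changed the data key");
    }
    Arrays.fill(dek, (byte) 0);
    Arrays.fill(dekAfter, (byte) 0);
    System.out.println(rolled
        ? "EEK re-wrapped under " + rewrapped.getEncryptionKeyVersionName()
        : "key not rolled; EEK unchanged");
    kpce.close();
  }
}
```

Only the wrapped material, IV and key version name need to be persisted; the plaintext EK is recoverable from the KMS at any time and should never be written alongside the data.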