Package org.apache.hadoop.crypto.key

Class KeyProviderCryptoExtension.EncryptedKeyVersion

java.lang.Object
org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion
Direct Known Subclasses:
KMSClientProvider.KMSEncryptedKeyVersion
Enclosing class:
KeyProviderCryptoExtension
public static class KeyProviderCryptoExtension.EncryptedKeyVersion extends Object
An encrypted encryption key (EEK) and related information. An EEK must be decrypted using the key's encryption key before it can be used.

  • Constructor Details

    • EncryptedKeyVersion

      protected EncryptedKeyVersion(String keyName, String encryptionKeyVersionName, byte[] encryptedKeyIv, KeyProvider.KeyVersion encryptedKeyVersion)
      Create a new EncryptedKeyVersion.
      Parameters:
      keyName - Name of the encryption key used to encrypt the encrypted key.
      encryptionKeyVersionName - Version name of the encryption key used to encrypt the encrypted key.
      encryptedKeyIv - Initialization vector of the encrypted key. The IV of the encryption key used to encrypt the encrypted key is derived from this IV.
      encryptedKeyVersion - The encrypted encryption key version.

  • Method Details

    • createForDecryption

      public static KeyProviderCryptoExtension.EncryptedKeyVersion createForDecryption(String keyName, String encryptionKeyVersionName, byte[] encryptedKeyIv, byte[] encryptedKeyMaterial)
      Factory method to create a new EncryptedKeyVersion that can then be passed into KeyProviderCryptoExtension.decryptEncryptedKey(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion). Note that the fields of the returned EncryptedKeyVersion will only partially be populated; it is not necessarily suitable for operations besides decryption.
      Parameters:
      keyName - Key name of the encryption key use to encrypt the encrypted key.
      encryptionKeyVersionName - Version name of the encryption key used to encrypt the encrypted key.
      encryptedKeyIv - Initialization vector of the encrypted key. The IV of the encryption key used to encrypt the encrypted key is derived from this IV.
      encryptedKeyMaterial - Key material of the encrypted key.
      Returns:
      EncryptedKeyVersion suitable for decryption.

    • getEncryptionKeyName

      public String getEncryptionKeyName()
      Returns:
      Name of the encryption key used to encrypt the encrypted key.

    • getEncryptionKeyVersionName

      public String getEncryptionKeyVersionName()
      Returns:
      Version name of the encryption key used to encrypt the encrypted key.

    • getEncryptedKeyIv

      public byte[] getEncryptedKeyIv()
      Returns:
      Initialization vector of the encrypted key. The IV of the encryption key used to encrypt the encrypted key is derived from this IV.

    • getEncryptedKeyVersion

      public KeyProvider.KeyVersion getEncryptedKeyVersion()
      Returns:
      The encrypted encryption key version.

    • deriveIV

      protected static byte[] deriveIV(byte[] encryptedKeyIV)
      Derive the initialization vector (IV) for the encryption key from the IV of the encrypted key. This derived IV is used with the encryption key to decrypt the encrypted key.

      The alternative to this is using the same IV for both the encryption key and the encrypted key. Even a simple symmetric transformation like this improves security by avoiding IV re-use. IVs will also be fairly unique among different EEKs.

      Parameters:
      encryptedKeyIV - of the encrypted key (i.e. getEncryptedKeyIv())
      Returns:
      IV for the encryption key