Class KeyProviderCryptoExtension

All Implemented Interfaces:
Closeable, AutoCloseable

@Private public class KeyProviderCryptoExtension extends KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>
A KeyProvider with Cryptographic Extensions specifically for generating and decrypting encrypted encryption keys.
  • Method Details

    • warmUpEncryptedKeys

      public void warmUpEncryptedKeys(String... keyNames) throws IOException
      Notifies the underlying CryptoExtension implementation to warm up any implementation-specific caches for the specified keys.
      Parameters:
      keyNames - Array of key names.
      Throws:
      IOException - raised on errors performing I/O.
    • generateEncryptedKey

      public KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName) throws IOException, GeneralSecurityException
      Generates key material and encrypts it using the given key version name and initialization vector. The generated key material is of the same length as the KeyVersion material and is encrypted using the same cipher.

      NOTE: The generated key is not stored by the KeyProvider

      Parameters:
      encryptionKeyName - Name of the encryption key; its latest KeyVersion is used to encrypt the generated key material.
      Returns:
      EncryptedKeyVersion with the generated key material, the version name is 'EEK' (for Encrypted Encryption Key)
      Throws:
      IOException - thrown if the key material could not be generated
      GeneralSecurityException - thrown if the key material could not be encrypted because of a cryptographic issue.
    • decryptEncryptedKey

      public KeyProvider.KeyVersion decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKey) throws IOException, GeneralSecurityException
      Decrypts an encrypted byte[] key material using the given key version name and initialization vector.
      Parameters:
      encryptedKey - contains keyVersionName and IV to decrypt the encrypted key material
      Returns:
      a KeyVersion with the decrypted key material, the version name is 'EK' (For Encryption Key)
      Throws:
      IOException - thrown if the key material could not be decrypted
      GeneralSecurityException - thrown if the key material could not be decrypted because of a cryptographic issue.
    • reencryptEncryptedKey

      public KeyProviderCryptoExtension.EncryptedKeyVersion reencryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion ekv) throws IOException, GeneralSecurityException
      Re-encrypts an encrypted key version, using its initialization vector and key material, but with the latest key version name of its key name in the key provider.

      If the latest key version name in the provider is the same as the one that encrypted the passed-in encrypted key version, the same encrypted key version is returned.

      NOTE: The generated key is not stored by the KeyProvider

      Parameters:
      ekv - The EncryptedKeyVersion containing keyVersionName and IV.
      Returns:
      The re-encrypted EncryptedKeyVersion.
      Throws:
      IOException - If the key material could not be re-encrypted
      GeneralSecurityException - If the key material could not be re-encrypted because of a cryptographic issue.
    • drain

      public void drain(String keyName)
      Parameters:
      keyName - key name.
    • reencryptEncryptedKeys

      public void reencryptEncryptedKeys(List<KeyProviderCryptoExtension.EncryptedKeyVersion> ekvs) throws IOException, GeneralSecurityException
      Batched version of reencryptEncryptedKey(EncryptedKeyVersion).

      For each encrypted key version, re-encrypts it using its initialization vector and key material, but with the latest key version name of its key name. If the latest key version name in the provider is the same as the one that encrypted the passed-in encrypted key version, the same encrypted key version is returned.

      NOTE: The generated key is not stored by the KeyProvider

      Parameters:
      ekvs - List containing the EncryptedKeyVersions to re-encrypt.
      Throws:
      IOException - If any EncryptedKeyVersion could not be re-encrypted
      GeneralSecurityException - If any EncryptedKeyVersion could not be re-encrypted because of a cryptographic issue.
    • createKeyProviderCryptoExtension

      public static KeyProviderCryptoExtension createKeyProviderCryptoExtension(KeyProvider keyProvider)
      Creates a KeyProviderCryptoExtension using a given KeyProvider.

      If the given KeyProvider itself implements the KeyProviderCryptoExtension.CryptoExtension interface, the KeyProvider provides the extension functionality. If the given KeyProvider implements the KeyProviderExtension interface and the KeyProvider it extends implements KeyProviderCryptoExtension.CryptoExtension, the extended KeyProvider provides the extension functionality. Otherwise, a default extension implementation is used.

      Parameters:
      keyProvider - KeyProvider to use to create the KeyProviderCryptoExtension extension.
      Returns:
      a KeyProviderCryptoExtension instance using the given KeyProvider.
    • close

      public void close() throws IOException
      Description copied from class: KeyProvider
      Can be used by implementing classes to close any resources that require closing.
      Specified by:
      close in interface AutoCloseable
      Specified by:
      close in interface Closeable
      Overrides:
      close in class KeyProvider
      Throws:
      IOException
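The envelope-encryption lifecycle these methods implement (generate an EEK, decrypt it to a DEK, roll the master key, re-encrypt the stored EEK), as an added example that is not part of the Hadoop documentation or code base; the jceks provider URI and the key name are assumptions, and the keystore password is taken from the provider's defaults.

```java
import java.io.IOException;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.util.Arrays;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
import org.apache.hadoop.crypto.key.KeyProviderFactory;

public class EekRolloverDemo {
  // Assumed values: a local jceks-backed provider and a zone key name.
  static final String PROVIDER_URI = "jceks://file/tmp/eek-demo.jceks";
  static final String ZONE_KEY = "demo-zone-key";

  public static void main(String[] args) throws IOException, GeneralSecurityException {
    Configuration conf = new Configuration();
    try (KeyProvider base = KeyProviderFactory.get(URI.create(PROVIDER_URI), conf)) {
      // Wrap the plain provider; a jceks store does not implement CryptoExtension,
      // so the default extension does the wrapping/unwrapping locally.
      KeyProviderCryptoExtension kp =
          KeyProviderCryptoExtension.createKeyProviderCryptoExtension(base);

      if (kp.getMetadata(ZONE_KEY) == null) {
        KeyProvider.Options opts = new KeyProvider.Options(conf);
        opts.setCipher("AES/CTR/NoPadding");
        opts.setBitLength(128);
        kp.createKey(ZONE_KEY, opts);   // master key material never leaves the provider
        kp.flush();
      }
      kp.warmUpEncryptedKeys(ZONE_KEY);

      // EEK: only ciphertext, IV and the master key version name get persisted.
      EncryptedKeyVersion eek = kp.generateEncryptedKey(ZONE_KEY);
      KeyVersion dek = kp.decryptEncryptedKey(eek);   // version name 'EK'

      // Roll the master key, then re-wrap the stored EEK under the new version.
      kp.rollNewVersion(ZONE_KEY);
      kp.flush();
      EncryptedKeyVersion rolled = kp.reencryptEncryptedKey(eek);
      KeyVersion dek2 = kp.decryptEncryptedKey(rolled);

      // Same DEK, different wrapping key version: data need not be re-encrypted.
      if (!Arrays.equals(dek.getMaterial(), dek2.getMaterial())) throw new AssertionError();
      if (eek.getEncryptionKeyVersionName().equals(rolled.getEncryptionKeyVersionName()))
        throw new AssertionError("EEK was not re-wrapped");
      Arrays.fill(dek.getMaterial(), (byte) 0);   // scrub plaintext DEKs when done
      Arrays.fill(dek2.getMaterial(), (byte) 0);
    }
  }
}
```

Calling reencryptEncryptedKey on an EEK whose wrapping version is already the latest returns the same object, so a rollover job can skip unchanged entries by comparing getEncryptionKeyVersionName() before and after.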