org.apache.hadoop.crypto.key

Interface KeyProviderCryptoExtension.CryptoExtension

All Superinterfaces:

KeyProviderExtension.Extension

All Known Implementing Classes:

LoadBalancingKMSClientProvider

Enclosing class:

org.apache.hadoop.crypto.key.KeyProviderCryptoExtension

public static interface KeyProviderCryptoExtension.CryptoExtension
extends KeyProviderExtension.Extension

CryptoExtension is a type of Extension that exposes methods to generate EncryptedKeys and to decrypt the same.

Method Summary

Modifier and Type	Method and Description
KeyProvider.KeyVersion	decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) Decrypts an encrypted byte[] key material using the given key version name and initialization vector.
void	drain(String keyName) Drains the Queue for the provided key.
KeyProviderCryptoExtension.EncryptedKeyVersion	generateEncryptedKey(String encryptionKeyName) Generates a key material and encrypts it using the given key name.
KeyProviderCryptoExtension.EncryptedKeyVersion	reencryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion ekv) Re-encrypts an encrypted key version, using its initialization vector and key material, but with the latest key version name of its key name in the key provider.
void	reencryptEncryptedKeys(List<KeyProviderCryptoExtension.EncryptedKeyVersion> ekvs) Batched version of KeyProviderCryptoExtension.reencryptEncryptedKey(EncryptedKeyVersion).
void	warmUpEncryptedKeys(String... keyNames) Calls to this method allows the underlying KeyProvider to warm-up any implementation specific caches used to store the Encrypted Keys.

Method Detail

warmUpEncryptedKeys

void warmUpEncryptedKeys(String... keyNames)
                  throws IOException

Calls to this method allows the underlying KeyProvider to warm-up any implementation specific caches used to store the Encrypted Keys.

Parameters:

keyNames - Array of Key Names

Throws:

IOException

drain

void drain(String keyName)

Drains the Queue for the provided key.

Parameters:

keyName - the key to drain the Queue for

generateEncryptedKey

KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName)
                                                             throws IOException,
                                                                    GeneralSecurityException

Generates a key material and encrypts it using the given key name. The generated key material is of the same length as the KeyVersion material of the latest key version of the key and is encrypted using the same cipher.

NOTE: The generated key is not stored by the KeyProvider

Parameters:

encryptionKeyName - The latest KeyVersion of this key's material will be encrypted.

Returns:

EncryptedKeyVersion with the generated key material, the version name is 'EEK' (for Encrypted Encryption Key)

Throws:

IOException - thrown if the key material could not be generated

GeneralSecurityException - thrown if the key material could not be encrypted because of a cryptographic issue.

decryptEncryptedKey

KeyProvider.KeyVersion decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion)
                                    throws IOException,
                                           GeneralSecurityException

Decrypts an encrypted byte[] key material using the given key version name and initialization vector.

Parameters:

encryptedKeyVersion - contains keyVersionName and IV to decrypt the encrypted key material

Returns:

a KeyVersion with the decrypted key material, the version name is 'EK' (For Encryption Key)

Throws:

IOException - thrown if the key material could not be decrypted

GeneralSecurityException - thrown if the key material could not be decrypted because of a cryptographic issue.

reencryptEncryptedKey

KeyProviderCryptoExtension.EncryptedKeyVersion reencryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion ekv)
                                                              throws IOException,
                                                                     GeneralSecurityException

Re-encrypts an encrypted key version, using its initialization vector and key material, but with the latest key version name of its key name in the key provider.

If the latest key version name in the provider is the same as the one encrypted the passed-in encrypted key version, the same encrypted key version is returned.

NOTE: The generated key is not stored by the KeyProvider

Parameters:

ekv - The EncryptedKeyVersion containing keyVersionName and IV.

Returns:

The re-encrypted EncryptedKeyVersion.

Throws:

IOException - If the key material could not be re-encrypted.

GeneralSecurityException - If the key material could not be re-encrypted because of a cryptographic issue.

reencryptEncryptedKeys

void reencryptEncryptedKeys(List<KeyProviderCryptoExtension.EncryptedKeyVersion> ekvs)
                     throws IOException,
                            GeneralSecurityException

Batched version of KeyProviderCryptoExtension.reencryptEncryptedKey(EncryptedKeyVersion).

For each encrypted key version, re-encrypts an encrypted key version, using its initialization vector and key material, but with the latest key version name of its key name. If the latest key version name in the provider is the same as the one encrypted the passed-in encrypted key version, the same encrypted key version is returned.

NOTE: The generated key is not stored by the KeyProvider

Parameters:

ekvs - List containing the EncryptedKeyVersion's

Throws:

IOException - If any EncryptedKeyVersion could not be re-encrypted

GeneralSecurityException - If any EncryptedKeyVersion could not be re-encrypted because of a cryptographic issue.