Class InMemoryKeystore

java.lang.Object
org.apache.orc.InMemoryKeystore
All Implemented Interfaces:
KeyProvider

public class InMemoryKeystore extends Object implements KeyProvider
This is an in-memory implementation of KeyProvider.

The primary use of this class is for when the user doesn't have a Hadoop KMS running and wishes to use encryption. It is also useful for testing.

The local keys for this class are wrapped (encrypted and decrypted) using the cipher in CBC/NoPadding mode and a constant IV. Because each local key is freshly generated random material, the constant IV is not a problem.

This class is not thread safe.

  • Field Details

    • SUPPORTS_AES_256

      public static final boolean SUPPORTS_AES_256
      Whether AES-256 is supported.
  • Constructor Details

    • InMemoryKeystore

      public InMemoryKeystore()
      Create a new InMemoryKeystore.
    • InMemoryKeystore

      public InMemoryKeystore(Random random)
      Create an InMemoryKeystore with the given random generator. Except for testing, this must be a SecureRandom.
  • Method Details

    • getKeyNames

      public List<String> getKeyNames()
      Get the list of key names from the key provider.
      Specified by:
      getKeyNames in interface KeyProvider
      Returns:
      a list of key names
    • getCurrentKeyVersion

      public HadoopShims.KeyMetadata getCurrentKeyVersion(String keyName)
      Get the current metadata for a given key. This is used when encrypting new data.
      Specified by:
      getCurrentKeyVersion in interface KeyProvider
      Parameters:
      keyName - the name of a key
      Returns:
      metadata for the current version of the key
    • createLocalKey

      public LocalKey createLocalKey(HadoopShims.KeyMetadata key)
      Create a local key for the given key version.
      Specified by:
      createLocalKey in interface KeyProvider
      Parameters:
      key - the master key version
      Returns:
      the local key's material
    • decryptLocalKey

      public Key decryptLocalKey(HadoopShims.KeyMetadata key, byte[] encryptedKey)
      Create a local key for the given key version and initialization vector. Given a probabilistically unique iv, it will generate a unique key with the master key at the specified version. This allows the encryption to use this local key for the encryption and decryption without ever having access to the master key.

      This uses KeyProviderCryptoExtension.decryptEncryptedKey with a fixed key of the appropriate length.

      Specified by:
      decryptLocalKey in interface KeyProvider
      Parameters:
      key - the master key version
      encryptedKey - the unique initialization vector
      Returns:
      the local key's material
    • getKind

      public HadoopShims.KeyProviderKind getKind()
      Specified by:
      getKind in interface KeyProvider
    • addKey

      public InMemoryKeystore addKey(String keyName, EncryptionAlgorithm algorithm, byte[] masterKey) throws IOException
      Adds a new key, or a new version of an existing key.
      A new key can be added only if:
      • This is a new key and no prior key version exists.
      • The key already exists (has versions) and the version being added is greater than the version that already exists.
      Parameters:
      keyName - Name of the key to be added
      algorithm - Algorithm used
      masterKey - Master key
      Returns:
      this
      Throws:
      IOException
    • addKey

      public InMemoryKeystore addKey(String keyName, int version, EncryptionAlgorithm algorithm, byte[] masterKey) throws IOException
      Adds a new key, or a new version of an existing key, at an explicit version number.
      A new key can be added only if:
      • This is a new key and no prior key version exists.
      • The key already exists (has versions) and the version being added is greater than the version that already exists.
      Parameters:
      keyName - Name of the key to be added
      version - Key Version
      algorithm - Algorithm used
      masterKey - Master key
      Returns:
      this
      Throws:
      IOException
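
The following is an added usage example, not code from the ORC project, showing the lifecycle this class documents: construct the keystore with a SecureRandom (as the constructor note requires), register a master key, create a local key and wrap it, unwrap it again, and rotate the master key to a higher version while a stale version is rejected. Beyond what this page states, it assumes the EncryptionAlgorithm constants AES_CTR_128 and AES_CTR_256 with 16- and 32-byte master keys, the HadoopShims.KeyMetadata accessors getKeyName() and getVersion(), the LocalKey accessors getEncryptedKey() and getDecryptedKey(), and org.apache.orc.impl as the package of HadoopShims and LocalKey.

```java
import java.io.IOException;
import java.security.Key;
import java.security.SecureRandom;
import java.util.Arrays;

import org.apache.orc.EncryptionAlgorithm;
import org.apache.orc.InMemoryKeystore;
import org.apache.orc.impl.HadoopShims;   // assumed package of KeyMetadata
import org.apache.orc.impl.LocalKey;      // assumed package of LocalKey

public class InMemoryKeystoreExample {

  /** Round-trips one local key through the keystore: returns true if wrap/unwrap agree. */
  static boolean roundTripLocalKey(InMemoryKeystore keystore, String keyName) {
    HadoopShims.KeyMetadata current = keystore.getCurrentKeyVersion(keyName);
    LocalKey local = keystore.createLocalKey(current);
    // The wrapped bytes are what a writer would persist next to the data;
    // the master key itself never leaves the keystore.
    byte[] wrapped = local.getEncryptedKey();            // assumed accessor
    Key unwrapped = keystore.decryptLocalKey(current, wrapped);
    return Arrays.equals(local.getDecryptedKey().getEncoded(),   // assumed accessor
                         unwrapped.getEncoded());
  }

  public static void main(String[] args) throws IOException {
    // Outside of tests the random source must be a SecureRandom (see constructor docs).
    SecureRandom random = new SecureRandom();
    InMemoryKeystore keystore = new InMemoryKeystore(random);

    // Pick the strongest algorithm this JVM supports, using the documented field.
    EncryptionAlgorithm algorithm = InMemoryKeystore.SUPPORTS_AES_256
        ? EncryptionAlgorithm.AES_CTR_256 : EncryptionAlgorithm.AES_CTR_128;  // assumed constants
    int keyBytes = InMemoryKeystore.SUPPORTS_AES_256 ? 32 : 16;               // assumed key lengths

    // Constructed master key material for this example; a real deployment would load it from
    // a secret store rather than generating it in process.
    byte[] masterV0 = new byte[keyBytes];
    random.nextBytes(masterV0);
    keystore.addKey("pii", algorithm, masterV0);

    System.out.println("keys: " + keystore.getKeyNames());
    HadoopShims.KeyMetadata v0 = keystore.getCurrentKeyVersion("pii");
    System.out.println("current version of " + v0.getKeyName() + ": " + v0.getVersion()); // assumed accessors
    System.out.println("local key round-trips: " + roundTripLocalKey(keystore, "pii"));

    // Rotation: a new version is accepted only if it is greater than the existing one.
    byte[] masterV1 = new byte[keyBytes];
    random.nextBytes(masterV1);
    keystore.addKey("pii", v0.getVersion() + 1, algorithm, masterV1);
    HadoopShims.KeyMetadata v1 = keystore.getCurrentKeyVersion("pii");
    System.out.println("after rotation, current version: " + v1.getVersion());

    // Re-adding the old version must be refused; the page documents this as an IOException.
    try {
      keystore.addKey("pii", v0.getVersion(), algorithm, masterV0);
      System.out.println("unexpected: stale version accepted");
    } catch (IOException expected) {
      System.out.println("stale version rejected: " + expected.getMessage());
    }

    // A local key created under v0 is still decryptable as long as the v0 metadata is kept,
    // which is why readers store the key version alongside the wrapped local key.
    System.out.println("local key under v1 round-trips: " + roundTripLocalKey(keystore, "pii"));
  }
}
```

Because this class is documented as not thread safe, a process that shares one InMemoryKeystore across writer threads must serialize calls to addKey and createLocalKey itself; the example above only ever touches the keystore from a single thread.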