Mate Szalay-Beko created HBASE-25263:
----------------------------------------
Summary: Change encryption key generation algorithm used in the
HBase shell
Key: HBASE-25263
URL: https://issues.apache.org/jira/browse/HBASE-25263
Project: HBase
Issue Type: Improvement
Components: encryption, shell
Reporter: Mate Szalay-Beko
Assignee: Mate Szalay-Beko
This ticket is a follow-up of HBASE-25181, where several issues were discussed
on the PR:
1. Currently we use `PBKDF2WithHmacSHA1` key generation algorithm to generate a
secret key for HFile / WalFile encryption, when the user is defining a string
encryption key in the hbase shell. This algorithm is not secure enough and not
allowed in certain environments (like on FIPS compliant clusters). Our plan is
to change it to e.g. `PBKDF2WithHmacSHA384`. If this would break backward
compatibility, then we should make this algorithm configurable.
2. In `EncryptionUtil.createEncryptionContext` the various encryption config
checks should throw IllegalStateExceptions instead of RuntimeExceptions.
3. Test cases in `TestEncryptionTest.java` should be broken down into smaller
tests.
4. `TestEncryptionDisabled.java` should use `ExpectedException` JUnit rule to
validate exceptions.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
