[
https://issues.apache.org/jira/browse/HBASE-10062?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Purtell updated HBASE-10062:
-----------------------------------
Description:
After HBASE-7544, if an HFile belongs to an encrypted family, it is encrypted
on a per block basis. The encrypted blocks include the following header:
{noformat}
// +--------------------------+
// | vint plaintext length |
// +--------------------------+
// | vint iv length |
// +--------------------------+
// | iv data ... |
// +--------------------------+
// | encrypted block data ... |
// +--------------------------+
{noformat}
The reason for storing the plaintext length is so we can create an decryption
stream over the encrypted block data and, no matter the internal details of the
crypto algorithm (whether it adds padding, etc.) after reading the expected
plaintext bytes we know the reader is finished. However my colleague Jerry Chen
pointed out today this construction mandates the block be processed exactly
that way. Storing and using the encrypted data length instead could provide
more implementation flexibility down the road.
was:
After HBASE-7544, if an HFile belongs to an encrypted family, it is encrypted
on a per block basis. The encrypted blocks include the following header:
{noformat}
// +--------------------------+
// | vint plaintext length |
// +--------------------------+
// | vint iv length |
// +--------------------------+
// | iv data ... |
// +--------------------------+
// | encrypted block data ... |
// +--------------------------+
{noformat}
The reason for storing the plaintext length is so we can create an encryption
stream over the encrypted block data and, no matter the internal details of the
crypto algorithm (whether it adds padding, etc.) after reading the expected
plaintext bytes we know the reader is finished. However my colleague Jerry Chen
pointed out today this construction mandates the block be processed exactly
that way. Storing and using the encrypted data length instead could provide
more implementation flexibility down the road.
> Store the encrypted data length in the block encryption header instead of
> plaintext length
> ------------------------------------------------------------------------------------------
>
> Key: HBASE-10062
> URL: https://issues.apache.org/jira/browse/HBASE-10062
> Project: HBase
> Issue Type: Improvement
> Reporter: Andrew Purtell
> Assignee: Andrew Purtell
> Priority: Minor
> Fix For: 0.98.0
>
>
> After HBASE-7544, if an HFile belongs to an encrypted family, it is encrypted
> on a per block basis. The encrypted blocks include the following header:
> {noformat}
> // +--------------------------+
> // | vint plaintext length |
> // +--------------------------+
> // | vint iv length |
> // +--------------------------+
> // | iv data ... |
> // +--------------------------+
> // | encrypted block data ... |
> // +--------------------------+
> {noformat}
> The reason for storing the plaintext length is so we can create an decryption
> stream over the encrypted block data and, no matter the internal details of
> the crypto algorithm (whether it adds padding, etc.) after reading the
> expected plaintext bytes we know the reader is finished. However my colleague
> Jerry Chen pointed out today this construction mandates the block be
> processed exactly that way. Storing and using the encrypted data length
> instead could provide more implementation flexibility down the road.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
