ggershinsky commented on code in PR #7770:
URL: https://github.com/apache/iceberg/pull/7770#discussion_r1718009497
##########
core/src/main/java/org/apache/iceberg/encryption/StandardEncryptionManager.java:
##########
@@ -20,28 +20,46 @@
import java.nio.ByteBuffer;
import java.security.SecureRandom;
+import java.util.Base64;
+import java.util.Map;
+import org.apache.iceberg.CatalogProperties;
import org.apache.iceberg.TableProperties;
import org.apache.iceberg.io.InputFile;
import org.apache.iceberg.io.OutputFile;
import org.apache.iceberg.io.SeekableInputStream;
import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
import org.apache.iceberg.relocated.com.google.common.collect.Iterables;
+import org.apache.iceberg.relocated.com.google.common.collect.Maps;
import org.apache.iceberg.util.ByteBuffers;
public class StandardEncryptionManager implements EncryptionManager {
+ public static final int KEK_ID_LENGTH = 16;
+
private final transient KeyManagementClient kmsClient;
private final String tableKeyId;
private final int dataKeyLength;
-
+ private final long kekCacheTimeout;
+ private Map<String, KeyEncryptionKey> kekCache;
private transient volatile SecureRandom lazyRNG = null;
+ /**
+ * @deprecated will be removed in 2.0.0. use {@link
#StandardEncryptionManager(String, int,
+ * KeyManagementClient, long)} instead.
+ */
+ @Deprecated
+ public StandardEncryptionManager(
+ String tableKeyId, int dataKeyLength, KeyManagementClient kmsClient) {
+ this(tableKeyId, dataKeyLength, kmsClient,
CatalogProperties.KEK_CACHE_TIMEOUT_MS_DEFAULT);
+ }
+
/**
* @param tableKeyId table encryption key id
* @param dataKeyLength length of data encryption key (16/24/32 bytes)
* @param kmsClient Client of KMS used to wrap/unwrap keys in envelope
encryption
+ * @param kekCacheTimeout timeout of kek (key encryption key) cache entries
*/
public StandardEncryptionManager(
- String tableKeyId, int dataKeyLength, KeyManagementClient kmsClient) {
+ String tableKeyId, int dataKeyLength, KeyManagementClient kmsClient,
long kekCacheTimeout) {
Review Comment:
Actually, we have an explicit NIST recommendation for this in
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
_"The recommended originator-usage period for a symmetric key-wrapping
key that is used to wrap very large numbers of keys over a short period of
time is on the
order of a day or a week. If a relatively small number of keys are to be
wrapped under a
key-wrapping key, the originator-usage period of the key-wrapping key could
be up to
two years. "_
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
