[
https://issues.apache.org/jira/browse/HBASE-25181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Work on HBASE-25181 started by Mate Szalay-Beko.
------------------------------------------------
> Configure hash algorithm in wrapped encryption keys
> ---------------------------------------------------
>
> Key: HBASE-25181
> URL: https://issues.apache.org/jira/browse/HBASE-25181
> Project: HBase
> Issue Type: Improvement
> Affects Versions: 2.3.2
> Reporter: Mate Szalay-Beko
> Assignee: Mate Szalay-Beko
> Priority: Major
>
> Currently we are using the MD5 hash algorithm to store a hash for encryption
> keys. This hash is needed to verify the secret key of the subject (e.g.
> making sure that the same secret key is used during encrypted HFile read and
> write). The MD5 algorithm is considered weak, and cannot be used in some
> (e.g. FIPS compliant) clusters.
> In the patch I plan to:
> * introduce a backward compatible way of specifying the hash algorithm. This
> enables us to use newer and more secure hash algorithms like SHA-384 or
> SHA-512 (which are FIPS compliant).
> * change the algorithm used by the hbase shell to generate secure keys for
> column family encryption (this is only used for testing schema in the shell,
> the proper data keys are generated by the Java API, see e.g. HBASE-10951)
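A sketch of the backward-compatible idea in the issue above, added here as an illustration and not taken from the HBase patch or code base. The JSON record layout, the field names (`hash_alg`, `key_hash`, `wrapped_key`), the `fips_mode` flag and the rule that a missing algorithm field means MD5 are all assumptions made for this example.

```python
import hashlib
import hmac
import json

# Assumption: records written before the change have no "hash_alg" field,
# so its absence is read as the legacy algorithm.
LEGACY_HASH_ALG = "md5"
ALLOWED_HASH_ALGS = {"md5", "sha384", "sha512"}


def key_digest(key: bytes, alg: str) -> str:
    """Hex digest of the key under an allow-listed algorithm."""
    if alg not in ALLOWED_HASH_ALGS:
        raise ValueError(f"unsupported key hash algorithm: {alg!r}")
    return hashlib.new(alg, key).hexdigest()


def make_record(wrapped_key: bytes, key: bytes, alg: str = "sha384") -> str:
    """Serialize a (hypothetical) wrapped-key record that names its hash algorithm."""
    return json.dumps({
        "wrapped_key": wrapped_key.hex(),  # opaque here; wrapping itself is out of scope
        "hash_alg": alg,
        "key_hash": key_digest(key, alg),
    })


def verify_record(record: str, candidate_key: bytes, fips_mode: bool = False) -> bool:
    """Return True if candidate_key matches the hash stored at write time."""
    fields = json.loads(record)
    alg = fields.get("hash_alg", LEGACY_HASH_ALG)  # old records fall back to MD5
    if fips_mode and alg == "md5":
        # Refuse explicitly instead of silently computing a disallowed digest.
        raise ValueError("record uses MD5, which this cluster does not permit")
    expected = key_digest(candidate_key, alg)
    return hmac.compare_digest(expected, fields["key_hash"])


if __name__ == "__main__":
    key = b"constructed-sample-key"  # constructed sample, not a real key
    legacy = json.dumps({"wrapped_key": "00",
                         "key_hash": hashlib.md5(key).hexdigest()})
    print("legacy record verifies:", verify_record(legacy, key))
    print("new record verifies:   ", verify_record(make_record(b"\x00", key), key))
```
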