org.apache.iceberg.encryption

Interface EncryptionManager

All Superinterfaces:

java.io.Serializable

All Known Implementing Classes:

PlaintextEncryptionManager, StandardEncryptionManager

public interface EncryptionManager
extends java.io.Serializable

Module for encrypting and decrypting table data files.

This must be serializable because an instance may be instantiated in one place and sent across the wire in some Iceberg integrations, notably Spark.

Method Summary

Modifier and Type	Method and Description
InputFile	decrypt(EncryptedInputFile encrypted) Given an EncryptedInputFile.encryptedInputFile() representing the raw encrypted bytes from the underlying file system, and given metadata about how the file was encrypted via EncryptedInputFile.keyMetadata(), return an InputFile that returns decrypted input streams.
default java.lang.Iterable<InputFile>	decrypt(java.lang.Iterable<EncryptedInputFile> encrypted) Variant of decrypt(EncryptedInputFile) that provides a sequence of files that all need to be decrypted in a single context.
default java.lang.Iterable<EncryptedOutputFile>	encrypt(java.lang.Iterable<OutputFile> rawOutput) Variant of encrypt(OutputFile) that provides a sequence of files that all need to be encrypted in a single context.
EncryptedOutputFile	encrypt(OutputFile rawOutput) Given a handle on an OutputFile that writes raw bytes to the underlying file system, return a bundle of an EncryptedOutputFile.encryptingOutputFile() that writes encrypted bytes to the underlying file system, and the EncryptedOutputFile.keyMetadata() that points to the encryption key that is being used to encrypt this file.

Method Detail

decrypt

InputFile decrypt(EncryptedInputFile encrypted)

Given an EncryptedInputFile.encryptedInputFile() representing the raw encrypted bytes from the underlying file system, and given metadata about how the file was encrypted via EncryptedInputFile.keyMetadata(), return an InputFile that returns decrypted input streams.

decrypt

default java.lang.Iterable<InputFile> decrypt(java.lang.Iterable<EncryptedInputFile> encrypted)

Variant of decrypt(EncryptedInputFile) that provides a sequence of files that all need to be decrypted in a single context.

By default this calls the single-file decryption method for each element in the iterator. Implementations can override this for a variety of optimizations. For example, an implementation can perform lookahead on the input iterator and fetch encryption keys in batch.

encrypt

EncryptedOutputFile encrypt(OutputFile rawOutput)

Given a handle on an OutputFile that writes raw bytes to the underlying file system, return a bundle of an EncryptedOutputFile.encryptingOutputFile() that writes encrypted bytes to the underlying file system, and the EncryptedOutputFile.keyMetadata() that points to the encryption key that is being used to encrypt this file.

encrypt

default java.lang.Iterable<EncryptedOutputFile> encrypt(java.lang.Iterable<OutputFile> rawOutput)

Variant of encrypt(OutputFile) that provides a sequence of files that all need to be encrypted in a single context.

By default this calls the single-file encryption method for each element in the iterator. Implementations can override this for a variety of optimizations. For example, an implementation can perform lookahead on the input iterator and fetch encryption keys in batch.