org.apache.iceberg.encryption

Class StandardEncryptionManager

java.lang.Object

org.apache.iceberg.encryption.StandardEncryptionManager

All Implemented Interfaces:

java.io.Serializable, EncryptionManager

public class StandardEncryptionManager
extends java.lang.Object
implements EncryptionManager

See Also:

Serialized Form

Constructor Summary

Constructors

Constructor and Description
StandardEncryptionManager(java.lang.String tableKeyId, int dataKeyLength, org.apache.iceberg.encryption.KeyManagementClient kmsClient)

Method Summary

Modifier and Type	Method and Description
NativeEncryptionInputFile	decrypt(EncryptedInputFile encrypted) Given an EncryptedInputFile.encryptedInputFile() representing the raw encrypted bytes from the underlying file system, and given metadata about how the file was encrypted via EncryptedInputFile.keyMetadata(), return an InputFile that returns decrypted input streams.
java.lang.Iterable<InputFile>	decrypt(java.lang.Iterable<EncryptedInputFile> encrypted) Variant of EncryptionManager.decrypt(EncryptedInputFile) that provides a sequence of files that all need to be decrypted in a single context.
NativeEncryptionOutputFile	encrypt(OutputFile plainOutput) Given a handle on an OutputFile that writes raw bytes to the underlying file system, return a bundle of an EncryptedOutputFile.encryptingOutputFile() that writes encrypted bytes to the underlying file system, and the EncryptedOutputFile.keyMetadata() that points to the encryption key that is being used to encrypt this file.
java.nio.ByteBuffer	unwrapKey(java.nio.ByteBuffer wrappedSecretKey)
java.nio.ByteBuffer	wrapKey(java.nio.ByteBuffer secretKey)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.iceberg.encryption.EncryptionManager

encrypt

Constructor Detail

StandardEncryptionManager

public StandardEncryptionManager(java.lang.String tableKeyId,
                                 int dataKeyLength,
                                 org.apache.iceberg.encryption.KeyManagementClient kmsClient)

Parameters:

tableKeyId - table encryption key id

dataKeyLength - length of data encryption key (16/24/32 bytes)

kmsClient - Client of KMS used to wrap/unwrap keys in envelope encryption

Method Detail

encrypt

public NativeEncryptionOutputFile encrypt(OutputFile plainOutput)

Description copied from interface: EncryptionManager

Given a handle on an OutputFile that writes raw bytes to the underlying file system, return a bundle of an EncryptedOutputFile.encryptingOutputFile() that writes encrypted bytes to the underlying file system, and the EncryptedOutputFile.keyMetadata() that points to the encryption key that is being used to encrypt this file.

Specified by:

encrypt in interface EncryptionManager

decrypt

public NativeEncryptionInputFile decrypt(EncryptedInputFile encrypted)

Description copied from interface: EncryptionManager

Given an EncryptedInputFile.encryptedInputFile() representing the raw encrypted bytes from the underlying file system, and given metadata about how the file was encrypted via EncryptedInputFile.keyMetadata(), return an InputFile that returns decrypted input streams.

Specified by:

decrypt in interface EncryptionManager

decrypt

public java.lang.Iterable<InputFile> decrypt(java.lang.Iterable<EncryptedInputFile> encrypted)

Description copied from interface: EncryptionManager

Variant of EncryptionManager.decrypt(EncryptedInputFile) that provides a sequence of files that all need to be decrypted in a single context.

By default this calls the single-file decryption method for each element in the iterator. Implementations can override this for a variety of optimizations. For example, an implementation can perform lookahead on the input iterator and fetch encryption keys in batch.

Specified by:

decrypt in interface EncryptionManager

wrapKey

public java.nio.ByteBuffer wrapKey(java.nio.ByteBuffer secretKey)

unwrapKey

public java.nio.ByteBuffer unwrapKey(java.nio.ByteBuffer wrappedSecretKey)