diff --git hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/Encryption.java hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/Encryption.java
index 8dffb66..35935d9 100644
--- hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/Encryption.java
+++ hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/Encryption.java
@@ -23,9 +23,12 @@ import java.security.DigestException;
 import java.security.Key;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
 import javax.crypto.spec.SecretKeySpec;
 import org.apache.commons.io.IOUtils;
@@ -200,6 +203,52 @@ public final class Encryption {
 }
 /**
+ * Return a 128 bit key derived from the concatenation of the supplied
+ * arguments using PBKDF2WithHmacSHA1 at 10,000 iterations.
+ *
+ */
+ public static byte[] pbkdf128(String... args) {
+ byte[] salt = new byte[128];
+ Bytes.random(salt);
+ StringBuilder sb = new StringBuilder();
+ for (String s: args) {
+ sb.append(s);
+ }
+ PBEKeySpec spec = new PBEKeySpec(sb.toString().toCharArray(), salt, 10000, 128);
+ try {
+ return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
+ .generateSecret(spec).getEncoded();
+ } catch (NoSuchAlgorithmException e) {
+ throw new RuntimeException(e);
+ } catch (InvalidKeySpecException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ /**
+ * Return a 128 bit key derived from the concatenation of the supplied
+ * arguments using PBKDF2WithHmacSHA1 at 10,000 iterations.
+ *
+ */
+ public static byte[] pbkdf128(byte[]... args) {
+ byte[] salt = new byte[128];
+ Bytes.random(salt);
+ StringBuilder sb = new StringBuilder();
+ for (byte[] b: args) {
+ sb.append(b);
+ }
+ PBEKeySpec spec = new PBEKeySpec(sb.toString().toCharArray(), salt, 10000, 128);
+ try {
+ return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
+ .generateSecret(spec).getEncoded();
+ } catch (NoSuchAlgorithmException e) {
+ throw new RuntimeException(e);
+ } catch (InvalidKeySpecException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ /**
 * Encrypt a block of plaintext
 *
 * The encryptor's state will be finalized. It should be reinitialized or
diff --git hbase-shell/src/main/ruby/hbase/admin.rb hbase-shell/src/main/ruby/hbase/admin.rb
index 0e517fb..5cb7903 100644
--- hbase-shell/src/main/ruby/hbase/admin.rb
+++ hbase-shell/src/main/ruby/hbase/admin.rb
@@ -640,7 +640,7 @@ module Hbase
 algorithm = arg.delete(org.apache.hadoop.hbase.HColumnDescriptor::ENCRYPTION).upcase
 family.setEncryptionType(algorithm)
 if arg.include?(org.apache.hadoop.hbase.HColumnDescriptor::ENCRYPTION_KEY)
- key = org.apache.hadoop.hbase.io.crypto.Encryption.hash128(
+ key = org.apache.hadoop.hbase.io.crypto.Encryption.pbkdf128(
 arg.delete(org.apache.hadoop.hbase.HColumnDescriptor::ENCRYPTION_KEY))
 family.setEncryptionKey(org.apache.hadoop.hbase.security.EncryptionUtil.wrapKey(@conf, key,
 algorithm))
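Review bot: In the `byte[]...` overload of `pbkdf128`, `sb.append(b)` binds to `StringBuilder.append(Object)`, so the password is built from each array's default `toString()` (type tag plus identity hash) rather than its contents, and the supplied bytes never influence the derived key. Encoding the contents explicitly fixes this, for example `sb.append(Bytes.toStringBinary(b));`. Both overloads also draw a fresh salt with `Bytes.random` and discard it, so the same arguments give a different key on every call and the key cannot be re-derived later; this carries over to the `pbkdf128` call in the admin.rb hunk, where the same ENCRYPTION_KEY string presumably mapped to a stable key under `hash128`. If that is intended, the Javadoc should say so (`* The salt is random and not retained, so the key cannot be recomputed from the arguments.`); otherwise the salt has to be supplied by or returned to the caller. Whether `Bytes.random` is backed by a CSPRNG is not visible in this diff and is worth confirming.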