We need SSE for Hive running over S3, but cannot use SSE-S3 because we cannot have our encryption keys accessible to a third party even if it's Amazon. How can we achieve this?
(1) Ranger using SSE-C would be ideal but Ranger does not support this, and AFAIK there are no immediate plans to correct this shortcoming. Any chance I'm wrong about this?
(2) SSE-KMS has an "envelope key" (CMC) that encrypts the master keys. If we could somehow control just the CMC from within Horton, that would probably be sufficient, as the keys managed by Amazon would be encrypted.
(3) A third-party product that would handle key management and/or encryption. Does anything fill this niche?