
What is the wire encryption used by HBase when hbase.rpc.protection is set to privacy?

Cloudera Employee

The HBase Book says this about enabling wire-encryption in HBase:

Once HBase is configured for secure RPC it is possible to optionally configure encrypted communication. To do so, add the following to the hbase-site.xml file on every client:

<property>
  <name>hbase.rpc.protection</name>
  <value>privacy</value>
</property>

What is/are the encryption algorithm(s) used when HBase wire-encryption is enabled?

1 REPLY

Cloudera Employee

HBase, like Hadoop, uses the Simple Authentication and Security Layer (SASL) framework implementation in the Java SE libraries to provide authentication and message integrity and privacy services.

When a cluster is secured with Kerberos and hbase.rpc.protection=privacy, SASL uses the GSS-API (Java-GSS) framework to initiate Kerberos authentication between client and server, which results in the sharing of a (symmetric) cryptographic key between client and (Region) server which can be used for message (HBase payload) encryption.

With the JCE libraries installed, the cipher/encryption type used should default to aes256-cts-hmac-sha1-96.
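An added example, not part of the reply above and not HBase's own code: a Python check that reads hbase-site.xml and krb5.conf text, maps hbase.rpc.protection to the SASL quality of protection (QOP) it selects, and reports whether any Kerberos enctype list in krb5.conf excludes aes256-cts-hmac-sha1-96. It goes slightly beyond the page by also covering the authentication and integrity values; the function names and sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# hbase.rpc.protection value -> SASL quality of protection (QOP) used for RPC.
QOP = {"authentication": "auth", "integrity": "auth-int", "privacy": "auth-conf"}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")
# Enctype named in the reply, plus the shorter spellings MIT krb5 accepts for it.
ALLOWS_AES256 = {"aes256-cts-hmac-sha1-96", "aes256-cts", "aes"}

def rpc_protection(site_xml: str) -> str:
    """Return hbase.rpc.protection from hbase-site.xml text (HBase default: authentication)."""
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == "hbase.rpc.protection":
            return (prop.findtext("value") or "").strip().lower()
    return "authentication"

def enctype_lists(krb5_conf: str) -> dict:
    """Collect the enctype restriction lists that are set in krb5.conf text."""
    found = {}
    for line in krb5_conf.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.+)", line.split("#")[0])
        if m and m.group(1) in ENCTYPE_KEYS:
            found[m.group(1)] = re.split(r"[\s,]+", m.group(2).strip())
    return found

def audit(site_xml: str, krb5_conf: str) -> list:
    # An empty result means RPC payloads are encrypted and no list excludes AES-256.
    findings = []
    value = rpc_protection(site_xml)
    qop = QOP.get(value)
    if qop is None:
        findings.append(f"unknown hbase.rpc.protection value: {value!r}")
    elif qop != "auth-conf":
        findings.append(f"hbase.rpc.protection={value} (QOP {qop}): RPC payload is not encrypted")
    for key, types in enctype_lists(krb5_conf).items():
        if not ALLOWS_AES256 & set(types):
            findings.append(f"{key} does not allow aes256-cts-hmac-sha1-96")
    return findings

# Constructed sample inputs, not taken from a real cluster.
SITE = """<configuration><property>
  <name>hbase.rpc.protection</name><value>privacy</value>
</property></configuration>"""
KRB5 = """[libdefaults]
  default_realm = EXAMPLE.COM
  permitted_enctypes = aes128-cts-hmac-sha1-96 arcfour-hmac-md5
"""

print("\n".join(audit(SITE, KRB5)))
```

When krb5.conf sets none of the three enctype lists, the check reports nothing for Kerberos, because the library defaults then apply.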