Support Questions

nlam · ‎09-18-2018

The HBase Book says this about enabling wire-encryption in HBase:

Once HBase is configured for secure RPC it is possible to optionally configure encrypted communication. To do so, add the following to the hbase-site.xml file on every client:

<property>
  <name>hbase.rpc.protection</name>
  <value>privacy</value>
</property>

What is/are the encryption algorithm(s) used when HBase wire-encryption is enabled?

nlam · ‎10-01-2018

HBase, like Hadoop, uses the Simple Authentication and Security Layer (SASL) framework implementation in the Java SE libraries to provide authentication and message integrity and privacy services.

When a cluster is secured with Kerberos and hbase.rpc.protection=privacy, SASL uses the GSS-API (Java-GSS) framework to initiate Kerberos authentication between client and server, which results in the sharing of a (symmetric) cryptographic key between client and (Region) server which can be used for message (HBase payload) encryption.

With the JCE libraries installed, the cipher/encryption type used should default to aes256-cts-hmac-sha1-96.

Cloudera Community

Support Questions

What is the wire encryption used by HBase when hbase.rpc.protection is set to privacy?