AES encryption and decryption support

Learn about the Impala support for Advanced Encryption Standard (AES) cryptography functions, including the various supported modes, key sizes, and function behavior.

Advanced Encryption Standard (AES) is a widely used and secure way to protect sensitive data. It uses a secret key to transform plaintext data into unreadable ciphertext. The Impala AES implementation supports two key sizes, 128-bit and 256-bit, to meet different security requirements.

Key functions and supported modes

Impala provides the aes_encrypt() and aes_decrypt() functions as entry points for encryption and decryption operations. They handle these operations based on user-provided keys, AES modes, and initialization vectors (IVs). The implementation validates the key length and the initialization vector size to ensure data integrity and confidentiality.

These functions use a key, an encryption mode, and an initialization vector (IV) to keep your data secure. Impala supports the following modes to give you flexibility:

  • Encryption Modes:
    • AES-GCM
    • AES-CTR
    • AES-CFB
  • Decryption Modes:
    • AES-GCM
    • AES-ECB
    • AES-CTR
    • AES-CFB

The following table provides information about the available modes:

| Mode | Description |
|------|-------------|
| AES-GCM (Galois/Counter Mode) | This mode combines the AES block cipher with the Galois/Counter Mode (GCM) for authenticated encryption. It provides both confidentiality and integrity, making it suitable for secure communication and storage. Due to its strong security properties and efficiency, it is the default mode. |
| AES-ECB (Electronic Codebook) | This mode is a basic mode of operation in which each block of plaintext is encrypted independently with the same key. It is included for compatibility with legacy systems and is only supported for decryption. |
| AES-CTR (Counter Mode) | This mode turns a block cipher into a stream cipher by encrypting a counter value to produce a key stream. This key stream is then XORed with the plaintext to create the ciphertext, allowing for parallel encryption and decryption. |
| AES-CFB (Cipher Feedback Mode) | This mode uses ciphertext feedback to create a key stream. It operates on a block-by-block basis, in which the previous ciphertext block is encrypted and then XORed with the plaintext to produce the next ciphertext block. |

Compatibility and error handling

For compatibility, AES-CTR and AES-CFB are provided as fallbacks for environments in which AES-GCM might not be supported, for example, OpenSSL versions lower than 1.0.1.
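The fallback modes differ from AES-GCM in one property that matters for stored data: only GCM detects a change to the ciphertext. The following Go program is an added example, not Impala or Cloudera code; it uses Go's standard crypto packages instead of the Impala functions, and the key, all-zero IVs, and plaintext are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample values for the demo; real keys and IVs must be random and secret.
var (
	key   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes selects AES-256
	plain = []byte("acct=1001;amt=10")
)

// flip returns a copy of b with one bit of byte i inverted (stored data altered).
func flip(b []byte, i int) []byte {
	out := append([]byte(nil), b...)
	out[i] ^= 0x01
	return out
}

// ctrRoundTrip encrypts with AES-CTR, alters the ciphertext, then decrypts.
// CTR carries no authentication tag, so the altered data decrypts without error.
func ctrRoundTrip() []byte {
	block, _ := aes.NewCipher(key)    // key length is fixed and valid above
	iv := make([]byte, aes.BlockSize) // 16-byte IV (all zero only for the demo)
	ct := make([]byte, len(plain))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plain)
	got := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(got, flip(ct, 15))
	return got
}

// gcmRoundTrip does the same with AES-GCM; Open verifies the tag and must fail.
func gcmRoundTrip() ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12-byte IV (all zero only for the demo)
	ct := gcm.Seal(nil, nonce, plain, nil)
	return gcm.Open(nil, nonce, flip(ct, 15), nil)
}

func main() {
	_, err := gcmRoundTrip()
	fmt.Printf("CTR after tampering: %q\nGCM after tampering: %v\n", ctrRoundTrip(), err)
}
```

Data encrypted through the CTR or CFB fallback needs a separate integrity check, such as an HMAC over the ciphertext, if modified values must be detected.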

If a user-provided mode is a valid member of the AES_CIPHER_MODE modes but is not supported by the internal OpenSSL library, the library default mode is chosen.

If a user provides an unsupported or invalid mode, the system returns an error.