Cloudera Docs

AES encryption and decryption support

This topic describes Impala's support for Advanced Encryption Standard (AES) crypto functions, including the various supported modes, key sizes, and function behavior.

Advanced Encryption Standard (AES) is a widely-used and secure way to protect sensitive data. It works by using a secret key to scramble your data (plaintext) into a form that's unreadable (ciphertext). Impala's AES implementation supports two key sizes, 128-bit and 256-bit, to meet different security requirements.

Key functions and supported modes

Impala provides aes_encrypt() and aes_decrypt() functions as entry points for encryption and decryption operations, handling the processes based on user-provided keys, AES modes, and initialization vectors (IVs). The implementation includes key length and initialization vectors vector size validation to ensure data integrity and confidentiality.

These functions use a key, an encryption mode, and a special initialization vector (IV) to keep your data secure. Impala supports various modes to give you flexibility.

  • Encryption Modes:
    • AES-GCM
    • AES-CTR
    • AES-CFB
  • Decryption Modes:
    • AES-GCM
    • AES-ECB
    • AES-CTR
    • AES-CFB

You can refer to the following table to get information about the available modes:

Mode Description
AES-GCM (Galois/Counter Mode) This mode combines the AES block cipher with the Galois/Counter Mode (GCM) for authenticated encryption. It provides both confidentiality and integrity, making it suitable for secure communication and storage. Due to its strong security properties and efficiency, it is the default mode.
AES-ECB (Electronic Codebook) This is a basic mode of operation where each block of plaintext is encrypted independently with the same key. It is included for compatibility with legacy systems and is only supported for decryption.
AES-CTR (Counter Mode) This mode turns a block cipher into a stream cipher by encrypting a counter value to produce a key stream. This key stream is then XORed with the plaintext to create the ciphertext, allowing for parallel encryption and decryption.
AES-CFB (Cipher Feedback Mode) This mode uses ciphertext feedback to create a key stream. It operates on a block-by-block basis, where the previous ciphertext block is encrypted and then XORed with the plaintext to produce the next ciphertext block.

Compatibility and error handling

For compatibility, AES-CTR and AES-CFB are provided as fallbacks for environments where AES-GCM might not be supported (for example, OpenSSL versions prior to 1.0.1).

If a user-provided mode is a valid member of AES_CIPHER_MODE but is not supported by the internal OpenSSL library, the library's default mode is chosen.

If a user provides an unsupported or invalid mode, the system returns an error.