Re: [PR] Spec additions for encryption [iceberg]

Sun, 23 Feb 2025 08:25:55 -0800 


smaheshwar-pltr commented on code in PR #12162:
URL: https://github.com/apache/iceberg/pull/12162#discussion_r1966828077


##########
format/spec.md:
##########
@@ -975,6 +978,23 @@ The unified partition type looks like `Struct<field#1, 
field#2, field#3>`.
 and then the table has evolved into `spec#1` which has just one field 
`{field#2}`.
 The unified partition type looks like `Struct<field#1, field#2>`.
 
+#### Encryption Keys
+
+Encryption keys and metadata required for decrypting the manifest list files 
in encrypted tables.
+There are two types of entries:
+1. `key-metadata`: serialized key-metadata of the encrypted manifest list 
files. The key-metadata objects include encryption keys and other fields 
required to decrypt a file. Since these objects are sensitive, the serialized 
key-metadata byte arrays are encrypted by another key. The encryption is done 
via the integrity-preserving AES GCM cipher, using the snapshot ID as the AAD 
(additional authentication data) parameter. The result of the encryption is 
converted to a string via base64 encoding.

Review Comment:
   Could use "key metadata" (without the dash) outside of the type but not sure 
here, something like:
   ```suggestion
   1. `key-metadata`: serialized key metadata of an encrypted manifest list 
file. Key metadata includes encryption keys and other fields required to 
decrypt a file. As they are sensitive, serialized key metadata byte arrays are 
encrypted by another key. This encryption is achieved via the 
integrity-preserving AES GCM cipher, using the snapshot ID as the AAD 
(additional authentication data) parameter. The result of the encryption is 
converted to a string via base64 encoding.
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For additional commands, e-mail: issues-h...@iceberg.apache.org

Reply via email to