Signet Forge 0.1.0
C++20 Parquet library with AI-native extensions
DEMO
signet::forge::crypto::FileEncryptor Class Reference

Encrypts Parquet modules (footer, column metadata, data pages) using the keys and algorithm specified in an EncryptionConfig.

#include <pme.hpp>

Public Member Functions

 FileEncryptor (const EncryptionConfig &config)
 Construct an encryptor from an encryption configuration.
 
expected< std::vector< uint8_t > > encrypt_footer (const uint8_t *footer_data, size_t size) const
 Encrypt the serialized FileMetaData (footer) with AES-GCM.
 
expected< std::vector< uint8_t > > encrypt_column_page (const uint8_t *page_data, size_t size, const std::string &column_name, int32_t row_group_ordinal, int32_t page_ordinal) const
 Encrypt a column data page.
 
expected< std::vector< uint8_t > > encrypt_column_metadata (const uint8_t *metadata, size_t size, const std::string &column_name) const
 Encrypt serialized ColumnMetaData with AES-GCM (always authenticated).
 
expected< std::vector< uint8_t > > encrypt_dict_page (const uint8_t *page_data, size_t size, const std::string &column_name, int32_t row_group_ordinal) const
 Encrypt a dictionary page with the column's encryption key.
 
expected< std::vector< uint8_t > > encrypt_data_page_header (const uint8_t *header_data, size_t size, const std::string &column_name, int32_t row_group_ordinal, int32_t page_ordinal) const
 Encrypt a data page header (always AES-GCM authenticated).
 
expected< std::vector< uint8_t > > encrypt_column_meta_header (const uint8_t *header_data, size_t size, const std::string &column_name) const
 Encrypt a column metadata header (always AES-GCM authenticated).
 
expected< std::vector< uint8_t > > sign_footer (const uint8_t *footer_data, size_t size) const
 Sign the plaintext footer with HMAC-SHA256 (signed plaintext footer mode).
 
expected< std::vector< std::pair< std::string, std::vector< uint8_t > > > > wrap_keys () const
 Wrap all DEKs under their KEKs using the configured KMS client.
 
FileEncryptionProperties file_properties () const
 Get FileEncryptionProperties for embedding in FileMetaData.
 
EncryptionKeyMetadata column_key_metadata (const std::string &column_name) const
 Get key metadata for a column (stored in ColumnChunk.column_crypto_metadata).
 
bool is_column_encrypted (const std::string &column_name) const
 Check if a column has an encryption key (specific or default).
 
const EncryptionConfig & config () const
 Access the underlying EncryptionConfig.
 

Detailed Description

Encrypts Parquet modules (footer, column metadata, data pages) using the keys and algorithm specified in an EncryptionConfig.

Usage:

    EncryptionConfig cfg;
    cfg.footer_key = ...; // 32-byte key
    cfg.algorithm = EncryptionAlgorithm::AES_GCM_CTR_V1;
    cfg.aad_prefix = "file://my_table/part-00000.parquet";

    FileEncryptor enc(cfg);
    auto ct_footer = enc.encrypt_footer(footer_bytes, footer_size);
    auto ct_page = enc.encrypt_column_page(page_bytes, page_size, "price", 0, 0);

Definition at line 196 of file pme.hpp.

Constructor & Destructor Documentation

◆ FileEncryptor()

signet::forge::crypto::FileEncryptor::FileEncryptor ( const EncryptionConfig &  config)
inline explicit

Construct an encryptor from an encryption configuration.

Parameters
    config  Configuration specifying keys, algorithm, and AAD prefix.

Definition at line 200 of file pme.hpp.

Member Function Documentation

◆ column_key_metadata()

EncryptionKeyMetadata signet::forge::crypto::FileEncryptor::column_key_metadata ( const std::string &  column_name) const
inline

Get key metadata for a column (stored in ColumnChunk.column_crypto_metadata).

Parameters
    column_name  Column path to look up.
Returns
Metadata with key_mode, key_material (INTERNAL), or key_id (EXTERNAL).

Definition at line 613 of file pme.hpp.

◆ config()

const EncryptionConfig & signet::forge::crypto::FileEncryptor::config ( ) const
inline

Access the underlying EncryptionConfig.

Returns
Const reference to the configuration.

Definition at line 647 of file pme.hpp.

◆ encrypt_column_meta_header()

expected< std::vector< uint8_t > > signet::forge::crypto::FileEncryptor::encrypt_column_meta_header ( const uint8_t *  header_data,
size_t  size,
const std::string &  column_name 
) const
inline

Encrypt a column metadata header (always AES-GCM authenticated).

Parameters
    header_data  Pointer to the serialized column metadata header.
    size         Header size in bytes.
    column_name  Column path for key resolution and AAD.
Returns
Encrypted header, or passthrough if column has no key.

Definition at line 463 of file pme.hpp.

◆ encrypt_column_metadata()

expected< std::vector< uint8_t > > signet::forge::crypto::FileEncryptor::encrypt_column_metadata ( const uint8_t *  metadata,
size_t  size,
const std::string &  column_name 
) const
inline

Encrypt serialized ColumnMetaData with AES-GCM (always authenticated).

Parameters
    metadata     Pointer to the serialized column metadata bytes.
    size         Metadata size in bytes.
    column_name  Column path for key resolution and AAD.
Returns
Encrypted metadata, or passthrough if column has no key.

Definition at line 320 of file pme.hpp.

◆ encrypt_column_page()

expected< std::vector< uint8_t > > signet::forge::crypto::FileEncryptor::encrypt_column_page ( const uint8_t *  page_data,
size_t  size,
const std::string &  column_name,
int32_t  row_group_ordinal,
int32_t  page_ordinal 
) const
inline

Encrypt a column data page.

Uses AES-GCM (AES_GCM_V1) or AES-CTR (AES_GCM_CTR_V1) depending on the algorithm setting. AAD binds the ciphertext to its file location.

Parameters
    page_data          Pointer to the page data bytes.
    size               Page data size in bytes.
    column_name        Column path for key resolution and AAD.
    row_group_ordinal  Row group index (for AAD binding).
    page_ordinal       Page index within the row group (for AAD binding).
Returns
Encrypted page, or passthrough if column has no key.

Definition at line 269 of file pme.hpp.

◆ encrypt_data_page_header()

expected< std::vector< uint8_t > > signet::forge::crypto::FileEncryptor::encrypt_data_page_header ( const uint8_t *  header_data,
size_t  size,
const std::string &  column_name,
int32_t  row_group_ordinal,
int32_t  page_ordinal 
) const
inline

Encrypt a data page header (always AES-GCM authenticated).

Page headers contain min/max statistics. In AES_GCM_CTR_V1 mode, page data uses CTR but headers must use GCM to prevent statistics leakage.

Parameters
    header_data        Pointer to the serialized page header bytes.
    size               Header size in bytes.
    column_name        Column path for key resolution and AAD.
    row_group_ordinal  Row group index (for AAD binding).
    page_ordinal       Page index within the row group (for AAD binding).
Returns
Encrypted page header, or passthrough if column has no key.

Definition at line 422 of file pme.hpp.

◆ encrypt_dict_page()

expected< std::vector< uint8_t > > signet::forge::crypto::FileEncryptor::encrypt_dict_page ( const uint8_t *  page_data,
size_t  size,
const std::string &  column_name,
int32_t  row_group_ordinal 
) const
inline

Encrypt a dictionary page with the column's encryption key.

Dictionary pages contain all distinct values for dictionary-encoded columns. If left unencrypted, they leak the value domain even when data pages are encrypted.

Parameters
    page_data          Pointer to the dictionary page data bytes.
    size               Page data size in bytes.
    column_name        Column path for key resolution and AAD.
    row_group_ordinal  Row group index (for AAD binding).
Returns
Encrypted dictionary page, or passthrough if column has no key.

Definition at line 368 of file pme.hpp.

◆ encrypt_footer()

expected< std::vector< uint8_t > > signet::forge::crypto::FileEncryptor::encrypt_footer ( const uint8_t *  footer_data,
size_t  size 
) const
inline

Encrypt the serialized FileMetaData (footer) with AES-GCM.

Always uses authenticated encryption regardless of the algorithm setting.

Parameters
    footer_data  Pointer to the serialized footer bytes.
    size         Footer size in bytes.
Returns
Encrypted footer: [iv_size(1)] [iv(12)] [ciphertext + GCM tag].

Definition at line 225 of file pme.hpp.

◆ file_properties()

FileEncryptionProperties signet::forge::crypto::FileEncryptor::file_properties ( ) const
inline

Get FileEncryptionProperties for embedding in FileMetaData.

Returns
Properties struct with algorithm, footer-encrypted flag, and AAD prefix.

Definition at line 602 of file pme.hpp.

◆ is_column_encrypted()

bool signet::forge::crypto::FileEncryptor::is_column_encrypted ( const std::string &  column_name) const
inline

Check if a column has an encryption key (specific or default).

Parameters
    column_name  Column path to check.
Returns
True if the column will be encrypted.

Definition at line 641 of file pme.hpp.

◆ sign_footer()

expected< std::vector< uint8_t > > signet::forge::crypto::FileEncryptor::sign_footer ( const uint8_t *  footer_data,
size_t  size 
) const
inline

Sign the plaintext footer with HMAC-SHA256 (signed plaintext footer mode).

The footer remains readable but any modification will invalidate the signature.

Parameters
    footer_data  Pointer to the serialized footer bytes.
    size         Footer size in bytes.
Returns
Footer data with 32-byte HMAC signature appended.

Definition at line 510 of file pme.hpp.
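
Reader-side framing checks for the two footer layouts documented above (the encrypt_footer() output [iv_size(1)] [iv(12)] [ciphertext + GCM tag], and the sign_footer() output of footer bytes followed by a 32-byte HMAC), as an added example that is not part of Signet Forge. The type and function names are hypothetical, and the 16-byte GCM tag length is an assumption the page does not state.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

using Bytes = std::vector<uint8_t>;

// IV and HMAC lengths come from the documented layouts; the 16-byte GCM tag
// is an assumption (the standard full-length tag), not stated on the page.
constexpr size_t kIvLen = 12, kGcmTagLen = 16, kHmacLen = 32;

struct EncryptedFooter { Bytes iv, ciphertext, tag; };  // hypothetical type
struct SignedFooter { Bytes footer, hmac; };            // hypothetical type

// Parse [iv_size(1)] [iv(12)] [ciphertext + GCM tag]; false on malformed input.
bool parse_encrypted_footer(const Bytes& buf, EncryptedFooter& out) {
    if (buf.size() < 1 + kIvLen + kGcmTagLen) return false;  // truncated
    if (buf[0] != kIvLen) return false;                      // unexpected IV length
    auto iv_begin = buf.begin() + 1;
    auto ct_begin = iv_begin + kIvLen;
    auto tag_begin = buf.end() - kGcmTagLen;
    out = EncryptedFooter{Bytes(iv_begin, ct_begin), Bytes(ct_begin, tag_begin),
                          Bytes(tag_begin, buf.end())};
    return true;
}

// Split footer || HMAC-SHA256(32); a buffer with no footer bytes is rejected.
bool split_signed_footer(const Bytes& buf, SignedFooter& out) {
    if (buf.size() <= kHmacLen) return false;
    auto mac_begin = buf.end() - kHmacLen;
    out = SignedFooter{Bytes(buf.begin(), mac_begin), Bytes(mac_begin, buf.end())};
    return true;
}

// Constant-time comparison of the stored HMAC against a recomputed one.
bool ct_equal(const Bytes& a, const Bytes& b) {
    if (a.size() != b.size()) return false;
    uint8_t diff = 0;
    for (size_t i = 0; i < a.size(); ++i) diff |= a[i] ^ b[i];
    return diff == 0;
}

int main() {
    Bytes sample(1 + kIvLen + 5 + kGcmTagLen, 0xAA);  // constructed sample buffer
    sample[0] = 12;
    EncryptedFooter ef;
    bool ok = parse_encrypted_footer(sample, ef);
    std::printf("ok=%d iv=%zu ct=%zu tag=%zu\n", ok, ef.iv.size(), ef.ciphertext.size(), ef.tag.size());
    return ok ? 0 : 1;
}
```

In signed plaintext footer mode, recompute the HMAC over SignedFooter::footer with the signing key and compare it with ct_equal() before deserializing the footer.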

◆ wrap_keys()

expected< std::vector< std::pair< std::string, std::vector< uint8_t > > > > signet::forge::crypto::FileEncryptor::wrap_keys ( ) const
inline

Wrap all DEKs under their KEKs using the configured KMS client.

Returns
Map of key_id → wrapped DEK bytes, or error if KMS unavailable.

Definition at line 558 of file pme.hpp.


The documentation for this class was generated from the following file: