Signet Forge 0.1.0
C++20 Parquet library with AI-native extensions
signet::forge::crypto::EncryptionConfig Struct Reference

Top-level configuration structure that drives FileEncryptor / FileDecryptor.

#include <key_metadata.hpp>

Public Types

enum class AadFormat : int32_t { LEGACY = 0, SPEC_BINARY = 1 }
 AAD construction format.
 

Public Attributes

EncryptionAlgorithm algorithm = EncryptionAlgorithm::AES_GCM_CTR_V1
 Encryption algorithm (GCM everywhere, or GCM-footer + CTR-columns).
 
std::vector< uint8_t > footer_key
 32-byte AES-256 key for encrypting the Parquet footer (FileMetaData).
 
std::string footer_key_id
 KMS key identifier for the footer key (EXTERNAL mode).
 
bool encrypt_footer = true
 If true, the footer is encrypted.
 
std::vector< ColumnKeySpec > column_keys
 Per-column key specifications. Columns listed here get their own key.
 
std::vector< uint8_t > default_column_key
 Default column key (32 bytes).
 
std::string default_column_key_id
 KMS key identifier for the default column key (EXTERNAL mode).
 
KeyMode key_mode = KeyMode::INTERNAL
 INTERNAL: keys stored in file metadata. EXTERNAL: KMS references only.
 
std::shared_ptr< IKmsClient > kms_client
 Optional KMS client for DEK/KEK key wrapping (EXTERNAL key mode).
 
std::string aad_prefix
 AAD prefix – typically a file identifier or URI.
 
AadFormat aad_format = AadFormat::LEGACY
 

Detailed Description

Top-level configuration structure that drives FileEncryptor / FileDecryptor.

To encrypt a Parquet file, populate this structure and pass it to FileEncryptor. To decrypt, populate it with the same keys/KMS references and pass it to FileDecryptor.

Definition at line 157 of file key_metadata.hpp.

Member Enumeration Documentation

◆ AadFormat

AAD construction format.

LEGACY: aad_prefix + '\0' + module_type_byte + '\0' + extra (Signet v1 format — string concatenation with null separators)

SPEC_BINARY: aad_file_unique || module_type (1 byte) || row_group_ordinal (2 bytes LE) || column_ordinal (2 bytes LE) || page_ordinal (2 bytes LE) (Parquet PME spec format — fixed-width binary ordinals, compatible with parquet-mr and pyarrow)

Default is LEGACY for backward compatibility with existing encrypted files. Set to SPEC_BINARY for cross-implementation interoperability.

Enumerator
LEGACY 

Signet v1: null-separated string AAD.

SPEC_BINARY 

Parquet PME spec: fixed-width binary AAD.

Definition at line 226 of file key_metadata.hpp.
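
The two AAD layouts described above, built byte for byte as an added example (not Signet Forge code). `legacy_aad`, `spec_binary_aad`, the sample file identifier and the module-type value 2 are hypothetical; the NUL check on the prefix is an added precaution, not documented library behaviour.

```cpp
// Added example: hypothetical helpers, not part of Signet Forge.
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;

// LEGACY: aad_prefix + '\0' + module_type_byte + '\0' + extra
Bytes legacy_aad(const std::string& aad_prefix, uint8_t module_type,
                 const std::string& extra) {
    // Added precaution (assumption): NUL is the field separator, so a prefix
    // that itself contains NUL would make the field boundaries ambiguous.
    if (aad_prefix.find('\0') != std::string::npos)
        throw std::invalid_argument("aad_prefix must not contain NUL");
    Bytes out(aad_prefix.begin(), aad_prefix.end());
    out.push_back(0);
    out.push_back(module_type);
    out.push_back(0);
    out.insert(out.end(), extra.begin(), extra.end());
    return out;
}

// Append a 16-bit ordinal in little-endian byte order.
static void put_u16_le(Bytes& out, uint16_t v) {
    out.push_back(static_cast<uint8_t>(v & 0xFF));
    out.push_back(static_cast<uint8_t>(v >> 8));
}

// SPEC_BINARY: aad_file_unique || module_type (1 byte) || row_group_ordinal
// (2 bytes LE) || column_ordinal (2 bytes LE) || page_ordinal (2 bytes LE)
Bytes spec_binary_aad(const Bytes& aad_file_unique, uint8_t module_type,
                      uint16_t row_group, uint16_t column, uint16_t page) {
    Bytes out(aad_file_unique);
    out.push_back(module_type);
    put_u16_le(out, row_group);
    put_u16_le(out, column);
    put_u16_le(out, page);
    return out;
}

int main() {
    const Bytes file_unique = {0xDE, 0xAD, 0xBE, 0xEF};  // constructed sample
    for (uint8_t b : spec_binary_aad(file_unique, 2, 1, 3, 258))
        std::printf("%02x", b);
    std::printf("\n");
    return 0;
}
```

Because the GCM tag covers these bytes, a module written under one format fails authentication when the reader builds its AAD under the other, and changing any ordinal changes the AAD.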

Member Data Documentation

◆ aad_format

AadFormat signet::forge::crypto::EncryptionConfig::aad_format = AadFormat::LEGACY

Definition at line 230 of file key_metadata.hpp.

◆ aad_prefix

std::string signet::forge::crypto::EncryptionConfig::aad_prefix

AAD prefix – typically a file identifier or URI.

Bound into every GCM authentication tag so ciphertext cannot be transplanted between files without detection.

Definition at line 208 of file key_metadata.hpp.

◆ algorithm

EncryptionAlgorithm signet::forge::crypto::EncryptionConfig::algorithm = EncryptionAlgorithm::AES_GCM_CTR_V1

Encryption algorithm (GCM everywhere, or GCM-footer + CTR-columns).

Definition at line 159 of file key_metadata.hpp.

◆ column_keys

std::vector<ColumnKeySpec> signet::forge::crypto::EncryptionConfig::column_keys

Per-column key specifications. Columns listed here get their own key.

Definition at line 176 of file key_metadata.hpp.

◆ default_column_key

std::vector<uint8_t> signet::forge::crypto::EncryptionConfig::default_column_key

Default column key (32 bytes).

Used for any column not explicitly listed in column_keys. If empty and a column has no specific key, that column's data is stored unencrypted.

Definition at line 181 of file key_metadata.hpp.

◆ default_column_key_id

std::string signet::forge::crypto::EncryptionConfig::default_column_key_id

KMS key identifier for the default column key (EXTERNAL mode).

Definition at line 184 of file key_metadata.hpp.

◆ encrypt_footer

bool signet::forge::crypto::EncryptionConfig::encrypt_footer = true

If true, the footer is encrypted.

If false, the footer is stored in plaintext with an HMAC signature for integrity (signed plaintext footer).

Definition at line 171 of file key_metadata.hpp.

◆ footer_key

std::vector<uint8_t> signet::forge::crypto::EncryptionConfig::footer_key

32-byte AES-256 key for encrypting the Parquet footer (FileMetaData).

Definition at line 164 of file key_metadata.hpp.

◆ footer_key_id

std::string signet::forge::crypto::EncryptionConfig::footer_key_id

KMS key identifier for the footer key (EXTERNAL mode).

Definition at line 167 of file key_metadata.hpp.

◆ key_mode

KeyMode signet::forge::crypto::EncryptionConfig::key_mode = KeyMode::INTERNAL

INTERNAL: keys stored in file metadata. EXTERNAL: KMS references only.

Definition at line 189 of file key_metadata.hpp.

◆ kms_client

std::shared_ptr<IKmsClient> signet::forge::crypto::EncryptionConfig::kms_client

Optional KMS client for DEK/KEK key wrapping (EXTERNAL key mode).

When set, FileEncryptor::wrap_keys() wraps all DEKs under their respective KEKs, and FileDecryptor::unwrap_keys() recovers DEKs from the wrapped blobs stored in file metadata.

Must implement IKmsClient::wrap_key() and unwrap_key(). Not required for INTERNAL key mode (keys stored in plaintext).

Definition at line 201 of file key_metadata.hpp.


The documentation for this struct was generated from the following file: