Skip to main content

High Level Steps

These are the initial steps in installing and configuring PK Protect Dynamic Decryption. These steps are independent of the type of program you are using to decrypt (Java, Scala Spark, or Hive).

Ignore these steps when using com.dataguise.decrypterlib.hive.udf.DgDecrypter6 for dynamic decryption on Hiveserver2 with Beeline, Pyspark, or Apache Drill.

  1. Place the DgDecrypter.jar library at a location that is accessible from the Decyrpter user’s program. Ensure the user has read access. The library is typically found in the ontheflydecryption folder.

  2. Update the** Make sure the properties file points to the correct Keytore and ACL locations. The file is in the same location as the DgDecrypter.jar. The keystore is typically located in

    Location: /opt/Dataguise/DgSecure/IDPs/HDFSIDP/expandedArchive/WEB-INF/classes/com/dataguise/hadoop/util/keystoresun

    -Possible settings for the ACL locations: “Controller”, “HDFS”, and “LocalFS”. In the case of the Direct Java API (non-MapReduce), only the Controller and Local File System options are valid.

  3. Review the configurations in the properties files prior in order ensure desired decryption functionality. Editable properties in the file are as follows:

    1. passBlankContent: This property determines the returned value of encrypted data that is not within the User’s access rights. The value of this property can be set to either “yes” or “no”. When set to yes, dynamic decryption returns a null value for encrypted values to which the user does not have access rights. When this value is set to no, encrypted values for which the user does not access simply appear in their encrypted format.

    2. em.seed: This property sets the encryption marker seed value. The encryption marker allows accurate data decryption. The value should be the same as the encryption marker used to encrypt the data and should be identical to the em.seed property in your HDFSIDPConfig property file.

    3. ACL fetching: Dynamic Decryption requires an access control list, which is obtained either from the controller, the cluster, or local file. The ACL can be found in either the controller or in HDFS by default. If you would like to use 

    4. Acl.source: This value can be set to either “HDFS”, “localFS”, or “controller”. When set to HDFS, DgDecrypter grabs the ACL from “aclFileHDFSlocation”. When set to localFS, DgDecrypter grabs the ACL from aclFileLocalFSLocation. When set to Controller, DgDecrypter grabs the ACL from “controller.url”. Typically, the ACL is fetched from the controller.

      1. aclFileHDFSlocation: Location of the HDFS ACL file.

      2. controller.url: Location of the DSM Administrator

      3. aclFileLocalFSLocation: Location of the local ACL file (It must be copied manually from either the controller or HDFS).

    5. Bouncy Castle jar locations: Enter the file path for each bouncycastle jar used to encrypt the files that you want to decrypt. The bouncycastle jars you need are:

      1. bouncycastle.bcprov

      2. bouncycastle.bcpg

    6. keystore.fullpath: This property should point to the correct path/file in the local file system for the keystore. By default, the path is:


    7. Debug.mode: This property can be set to either “true” or “false”. Set to true if attempting to resolve an error.

    8. ClusterID: In PK Protect, access controls are governed by cluster. This property points DgDecrypter to grab the ACL from the desired cluster.

      pre.hook.params.location.path=/dataguise$/tmp/ or to any path in HDFS where the ‘hive’ user has write access.

    9. Enable.bc.provider: This property can be set to either “false” or “true”. When set to false, Java keystore is used to encrypt dynamic decryption request. When set to true, Bouncycastle is used.
      **This property only applies to Hortonworks 2.1.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.