pyarrow.parquet.encryption.CryptoFactory

class pyarrow.parquet.encryption.CryptoFactory(kms_client_factory)

Bases: _Weakrefable

A factory that produces the low-level FileEncryptionProperties and FileDecryptionProperties objects, from the high-level parameters.

__init__()

Create CryptoFactory.

Parameters:

kms_client_factorya callable() that accepts KmsConnectionConfig

and returns a KmsClient

Methods

__init__	Create CryptoFactory.
file_decryption_properties(self, ...[, ...])	Create file decryption properties.
file_encryption_properties(self, ...[, ...])	Create file encryption properties.
remove_cache_entries_for_all_tokens(self)
remove_cache_entries_for_token(self, ...)
rotate_master_keys(self, ...[, ...])	Rotates master encryption keys for a Parquet file that uses external key material.

file_decryption_properties(self, KmsConnectionConfig kms_connection_config, DecryptionConfiguration decryption_config=None, parquet_file_path=None, FileSystem filesystem=None)

Create file decryption properties.

Parameters:

kms_connection_configKmsConnectionConfig

Configuration of connection to KMS

decryption_configDecryptionConfiguration, default None

Configuration of the decryption, such as cache timeout. Can be None.

parquet_file_pathstr, pathlib.Path, or None, default None

Path to the parquet file to be decrypted. Only required when the parquet file uses external key material. Used to derive the path to the external key material file.

filesystemFileSystem or None, default None

Used only when the parquet file uses external key material. If None, the file system will be inferred based on parquet_file_path.

Returns:

file_decryption_propertiesFileDecryptionProperties

File decryption properties.

file_encryption_properties(self, KmsConnectionConfig kms_connection_config, EncryptionConfiguration encryption_config, parquet_file_path=None, FileSystem filesystem=None)

Create file encryption properties.

Parameters:

kms_connection_configKmsConnectionConfig

Configuration of connection to KMS

encryption_configEncryptionConfiguration

Configuration of the encryption, such as which columns to encrypt

parquet_file_pathstr, pathlib.Path, or None, default None

Path to the parquet file to be encrypted. Only required when the internal_key_material attribute of EncryptionConfiguration is set to False. Used to derive the path for storing key material specific to this parquet file.

filesystemFileSystem or None, default None

Used only when internal_key_material is set to False on EncryptionConfiguration. If None, the file system will be inferred based on parquet_file_path.

Returns:

file_encryption_propertiesFileEncryptionProperties

File encryption properties.

remove_cache_entries_for_all_tokens(self)

remove_cache_entries_for_token(self, access_token)

rotate_master_keys(self, KmsConnectionConfig kms_connection_config, parquet_file_path, FileSystem filesystem=None, double_wrapping=True, cache_lifetime_seconds=600)

Rotates master encryption keys for a Parquet file that uses external key material.

Parameters:

kms_connection_configKmsConnectionConfig

Configuration of connection to KMS

parquet_file_pathstr or pathlib.Path

Path to a parquet file using external key material.

filesystemFileSystem or None, default None

Used only when the parquet file uses external key material. If None, the file system will be inferred based on parquet_file_path.

double_wrappingbool, default True

In the single wrapping mode, encrypts data encryption keys with new master keys. In the double wrapping mode, generates new KEKs (key encryption keys) and uses these to encrypt the data keys, and encrypts the KEKs with the new master keys.

cache_lifetime_secondsint or float, default 600

During key rotation, KMS Client and Key Encryption Keys will be cached for this duration.