Refactor Crypto packages (#1956)

* Move AESCryptoService and NoCryptoService into public spi package
* Move CryptoEnvironmentImpl into core.crypto package with other server crypto stuff
* Make AESCryptoUtils static methods on AESCryptoService
diff --git a/core/src/main/java/org/apache/accumulo/core/conf/Property.java b/core/src/main/java/org/apache/accumulo/core/conf/Property.java
index 04015e3..c757648 100644
--- a/core/src/main/java/org/apache/accumulo/core/conf/Property.java
+++ b/core/src/main/java/org/apache/accumulo/core/conf/Property.java
@@ -176,7 +176,7 @@
       "Sensitive properties related to on-disk file encryption."),
   @Experimental
   INSTANCE_CRYPTO_SERVICE("instance.crypto.service",
-      "org.apache.accumulo.core.cryptoImpl.NoCryptoService", PropertyType.CLASSNAME,
+      "org.apache.accumulo.core.spi.crypto.NoCryptoService", PropertyType.CLASSNAME,
       "The class which executes on-disk file encryption. The default does nothing. To enable "
           + "encryption, replace this classname with an implementation of the"
           + "org.apache.accumulo.core.spi.crypto.CryptoService interface."),
diff --git a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/CryptoEnvironmentImpl.java b/core/src/main/java/org/apache/accumulo/core/crypto/CryptoEnvironmentImpl.java
similarity index 96%
rename from core/src/main/java/org/apache/accumulo/core/cryptoImpl/CryptoEnvironmentImpl.java
rename to core/src/main/java/org/apache/accumulo/core/crypto/CryptoEnvironmentImpl.java
index 17863be..ba2deae 100644
--- a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/CryptoEnvironmentImpl.java
+++ b/core/src/main/java/org/apache/accumulo/core/crypto/CryptoEnvironmentImpl.java
@@ -16,7 +16,7 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.accumulo.core.cryptoImpl;
+package org.apache.accumulo.core.crypto;
 
 import org.apache.accumulo.core.spi.crypto.CryptoEnvironment;
 
diff --git a/core/src/main/java/org/apache/accumulo/core/crypto/CryptoServiceFactory.java b/core/src/main/java/org/apache/accumulo/core/crypto/CryptoServiceFactory.java
index f3c8737..1415b0d 100644
--- a/core/src/main/java/org/apache/accumulo/core/crypto/CryptoServiceFactory.java
+++ b/core/src/main/java/org/apache/accumulo/core/crypto/CryptoServiceFactory.java
@@ -21,8 +21,8 @@
 import org.apache.accumulo.core.conf.AccumuloConfiguration;
 import org.apache.accumulo.core.conf.DefaultConfiguration;
 import org.apache.accumulo.core.conf.Property;
-import org.apache.accumulo.core.cryptoImpl.NoCryptoService;
 import org.apache.accumulo.core.spi.crypto.CryptoService;
+import org.apache.accumulo.core.spi.crypto.NoCryptoService;
 
 public class CryptoServiceFactory {
 
diff --git a/core/src/main/java/org/apache/accumulo/core/crypto/CryptoUtils.java b/core/src/main/java/org/apache/accumulo/core/crypto/CryptoUtils.java
index 703a0eb..53fff25 100644
--- a/core/src/main/java/org/apache/accumulo/core/crypto/CryptoUtils.java
+++ b/core/src/main/java/org/apache/accumulo/core/crypto/CryptoUtils.java
@@ -26,7 +26,6 @@
 import java.security.SecureRandom;
 import java.util.Objects;
 
-import org.apache.accumulo.core.cryptoImpl.CryptoEnvironmentImpl;
 import org.apache.accumulo.core.spi.crypto.CryptoEnvironment;
 import org.apache.accumulo.core.spi.crypto.CryptoService;
 import org.apache.accumulo.core.spi.crypto.CryptoService.CryptoException;
diff --git a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/AESKeyUtils.java b/core/src/main/java/org/apache/accumulo/core/cryptoImpl/AESKeyUtils.java
deleted file mode 100644
index 8b0e942..0000000
--- a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/AESKeyUtils.java
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.accumulo.core.cryptoImpl;
-
-import java.io.IOException;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.nio.file.Files;
-import java.nio.file.Paths;
-import java.security.InvalidKeyException;
-import java.security.Key;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
-
-import javax.crypto.Cipher;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.NoSuchPaddingException;
-import javax.crypto.spec.SecretKeySpec;
-
-import org.apache.accumulo.core.spi.crypto.CryptoService.CryptoException;
-
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
-
-public class AESKeyUtils {
-
-  public static final String URI = "uri";
-  public static final String KEY_WRAP_TRANSFORM = "AESWrap";
-
-  public static Key generateKey(SecureRandom sr, int size) {
-    byte[] bytes = new byte[size];
-    sr.nextBytes(bytes);
-    return new SecretKeySpec(bytes, "AES");
-  }
-
-  @SuppressFBWarnings(value = "CIPHER_INTEGRITY",
-      justification = "integrity not needed for key wrap")
-  public static Key unwrapKey(byte[] fek, Key kek) {
-    Key result = null;
-    try {
-      Cipher c = Cipher.getInstance(KEY_WRAP_TRANSFORM);
-      c.init(Cipher.UNWRAP_MODE, kek);
-      result = c.unwrap(fek, "AES", Cipher.SECRET_KEY);
-    } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) {
-      throw new CryptoException("Unable to unwrap file encryption key", e);
-    }
-    return result;
-  }
-
-  @SuppressFBWarnings(value = "CIPHER_INTEGRITY",
-      justification = "integrity not needed for key wrap")
-  public static byte[] wrapKey(Key fek, Key kek) {
-    byte[] result = null;
-    try {
-      Cipher c = Cipher.getInstance(KEY_WRAP_TRANSFORM);
-      c.init(Cipher.WRAP_MODE, kek);
-      result = c.wrap(fek);
-    } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException
-        | IllegalBlockSizeException e) {
-      throw new CryptoException("Unable to wrap file encryption key", e);
-    }
-
-    return result;
-  }
-
-  @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "keyId specified by admin")
-  public static SecretKeySpec loadKekFromUri(String keyId) {
-    URI uri;
-    SecretKeySpec key = null;
-    try {
-      uri = new URI(keyId);
-      key = new SecretKeySpec(Files.readAllBytes(Paths.get(uri.getPath())), "AES");
-    } catch (URISyntaxException | IOException | IllegalArgumentException e) {
-      throw new CryptoException("Unable to load key encryption key.", e);
-    }
-
-    return key;
-
-  }
-}
diff --git a/core/src/main/java/org/apache/accumulo/core/file/rfile/PrintInfo.java b/core/src/main/java/org/apache/accumulo/core/file/rfile/PrintInfo.java
index 96b49d6..4423a0c 100644
--- a/core/src/main/java/org/apache/accumulo/core/file/rfile/PrintInfo.java
+++ b/core/src/main/java/org/apache/accumulo/core/file/rfile/PrintInfo.java
@@ -29,7 +29,6 @@
 import org.apache.accumulo.core.crypto.CryptoServiceFactory;
 import org.apache.accumulo.core.crypto.CryptoServiceFactory.ClassloaderType;
 import org.apache.accumulo.core.crypto.CryptoUtils;
-import org.apache.accumulo.core.cryptoImpl.NoFileEncrypter;
 import org.apache.accumulo.core.data.ByteSequence;
 import org.apache.accumulo.core.data.Key;
 import org.apache.accumulo.core.data.Range;
@@ -38,6 +37,7 @@
 import org.apache.accumulo.core.file.blockfile.impl.CachableBlockFile.CachableBuilder;
 import org.apache.accumulo.core.file.rfile.RFile.Reader;
 import org.apache.accumulo.core.file.rfile.bcfile.Utils;
+import org.apache.accumulo.core.spi.crypto.NoFileEncrypter;
 import org.apache.accumulo.core.summary.SummaryReader;
 import org.apache.accumulo.core.util.LocalityGroupUtil;
 import org.apache.accumulo.start.spi.KeywordExecutable;
diff --git a/core/src/main/java/org/apache/accumulo/core/file/rfile/bcfile/BCFile.java b/core/src/main/java/org/apache/accumulo/core/file/rfile/bcfile/BCFile.java
index 1d9fff3..eddf315 100644
--- a/core/src/main/java/org/apache/accumulo/core/file/rfile/bcfile/BCFile.java
+++ b/core/src/main/java/org/apache/accumulo/core/file/rfile/bcfile/BCFile.java
@@ -34,10 +34,8 @@
 import java.util.Map;
 import java.util.TreeMap;
 
+import org.apache.accumulo.core.crypto.CryptoEnvironmentImpl;
 import org.apache.accumulo.core.crypto.CryptoUtils;
-import org.apache.accumulo.core.cryptoImpl.CryptoEnvironmentImpl;
-import org.apache.accumulo.core.cryptoImpl.NoFileDecrypter;
-import org.apache.accumulo.core.cryptoImpl.NoFileEncrypter;
 import org.apache.accumulo.core.file.rfile.bcfile.Compression.Algorithm;
 import org.apache.accumulo.core.file.rfile.bcfile.Utils.Version;
 import org.apache.accumulo.core.file.streams.BoundedRangeFileInputStream;
@@ -48,6 +46,8 @@
 import org.apache.accumulo.core.spi.crypto.CryptoService;
 import org.apache.accumulo.core.spi.crypto.FileDecrypter;
 import org.apache.accumulo.core.spi.crypto.FileEncrypter;
+import org.apache.accumulo.core.spi.crypto.NoFileDecrypter;
+import org.apache.accumulo.core.spi.crypto.NoFileEncrypter;
 import org.apache.accumulo.core.util.ratelimit.RateLimiter;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
diff --git a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/AESCryptoService.java b/core/src/main/java/org/apache/accumulo/core/spi/crypto/AESCryptoService.java
similarity index 86%
rename from core/src/main/java/org/apache/accumulo/core/cryptoImpl/AESCryptoService.java
rename to core/src/main/java/org/apache/accumulo/core/spi/crypto/AESCryptoService.java
index 60aee63..95d10a4 100644
--- a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/AESCryptoService.java
+++ b/core/src/main/java/org/apache/accumulo/core/spi/crypto/AESCryptoService.java
@@ -16,7 +16,7 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.accumulo.core.cryptoImpl;
+package org.apache.accumulo.core.spi.crypto;
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 
@@ -27,6 +27,10 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
 import java.security.Key;
@@ -40,19 +44,17 @@
 import javax.crypto.Cipher;
 import javax.crypto.CipherInputStream;
 import javax.crypto.CipherOutputStream;
+import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.NoSuchPaddingException;
 import javax.crypto.spec.GCMParameterSpec;
 import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
 
 import org.apache.accumulo.core.crypto.CryptoUtils;
 import org.apache.accumulo.core.crypto.streams.BlockedInputStream;
 import org.apache.accumulo.core.crypto.streams.BlockedOutputStream;
 import org.apache.accumulo.core.crypto.streams.DiscardCloseOutputStream;
 import org.apache.accumulo.core.crypto.streams.RFileCipherOutputStream;
-import org.apache.accumulo.core.spi.crypto.CryptoEnvironment;
-import org.apache.accumulo.core.spi.crypto.CryptoService;
-import org.apache.accumulo.core.spi.crypto.FileDecrypter;
-import org.apache.accumulo.core.spi.crypto.FileEncrypter;
 import org.apache.commons.io.IOUtils;
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
@@ -65,6 +67,8 @@
   // Hard coded NoCryptoService.VERSION - this permits the removal of NoCryptoService from the
   // core jar, allowing use of only one crypto service
   private static final String NO_CRYPTO_VERSION = "U+1F47B";
+  public static final String URI = "uri";
+  public static final String KEY_WRAP_TRANSFORM = "AESWrap";
 
   private Key encryptingKek = null;
   private String keyLocation = null;
@@ -83,10 +87,10 @@
     this.sr = CryptoUtils.newSha1SecureRandom();
     this.decryptingKeys = new HashMap<>();
     switch (keyMgr) {
-      case AESKeyUtils.URI:
+      case URI:
         this.keyManager = keyMgr;
         this.keyLocation = keyLocation;
-        this.encryptingKek = AESKeyUtils.loadKekFromUri(keyLocation);
+        this.encryptingKek = loadKekFromUri(keyLocation);
         break;
       default:
         throw new CryptoException("Unrecognized key manager");
@@ -121,7 +125,7 @@
 
     ParsedCryptoParameters parsed = parseCryptoParameters(decryptionParams);
     Key kek = loadDecryptionKek(parsed);
-    Key fek = AESKeyUtils.unwrapKey(parsed.getEncFek(), kek);
+    Key fek = unwrapKey(parsed.getEncFek(), kek);
     switch (parsed.getCryptoServiceVersion()) {
       case AESCBCCryptoModule.VERSION:
         cm = new AESCBCCryptoModule(this.encryptingKek, this.keyLocation, this.keyManager);
@@ -195,7 +199,7 @@
       params.writeUTF(version);
       params.writeUTF(encryptingKeyManager);
       params.writeUTF(encryptingKekId);
-      byte[] wrappedFek = AESKeyUtils.wrapKey(fek, encryptingKek);
+      byte[] wrappedFek = wrapKey(fek, encryptingKek);
       params.writeInt(wrappedFek.length);
       params.write(wrappedFek);
 
@@ -234,8 +238,8 @@
     }
 
     switch (params.keyManagerVersion) {
-      case AESKeyUtils.URI:
-        ret = AESKeyUtils.loadKekFromUri(params.kekId);
+      case URI:
+        ret = loadKekFromUri(params.kekId);
         break;
       default:
         throw new CryptoException("Unable to load kek: " + params.kekId);
@@ -296,7 +300,7 @@
       private final byte[] initVector = new byte[GCM_IV_LENGTH_IN_BYTES];
 
       AESGCMFileEncrypter() {
-        this.fek = AESKeyUtils.generateKey(sr, KEY_LENGTH_IN_BYTES);
+        this.fek = generateKey(sr, KEY_LENGTH_IN_BYTES);
         sr.nextBytes(this.initVector);
         this.firstInitVector = Arrays.copyOf(this.initVector, this.initVector.length);
       }
@@ -429,7 +433,7 @@
     @SuppressFBWarnings(value = "CIPHER_INTEGRITY", justification = "CBC is provided for WALs")
     public class AESCBCFileEncrypter implements FileEncrypter {
 
-      private Key fek = AESKeyUtils.generateKey(sr, KEY_LENGTH_IN_BYTES);
+      private Key fek = generateKey(sr, KEY_LENGTH_IN_BYTES);
       private byte[] initVector = new byte[IV_LENGTH_IN_BYTES];
 
       @Override
@@ -492,4 +496,55 @@
       }
     }
   }
+
+  public static Key generateKey(SecureRandom sr, int size) {
+    byte[] bytes = new byte[size];
+    sr.nextBytes(bytes);
+    return new SecretKeySpec(bytes, "AES");
+  }
+
+  @SuppressFBWarnings(value = "CIPHER_INTEGRITY",
+      justification = "integrity not needed for key wrap")
+  public static Key unwrapKey(byte[] fek, Key kek) {
+    Key result = null;
+    try {
+      Cipher c = Cipher.getInstance(KEY_WRAP_TRANSFORM);
+      c.init(Cipher.UNWRAP_MODE, kek);
+      result = c.unwrap(fek, "AES", Cipher.SECRET_KEY);
+    } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) {
+      throw new CryptoException("Unable to unwrap file encryption key", e);
+    }
+    return result;
+  }
+
+  @SuppressFBWarnings(value = "CIPHER_INTEGRITY",
+      justification = "integrity not needed for key wrap")
+  public static byte[] wrapKey(Key fek, Key kek) {
+    byte[] result = null;
+    try {
+      Cipher c = Cipher.getInstance(KEY_WRAP_TRANSFORM);
+      c.init(Cipher.WRAP_MODE, kek);
+      result = c.wrap(fek);
+    } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException
+        | IllegalBlockSizeException e) {
+      throw new CryptoException("Unable to wrap file encryption key", e);
+    }
+
+    return result;
+  }
+
+  @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "keyId specified by admin")
+  public static Key loadKekFromUri(String keyId) {
+    java.net.URI uri;
+    SecretKeySpec key = null;
+    try {
+      uri = new URI(keyId);
+      key = new SecretKeySpec(Files.readAllBytes(Paths.get(uri.getPath())), "AES");
+    } catch (URISyntaxException | IOException | IllegalArgumentException e) {
+      throw new CryptoException("Unable to load key encryption key.", e);
+    }
+
+    return key;
+
+  }
 }
diff --git a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/NoCryptoService.java b/core/src/main/java/org/apache/accumulo/core/spi/crypto/NoCryptoService.java
similarity index 82%
rename from core/src/main/java/org/apache/accumulo/core/cryptoImpl/NoCryptoService.java
rename to core/src/main/java/org/apache/accumulo/core/spi/crypto/NoCryptoService.java
index 21e61f5..669af43 100644
--- a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/NoCryptoService.java
+++ b/core/src/main/java/org/apache/accumulo/core/spi/crypto/NoCryptoService.java
@@ -16,15 +16,10 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.accumulo.core.cryptoImpl;
+package org.apache.accumulo.core.spi.crypto;
 
 import java.util.Map;
 
-import org.apache.accumulo.core.spi.crypto.CryptoEnvironment;
-import org.apache.accumulo.core.spi.crypto.CryptoService;
-import org.apache.accumulo.core.spi.crypto.FileDecrypter;
-import org.apache.accumulo.core.spi.crypto.FileEncrypter;
-
 /**
  * The default encryption strategy which does nothing.
  */
diff --git a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/NoFileDecrypter.java b/core/src/main/java/org/apache/accumulo/core/spi/crypto/NoFileDecrypter.java
similarity index 86%
rename from core/src/main/java/org/apache/accumulo/core/cryptoImpl/NoFileDecrypter.java
rename to core/src/main/java/org/apache/accumulo/core/spi/crypto/NoFileDecrypter.java
index f48bf92..e9860b7 100644
--- a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/NoFileDecrypter.java
+++ b/core/src/main/java/org/apache/accumulo/core/spi/crypto/NoFileDecrypter.java
@@ -16,13 +16,10 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.accumulo.core.cryptoImpl;
+package org.apache.accumulo.core.spi.crypto;
 
 import java.io.InputStream;
 
-import org.apache.accumulo.core.spi.crypto.CryptoService;
-import org.apache.accumulo.core.spi.crypto.FileDecrypter;
-
 public class NoFileDecrypter implements FileDecrypter {
   @Override
   public InputStream decryptStream(InputStream inputStream) throws CryptoService.CryptoException {
diff --git a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/NoFileEncrypter.java b/core/src/main/java/org/apache/accumulo/core/spi/crypto/NoFileEncrypter.java
similarity index 88%
rename from core/src/main/java/org/apache/accumulo/core/cryptoImpl/NoFileEncrypter.java
rename to core/src/main/java/org/apache/accumulo/core/spi/crypto/NoFileEncrypter.java
index ed36937..a980c73 100644
--- a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/NoFileEncrypter.java
+++ b/core/src/main/java/org/apache/accumulo/core/spi/crypto/NoFileEncrypter.java
@@ -16,15 +16,12 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.accumulo.core.cryptoImpl;
+package org.apache.accumulo.core.spi.crypto;
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 
 import java.io.OutputStream;
 
-import org.apache.accumulo.core.spi.crypto.CryptoService;
-import org.apache.accumulo.core.spi.crypto.FileEncrypter;
-
 public class NoFileEncrypter implements FileEncrypter {
 
   @Override
diff --git a/core/src/test/java/org/apache/accumulo/core/conf/SiteConfigurationTest.java b/core/src/test/java/org/apache/accumulo/core/conf/SiteConfigurationTest.java
index f7dc1aa..cc0b00e 100644
--- a/core/src/test/java/org/apache/accumulo/core/conf/SiteConfigurationTest.java
+++ b/core/src/test/java/org/apache/accumulo/core/conf/SiteConfigurationTest.java
@@ -62,7 +62,7 @@
     assertEquals("", conf.get(Property.INSTANCE_VOLUMES));
     assertEquals("120s", conf.get(Property.GENERAL_RPC_TIMEOUT));
     assertEquals("1G", conf.get(Property.TSERV_WALOG_MAX_SIZE));
-    assertEquals("org.apache.accumulo.core.cryptoImpl.NoCryptoService",
+    assertEquals("org.apache.accumulo.core.spi.crypto.NoCryptoService",
         conf.get(Property.INSTANCE_CRYPTO_SERVICE));
   }
 
@@ -76,7 +76,7 @@
     assertEquals("hdfs://localhost:8020/accumulo123", conf.get(Property.INSTANCE_VOLUMES));
     assertEquals("123s", conf.get(Property.GENERAL_RPC_TIMEOUT));
     assertEquals("256M", conf.get(Property.TSERV_WALOG_MAX_SIZE));
-    assertEquals("org.apache.accumulo.core.cryptoImpl.AESCryptoService",
+    assertEquals("org.apache.accumulo.core.spi.crypto.AESCryptoService",
         conf.get(Property.INSTANCE_CRYPTO_SERVICE));
     assertEquals(System.getenv("USER"), conf.get("general.test.user.name"));
     assertEquals("/tmp/test/dir", conf.get("general.test.user.dir"));
diff --git a/core/src/test/java/org/apache/accumulo/core/crypto/CryptoTest.java b/core/src/test/java/org/apache/accumulo/core/crypto/CryptoTest.java
index 94336db..5568a8d 100644
--- a/core/src/test/java/org/apache/accumulo/core/crypto/CryptoTest.java
+++ b/core/src/test/java/org/apache/accumulo/core/crypto/CryptoTest.java
@@ -58,11 +58,9 @@
 import org.apache.accumulo.core.conf.Property;
 import org.apache.accumulo.core.crypto.CryptoServiceFactory.ClassloaderType;
 import org.apache.accumulo.core.crypto.streams.NoFlushOutputStream;
-import org.apache.accumulo.core.cryptoImpl.AESCryptoService;
-import org.apache.accumulo.core.cryptoImpl.AESKeyUtils;
-import org.apache.accumulo.core.cryptoImpl.CryptoEnvironmentImpl;
 import org.apache.accumulo.core.data.Key;
 import org.apache.accumulo.core.data.Value;
+import org.apache.accumulo.core.spi.crypto.AESCryptoService;
 import org.apache.accumulo.core.spi.crypto.CryptoEnvironment;
 import org.apache.accumulo.core.spi.crypto.CryptoEnvironment.Scope;
 import org.apache.accumulo.core.spi.crypto.CryptoService;
@@ -267,7 +265,7 @@
       aconf.set(e.getKey(), e.getValue());
     }
     aconf.set(Property.INSTANCE_CRYPTO_SERVICE,
-        "org.apache.accumulo.core.cryptoImpl.AESCryptoService");
+        "org.apache.accumulo.core.spi.crypto.AESCryptoService");
     String configuredClass = aconf.get(Property.INSTANCE_CRYPTO_SERVICE.getKey());
     Class<? extends CryptoService> clazz =
         ClassLoaderUtil.loadClass(configuredClass, CryptoService.class);
@@ -297,7 +295,7 @@
   @SuppressFBWarnings(value = "CIPHER_INTEGRITY", justification = "CBC is being tested")
   private void verifyKeySizeForCBC(SecureRandom sr, int sizeInBytes)
       throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException {
-    java.security.Key key = AESKeyUtils.generateKey(sr, sizeInBytes);
+    java.security.Key key = AESCryptoService.generateKey(sr, sizeInBytes);
     Cipher.getInstance("AES/CBC/NoPadding").init(Cipher.ENCRYPT_MODE, key);
   }
 
@@ -305,11 +303,11 @@
   public void testAESKeyUtilsWrapAndUnwrap()
       throws NoSuchAlgorithmException, NoSuchProviderException {
     SecureRandom sr = SecureRandom.getInstance("SHA1PRNG", "SUN");
-    java.security.Key kek = AESKeyUtils.generateKey(sr, 16);
-    java.security.Key fek = AESKeyUtils.generateKey(sr, 16);
-    byte[] wrapped = AESKeyUtils.wrapKey(fek, kek);
+    java.security.Key kek = AESCryptoService.generateKey(sr, 16);
+    java.security.Key fek = AESCryptoService.generateKey(sr, 16);
+    byte[] wrapped = AESCryptoService.wrapKey(fek, kek);
     assertFalse(Arrays.equals(fek.getEncoded(), wrapped));
-    java.security.Key unwrapped = AESKeyUtils.unwrapKey(wrapped, kek);
+    java.security.Key unwrapped = AESCryptoService.unwrapKey(wrapped, kek);
     assertEquals(unwrapped, fek);
   }
 
@@ -317,19 +315,19 @@
   public void testAESKeyUtilsFailUnwrapWithWrongKEK()
       throws NoSuchAlgorithmException, NoSuchProviderException {
     SecureRandom sr = SecureRandom.getInstance("SHA1PRNG", "SUN");
-    java.security.Key kek = AESKeyUtils.generateKey(sr, 16);
-    java.security.Key fek = AESKeyUtils.generateKey(sr, 16);
+    java.security.Key kek = AESCryptoService.generateKey(sr, 16);
+    java.security.Key fek = AESCryptoService.generateKey(sr, 16);
     byte[] wrongBytes = kek.getEncoded();
     wrongBytes[0]++;
     java.security.Key wrongKek = new SecretKeySpec(wrongBytes, "AES");
 
-    byte[] wrapped = AESKeyUtils.wrapKey(fek, kek);
-    assertThrows(CryptoException.class, () -> AESKeyUtils.unwrapKey(wrapped, wrongKek));
+    byte[] wrapped = AESCryptoService.wrapKey(fek, kek);
+    assertThrows(CryptoException.class, () -> AESCryptoService.unwrapKey(wrapped, wrongKek));
   }
 
   @Test
   public void testAESKeyUtilsLoadKekFromUri() throws IOException {
-    SecretKeySpec fileKey = AESKeyUtils.loadKekFromUri(keyPath);
+    java.security.Key fileKey = AESCryptoService.loadKekFromUri(keyPath);
     ByteArrayOutputStream baos = new ByteArrayOutputStream();
     DataOutputStream dos = new DataOutputStream(baos);
     dos.writeUTF("sixteenbytekey");
@@ -339,13 +337,13 @@
 
   @Test
   public void testAESKeyUtilsLoadKekFromUriInvalidUri() {
-    assertThrows(CryptoException.class, () -> AESKeyUtils.loadKekFromUri(
+    assertThrows(CryptoException.class, () -> AESCryptoService.loadKekFromUri(
         System.getProperty("user.dir") + "/target/CryptoTest-testkeyfile-doesnt-exist"));
   }
 
   @Test
   public void testAESKeyUtilsLoadKekFromEmptyFile() {
-    assertThrows(CryptoException.class, () -> AESKeyUtils.loadKekFromUri(emptyKeyPath));
+    assertThrows(CryptoException.class, () -> AESCryptoService.loadKekFromUri(emptyKeyPath));
   }
 
   private ArrayList<Key> testData() {
diff --git a/core/src/test/java/org/apache/accumulo/core/file/rfile/RFileTest.java b/core/src/test/java/org/apache/accumulo/core/file/rfile/RFileTest.java
index 617ca93..f0cee84 100644
--- a/core/src/test/java/org/apache/accumulo/core/file/rfile/RFileTest.java
+++ b/core/src/test/java/org/apache/accumulo/core/file/rfile/RFileTest.java
@@ -1801,7 +1801,7 @@
     switch (cryptoOn) {
       case CryptoTest.CRYPTO_ON_CONF:
         cfg.set(Property.INSTANCE_CRYPTO_SERVICE,
-            "org.apache.accumulo.core.cryptoImpl.AESCryptoService");
+            "org.apache.accumulo.core.spi.crypto.AESCryptoService");
         cfg.set(INSTANCE_CRYPTO_PREFIX.getKey() + "key.uri", CryptoTest.keyPath);
     }
     return cfg;
diff --git a/core/src/test/resources/accumulo2.properties b/core/src/test/resources/accumulo2.properties
index adfbe13..a6328d9 100644
--- a/core/src/test/resources/accumulo2.properties
+++ b/core/src/test/resources/accumulo2.properties
@@ -18,7 +18,7 @@
 #
 
 general.rpc.timeout=123s
-instance.crypto.service=org.apache.accumulo.core.cryptoImpl.AESCryptoService
+instance.crypto.service=org.apache.accumulo.core.spi.crypto.AESCryptoService
 instance.secret=mysecret
 instance.volumes=hdfs://localhost:8020/accumulo123
 instance.zookeeper.host=myhost123:2181
diff --git a/server/tserver/src/main/java/org/apache/accumulo/tserver/log/DfsLogger.java b/server/tserver/src/main/java/org/apache/accumulo/tserver/log/DfsLogger.java
index 7e2b410..e9b5d4e 100644
--- a/server/tserver/src/main/java/org/apache/accumulo/tserver/log/DfsLogger.java
+++ b/server/tserver/src/main/java/org/apache/accumulo/tserver/log/DfsLogger.java
@@ -46,18 +46,18 @@
 import org.apache.accumulo.core.client.Durability;
 import org.apache.accumulo.core.conf.AccumuloConfiguration;
 import org.apache.accumulo.core.conf.Property;
+import org.apache.accumulo.core.crypto.CryptoEnvironmentImpl;
 import org.apache.accumulo.core.crypto.CryptoServiceFactory;
 import org.apache.accumulo.core.crypto.CryptoServiceFactory.ClassloaderType;
 import org.apache.accumulo.core.crypto.CryptoUtils;
 import org.apache.accumulo.core.crypto.streams.NoFlushOutputStream;
-import org.apache.accumulo.core.cryptoImpl.CryptoEnvironmentImpl;
-import org.apache.accumulo.core.cryptoImpl.NoCryptoService;
 import org.apache.accumulo.core.data.Mutation;
 import org.apache.accumulo.core.spi.crypto.CryptoEnvironment;
 import org.apache.accumulo.core.spi.crypto.CryptoEnvironment.Scope;
 import org.apache.accumulo.core.spi.crypto.CryptoService;
 import org.apache.accumulo.core.spi.crypto.FileDecrypter;
 import org.apache.accumulo.core.spi.crypto.FileEncrypter;
+import org.apache.accumulo.core.spi.crypto.NoCryptoService;
 import org.apache.accumulo.core.util.Pair;
 import org.apache.accumulo.core.util.threads.Threads;
 import org.apache.accumulo.server.ServerConstants;
diff --git a/test/src/main/java/org/apache/accumulo/test/functional/WriteAheadLogEncryptedIT.java b/test/src/main/java/org/apache/accumulo/test/functional/WriteAheadLogEncryptedIT.java
index d7d54c6..d17f521 100644
--- a/test/src/main/java/org/apache/accumulo/test/functional/WriteAheadLogEncryptedIT.java
+++ b/test/src/main/java/org/apache/accumulo/test/functional/WriteAheadLogEncryptedIT.java
@@ -43,7 +43,7 @@
     String keyPath =
         System.getProperty("user.dir") + "/target/mini-tests/WriteAheadLogEncryptedIT-testkeyfile";
     cfg.setProperty(Property.INSTANCE_CRYPTO_SERVICE,
-        "org.apache.accumulo.core.cryptoImpl.AESCryptoService");
+        "org.apache.accumulo.core.spi.crypto.AESCryptoService");
     cfg.setProperty(INSTANCE_CRYPTO_PREFIX.getKey() + "key.uri", keyPath);
 
     WriteAheadLogIT.setupConfig(cfg, hadoopCoreSite);