Using TDE with DLM
Encryption with Transparent Data Encryption (TDE) is supported in DLM for protecting data at rest. You can use TDE to prevent unauthorized parties from reading your stored data. All of the source data in a replication job must be either entirely encrypted or entirely unencrypted; DLM does not support replication in which some data is encrypted and some is not.
Replication scenarios for TDE-enabled data
DLM supports replication of HDFS and Hive data when:
- Both source and destination are encrypted with the same key (on-premise to on-premise replication only)
- Both source and destination are encrypted with different keys
- Source is unencrypted, but destination is encrypted
Note that DLM does not allow replication when the source is encrypted, but the destination is unencrypted.
TDE in HDFS
HDFS implements transparent, end-to-end encryption of data read from and written to HDFS.
- TDE must be configured in the HDFS service, and the directories must be marked as encryption zones using the encryption keys. Refer to Data Protection: HDFS Encryption in the HDP Security guide for more information.
- You can set TDE per directory or per cluster on HDFS.
TDE with Hive
- For Hive replication in DLM, any cluster that is using TDE and acts as a source for replication must have the entire data warehouse in a single encryption zone.
- You can set TDE only at cluster level for Hive replication.
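The HDFS and Hive replication rules above, combined into an added pre-flight check that is not part of DLM or HDP; it validates a replication plan against a constructed snapshot of encryption-zone metadata (the kind of information `hdfs crypto -listZones` reports) rather than querying a cluster, and the zone paths and key names are made up for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class EncryptionZone:
    path: str       # HDFS directory marked as an encryption zone
    key_name: str   # KMS key the zone was created with


def zone_for(path: str, zones: List[EncryptionZone]) -> Optional[EncryptionZone]:
    """Deepest encryption zone containing path; None means the data is unencrypted."""
    norm = path.rstrip("/") + "/"
    matches = [z for z in zones if norm.startswith(z.path.rstrip("/") + "/")]
    return max(matches, key=lambda z: len(z.path), default=None)


def validate_replication(source_paths: List[str], source_zones: List[EncryptionZone],
                         dest_path: str, dest_zones: List[EncryptionZone],
                         on_premise_to_on_premise: bool, hive: bool = False) -> List[str]:
    """Return the list of rule violations; an empty list means DLM allows the plan."""
    problems = []
    src = [zone_for(p, source_zones) for p in source_paths]
    encrypted = [z for z in src if z is not None]
    # Rule: all source data is encrypted or none of it is.
    if 0 < len(encrypted) < len(src):
        problems.append("source mixes encrypted and unencrypted data")
    dst = zone_for(dest_path, dest_zones)
    # Rule: encrypted source may never land in an unencrypted destination.
    if encrypted and dst is None:
        problems.append("source is encrypted but destination is unencrypted")
    # Rule: same key on both sides is only supported on-premise to on-premise.
    if encrypted and dst is not None:
        if {z.key_name for z in encrypted} == {dst.key_name} and not on_premise_to_on_premise:
            problems.append("same key on both sides is supported only on-premise to on-premise")
    # Rule: a Hive source warehouse using TDE must sit in a single encryption zone.
    if hive and encrypted and len({z.path for z in encrypted}) != 1:
        problems.append("Hive source warehouse spans more than one encryption zone")
    return problems


# Constructed sample zone metadata (hypothetical paths and key names, not a real cluster).
SOURCE_ZONES = [EncryptionZone("/apps/hive/warehouse", "hive-key"),
                EncryptionZone("/data/finance", "finance-key")]
DEST_ZONES = [EncryptionZone("/backup", "backup-key"),
              EncryptionZone("/mirror", "finance-key")]

if __name__ == "__main__":
    print(validate_replication(["/data/finance/2023"], SOURCE_ZONES,
                               "/plain/finance", DEST_ZONES, on_premise_to_on_premise=True))
```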