Hadoop Security Guide

Create an Encryption Zone

Each encryption zone must be defined using an empty directory and an existing encryption key. An encryption zone cannot be created on top of a directory that already contains data.

Recommendation: use one unique key for each encryption zone.

Use the crypto createZone command to create a new encryption zone. The syntax is:

-createZone -keyName <keyName> -path <path>

where:

  • -keyName: specifies the name of the key to use for the encryption zone.

  • -path: specifies the path of the encryption zone to be created. It must be an empty directory.

Note

The hdfs service account can create zones, but cannot write data unless the account has sufficient permission.

Recommendation: Define a separate user account for the HDFS administrator, and do not provide access to keys for this user in Ranger KMS.

Steps:

  1. As HDFS administrator, create a new empty directory. For example:

    # hdfs dfs -mkdir /zone_encr

  2. Using the encryption key, make the directory an encryption zone. For example:

    # hdfs crypto -createZone -keyName key1 -path /zone_encr

    When finished, the NameNode will recognize the folder as an HDFS encryption zone.

  3. To verify creation of the new encryption zone, run the crypto -listZones command as an HDFS administrator:

    -listZones

    You should see the encryption zone and its key. For example:

    $ hdfs crypto -listZones
    /zone_encr  key1

    Note

    The following property (in the hdfs-default.xml file) causes listZones requests to be batched, which improves NameNode performance. The property specifies the maximum number of zones returned in a single batch.

    dfs.namenode.list.encryption.zones.num.responses

    The default is 100.
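To verify step 3 from a script rather than by eye, the following is an added example that is not part of the Hortonworks guide: it parses the `<path>  <key>` lines that `hdfs crypto -listZones` prints and confirms that a zone exists and is backed by the key you expect before any data is written into it. The listing below is constructed sample output; apart from /zone_encr and key1, the zone paths and key names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Hortonworks guide): check encryption zones
# from the output of `hdfs crypto -listZones`, which prints one line per
# zone in the form "<path>  <key>".

# Constructed sample output; only /zone_encr and key1 come from the guide.
SAMPLE_LISTZONES='/zone_encr  key1
/finance/pii  fin-key-2020
/archive  key1'

# zone_key OUTPUT PATH: print the key backing PATH, or return 1 if PATH is
# not an encryption zone. The match is exact, so /zone_encr does not match
# /zone_encr2 or a parent directory.
zone_key() {
  printf '%s\n' "$1" | awk -v p="$2" '
    $1 == p { print $2; found = 1 }
    END { exit(found ? 0 : 1) }'
}

# check_zone OUTPUT PATH KEY: returns 0 when PATH is a zone using KEY,
# 1 when PATH is not a zone at all, 2 when it is a zone but uses a
# different key (a sign the zone was created with the wrong -keyName).
check_zone() {
  k=$(zone_key "$1" "$2") || return 1
  [ "$k" = "$3" ] || return 2
  return 0
}

# zones_using_key OUTPUT KEY: print every zone path backed by KEY. More
# than one line means the "one unique key per zone" recommendation above
# is not being followed.
zones_using_key() {
  printf '%s\n' "$1" | awk -v k="$2" '$2 == k { print $1 }'
}

# Against a live cluster (assumes the hdfs client is on PATH and the
# caller is an HDFS administrator):
#   check_zone "$(hdfs crypto -listZones)" /zone_encr key1 && echo "zone ok"
#   zones_using_key "$(hdfs crypto -listZones)" key1
```

The functions take the listing as an argument rather than calling `hdfs` themselves, so the same check can be run against captured output or wired into a deployment script that feeds it the live listing.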

To remove an encryption zone, delete the root directory of the zone. For example:

hdfs dfs -rm -R /zone_encr