Hadoop Security Guide
Also available as:
loading table of contents...

Configuring and Using HDFS Data at Rest Encryption

After the Ranger KMS has been set up and the NameNode and HDFS clients have been configured, an HDFS administrator can use the hadoop key and hdfs crypto command-line tools to create encryption keys and set up new encryption zones.

The overall workflow is as follows:

  1. Create an HDFS encryption zone key that will be used to encrypt the file-level data encryption key for every file in the encryption zone. This key is stored and managed by Ranger KMS.

  2. Create a new HDFS folder. Specify required permissions, owner, and group for the folder.

  3. Using the new encryption zone key, designate the folder as an encryption zone.

  4. Configure client access. The user associated with the client application needs sufficient permission to access encrypted data. In an encryption zone, the user needs file/directory access (through Posix permissions or Ranger access control), as well as access for certain key operations. To set up ACLs for key-related operations, see the Ranger KMS Administration Guide.

After permissions are set, Java API clients and HDFS applications with sufficient HDFS and Ranger KMS access privileges can write and read to/from files in the encryption zone.