Create an Encryption Zone
Each encryption zone must be defined using an empty directory and an existing encryption key. An encryption zone cannot be created on top of a directory that already contains data.
Recommendation: use one unique key for each encryption zone.
Use the crypto createZone command to create a new encryption zone. The syntax is:

hdfs crypto -createZone -keyName <keyName> -path <path>

where:

-keyName: specifies the name of the key to use for the encryption zone.
-path: specifies the path of the encryption zone to be created. It must be an empty directory.
Note: Recommendation: Define a separate user account for the HDFS administrator, and do not give that user access to keys in Ranger KMS.
Steps:

1. As HDFS administrator, create a new empty directory. For example:

# hdfs dfs -mkdir /zone_encr

2. Using the encryption key, make the directory an encryption zone. For example:

# hdfs crypto -createZone -keyName key1 -path /zone_encr

When finished, the NameNode will recognize the directory as an HDFS encryption zone.

3. To verify creation of the new encryption zone, run the crypto -listZones command as an HDFS administrator:

# hdfs crypto -listZones

You should see the encryption zone and its key. For example:

$ hdfs crypto -listZones
/zone_encr  key1
Note: The following property (in the hdfs-default.xml file) causes listZones requests to be batched, which improves NameNode performance. It specifies the maximum number of zones that will be returned in one batch; the default is 100.

dfs.namenode.list.encryption.zones.num.responses
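As an added example (not part of the original documentation), the following POSIX shell functions check the two things an administrator wants verified around these steps: that the target directory really is empty before running -createZone, and that the listZones output shows the new zone with its key and that no key is shared between zones (the one-key-per-zone recommendation above). The sample listing and count lines are constructed, not captured from a real cluster; the column layout of `hdfs dfs -count` (DIR_COUNT FILE_COUNT CONTENT_SIZE PATHNAME) is assumed from the standard HDFS shell, and the function names are this example's own.

```shell
# Constructed sample output, not captured from a real cluster: the two
# whitespace-separated columns are zone path and key name, in the layout
# printed by `hdfs crypto -listZones`. /data/hr deliberately reuses key1.
SAMPLE_ZONES='/zone_encr key1
/data/finance key_finance
/data/hr key1'

# Constructed sample lines in the layout of `hdfs dfs -count <path>`:
# DIR_COUNT FILE_COUNT CONTENT_SIZE PATHNAME. An empty directory counts
# itself, so DIR_COUNT is 1 and FILE_COUNT is 0.
SAMPLE_COUNT_EMPTY='           1            0                  0 /zone_encr'
SAMPLE_COUNT_USED='           3            7            1048576 /data/existing'

# zone_key ZONE_PATH [LISTING]: print the key name the listing shows for
# ZONE_PATH; print nothing and return 1 when the zone is absent.
zone_key() {
  key=$(printf '%s\n' "${2:-$SAMPLE_ZONES}" | awk -v z="$1" '$1 == z { print $2; exit }')
  [ -n "$key" ] || return 1
  printf '%s\n' "$key"
}

# shared_keys [LISTING]: print, one per line, every key name used by more
# than one zone, i.e. every violation of the one-key-per-zone recommendation.
shared_keys() {
  printf '%s\n' "${1:-$SAMPLE_ZONES}" \
    | awk '{ n[$2]++ } END { for (k in n) if (n[k] > 1) print k }' \
    | sort
}

# dir_is_empty COUNT_LINE: succeed only when a `hdfs dfs -count` line shows a
# directory with no files and no subdirectories, the precondition for -createZone.
dir_is_empty() {
  set -- $1
  [ "$1" -eq 1 ] && [ "$2" -eq 0 ]
}

# Stand-alone demonstration against the constructed samples.
printf 'key for /zone_encr: %s\n' "$(zone_key /zone_encr)"
printf 'keys shared by more than one zone: %s\n' "$(shared_keys | tr '\n' ' ')"
dir_is_empty "$SAMPLE_COUNT_EMPTY" && echo '/zone_encr is empty: safe to create a zone'
```

On a live cluster, pass `"$(hdfs crypto -listZones)"` as the listing argument and `"$(hdfs dfs -count /zone_encr)"` to dir_is_empty; the functions only read the text they are given, so they can also be run against saved output.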
To remove an encryption zone, delete the root directory of the zone. For example:
hdfs dfs -rm -R /zone_encr