Create an Encryption Zone
Each encryption zone must be defined using an empty directory and an existing encryption key. An encryption zone cannot be created on top of a directory that already contains data.
Recommendation: use one unique key for each encryption zone.
Use the `crypto createZone` command to create a new encryption zone. The syntax is:
-createZone -keyName <keyName> -path <path>
where:
- `-keyName`: specifies the name of the key to use for the encryption zone.
- `-path`: specifies the path of the encryption zone to be created. It must be an empty directory.
Note: Define a separate user account for the HDFS administrator, and do not provide access to keys for this user in Ranger KMS.
Steps:
1. As HDFS administrator, create a new empty directory. For example:
   # hdfs dfs -mkdir /zone_encr
2. Using the encryption key, make the directory an encryption zone. For example:
   # hdfs crypto -createZone -keyName key1 -path /zone_encr
   When finished, the NameNode will recognize the folder as an HDFS encryption zone.
3. To verify creation of the new encryption zone, run the `crypto -listZones` command as an HDFS administrator:
   -listZones
   You should see the encryption zone and its key. For example:
   $ hdfs crypto -listZones
   /zone-encr key1
Note: The following property (in the `hdfs-default.xml` file) causes listZone requests to be batched, which improves NameNode performance. The property specifies the maximum number of zones that will be returned in a batch:
dfs.namenode.list.encryption.zones.num.responses
The default is 100.
To remove an encryption zone, delete the root directory of the zone. For example:
hdfs dfs -rm -R /zone_encr
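The steps above, wrapped as a guarded script with two checks an administrator would want: that a key is not shared between zones (the one-key-per-zone recommendation) and that the new zone really shows up in `-listZones` with the expected key. This is an added example, not part of the HDP documentation; the zone listing it parses is a constructed sample in the `-listZones` output format, and `create_zone` assumes the `hdfs` CLI is on PATH and is run by the HDFS administrator.

```shell
#!/bin/sh
# Constructed sample in the format printed by `hdfs crypto -listZones`
# (one "<zone path> <key name>" per line); not captured from a real cluster.
SAMPLE_ZONES='/zone_encr key1
/data/finance key2
/data/hr key2'

# Print every key name that backs more than one zone, one per line.
# Empty output means the one-unique-key-per-zone recommendation holds.
keys_shared_by_zones() {
    printf '%s\n' "$1" |
        awk 'NF == 2 { n[$2]++ } END { for (k in n) if (n[k] > 1) print k }' |
        sort
}

# Succeed (exit 0) only if listing $1 shows zone $2 backed by key $3.
zone_has_key() {
    printf '%s\n' "$1" |
        awk -v z="$2" -v k="$3" '$1 == z && $2 == k { found = 1 }
                                 END { exit found ? 0 : 1 }'
}

# The documented procedure as one function (hypothetical helper, assumes the
# hdfs CLI on PATH and an HDFS administrator caller). It refuses to proceed if
# the path already exists, so a zone is never placed over existing data, and it
# confirms the result against -listZones rather than trusting the exit code.
create_zone() {
    key="$1"; path="$2"
    if hdfs dfs -test -e "$path"; then
        echo "refusing: $path already exists; a zone needs a new empty directory" >&2
        return 1
    fi
    hdfs dfs -mkdir "$path" || return 1
    hdfs crypto -createZone -keyName "$key" -path "$path" || return 1
    zone_has_key "$(hdfs crypto -listZones)" "$path" "$key"
}

# Offline demonstration on the constructed listing
# (create_zone key1 /zone_encr would be run on a real cluster instead):
keys_shared_by_zones "$SAMPLE_ZONES"                 # prints: key2
zone_has_key "$SAMPLE_ZONES" /zone_encr key1 && echo "/zone_encr is backed by key1"
```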

