Security

Create an Encryption Zone

Each encryption zone must be defined using an empty directory and an existing encryption key. An encryption zone cannot be created on top of a directory that already contains data.

Recommendation: use one unique key for each encryption zone.

Use the hdfs crypto -createZone command to create a new encryption zone. The syntax is:

-createZone -keyName <keyName> -path <path>

where:

  • -keyName: specifies the name of the key to use for the encryption zone.

  • -path specifies the path of the encryption zone to be created. It must be an empty directory.

Note

The hdfs service account can create zones, but cannot write data unless the account has sufficient permission.

Recommendation: Define a separate user account for the HDFS administrator, and do not provide access to keys for this user in Ranger KMS.

Steps:

  1. As HDFS administrator, create a new empty directory. For example:

    # hdfs dfs -mkdir /zone_encr

  2. Using the encryption key, make the directory an encryption zone. For example:

    # hdfs crypto -createZone -keyName key1 -path /zone_encr

    When finished, the NameNode will recognize the folder as an HDFS encryption zone.

  3. To verify creation of the new encryption zone, run the crypto -listZones command as an HDFS administrator:

    -listZones

    You should see the encryption zone and its key. For example:

    $ hdfs crypto -listZones
    /zone_encr  key1

    Note

    The following property (in the hdfs-default.xml file) causes listZones requests to be batched, which improves NameNode performance. The property specifies the maximum number of zones returned in a single batch.

    dfs.namenode.list.encryption.zones.num.responses

    The default is 100.
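As an added example (not part of the original documentation or the HDFS project), a small POSIX shell helper around the steps above: it refuses to create a zone on a non-empty directory, checks -listZones output for the expected path/key pair, and flags any key that backs more than one zone, which goes against the one-unique-key-per-zone recommendation. It assumes the "<path> <key>" listing format shown above and that hdfs dfs -count prints DIR_COUNT FILE_COUNT CONTENT_SIZE PATH.

```shell
#!/bin/sh
# Added example helpers around `hdfs crypto -createZone` / `-listZones`.

# Create an encryption zone only if <path> is an existing, empty directory.
# `hdfs dfs -count` prints "DIR_COUNT FILE_COUNT CONTENT_SIZE PATH"; an empty
# directory counts itself as one directory and zero files.
create_zone() {
  zone_path="$1"; zone_key="$2"
  set -- $(hdfs dfs -count "$zone_path") || return 1
  if [ "$1" -ne 1 ] || [ "$2" -ne 0 ]; then
    echo "refusing: $zone_path is not an empty directory" >&2
    return 1
  fi
  hdfs crypto -createZone -keyName "$zone_key" -path "$zone_path"
}

# Read -listZones output on stdin and check that <path> is a zone using <key>.
# Returns 0 if found with that key, 2 if the zone uses a different key,
# 1 if the zone is not listed at all.
zone_has_key() {
  want_path="$1"; want_key="$2"
  status=1
  while read -r zpath zkey; do
    [ "$zpath" = "$want_path" ] || continue
    [ "$zkey" = "$want_key" ] && return 0
    status=2
  done
  return "$status"
}

# Read -listZones output on stdin and print every key that backs more than
# one zone, as "key: /zone_a /zone_b", sorted by key name.
shared_keys() {
  awk 'NF == 2 { n[$2]++; zones[$2] = zones[$2] " " $1 }
       END { for (k in n) if (n[k] > 1) print k ":" zones[k] }' | sort
}

# Constructed sample listing (not real cluster output) for the checks above.
SAMPLE_LISTING='/zone_encr key1
/zone_hr key2
/zone_tmp key1'

# Usage: review a listing for key reuse, e.g. from `hdfs crypto -listZones`.
printf '%s\n' "$SAMPLE_LISTING" | shared_keys
```

In a live run, replace the constructed sample with `hdfs crypto -listZones | shared_keys`, executed as the HDFS administrator.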

To remove an encryption zone, delete the root directory of the zone. For example:

hdfs dfs -rm -R /zone_encr