Configuring Apache HDFS Encryption
Also available as:
PDF
loading table of contents...

Create an Encryption Key

Create a "master" encryption key for the new encryption zone. Each key will be specific to an encryption zone. You can create a new encryption key via Ranger KMS (recommended) or the CLI.

Ranger supports AES/CTR/NoPadding as the cipher suite. (The associated property is listed under HDFS -> Configs in the Advanced hdfs-site list.)

Key size can be 128 or 256 bits.

Recommendation: create a new superuser for key management. In the following examples, superuser encr creates the key. This separates the data access role from the encryption role, strengthening security.

  • To create an Encryption Key using Ranger KMS (Recommended):
    1. Log in to Ranger as user keyadmin, password $keyadmin.
    2. In the Ranger Web UI screen, choose the Encryption tab at the top of the screen.
    3. Select the KMS service from the drop-down list.
    4. Click on "Add New Key":
    5. Add a valid key name.
    6. Select the cipher name. Ranger supports AES/CTR/NoPadding as the cipher suite.
    7. Specify the key length, 128 or 256 bits.
    8. Add other attributes as needed, and then save the key.
  • To create an Encryption Key using the CLI:
    1. The full syntax of the hadoop key create command is as follows:
      [create <keyname> [-cipher <cipher>] 
      [-size <size>] 
      [-description <description>] 
      [-attr <attribute=value>] 
      [-provider <provider>] 
      [-help]]
       # su - encr 
       # hadoop key create <key_name> [-size <number-of-bits>] 

      The default key size is 128 bits. The optional -size parameter supports 256-bit keys, and requires the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File on all hosts in the cluster. For installation information, see “Installing the JCE”.

       # su - encr 
       # hadoop key create key1 
      To verify creation of the key, list the metadata associated with the current user: # hadoop key list -metadata