Create an Encryption Key

Create a "master" encryption key for the new encryption zone. Each key will be specific to an encryption zone. You can create a new encryption key via Ranger KMS (recommended) or the CLI.

Ranger supports AES/CTR/NoPadding as the cipher suite. (The associated property is listed under HDFS -> Configs in the Advanced hdfs-site list.)

Key size can be 128 or 256 bits.

Recommendation: create a new superuser for key management. In the following examples, superuser encr creates the key. This separates the data access role from the encryption role, strengthening security.

To create an Encryption Key using Ranger KMS (Recommended):
1. Log in to Ranger as user keyadmin, password $keyadmin.
2. In the Ranger Web UI screen, choose the Encryption tab at the top of the screen.
3. Select the KMS service from the drop-down list.
4. Click on "Add New Key":
5. Add a valid key name.
6. Select the cipher name. Ranger supports AES/CTR/NoPadding as the cipher suite.
7. Specify the key length, 128 or 256 bits.
8. Add other attributes as needed, and then save the key.
To create an Encryption Key using the CLI:
1. The full syntax of the hadoop key create command is as follows:
```
[create <keyname> [-cipher <cipher>] 
[-size <size>] 
[-description <description>] 
[-attr <attribute=value>] 
[-provider <provider>] 
[-help]]
```
```
 # su - encr 
 # hadoop key create <key_name> [-size <number-of-bits>] 
```
  The default key size is 128 bits. The optional -size parameter supports 256-bit keys, and requires the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File on all hosts in the cluster. For installation information, see “Installing the JCE”.
```
 # su - encr 
 # hadoop key create key1 
```
  To verify creation of the key, list the metadata associated with the current user: # hadoop key list -metadata