Create an Encryption Zone

How to create an encryption zone when configuring HDFS encryption.

Each encryption zone must be defined using an empty directory and an existing encryption key. An encryption zone cannot be created on top of a directory that already contains data.

Recommendation: use one unique key for each encryption zone.

Use the crypto createZone command to create a new encryption zone. The syntax is:

-createZone -keyName <keyName> -path <path>

where:

-keyName: specifies the name of the key to use for the encryption zone.
-path specifies the path of the encryption zone to be created. It must be an empty directory.

As HDFS administrator, create a new empty directory.
# hdfs dfs -mkdir /zone_encr
Using the encryption key, make the directory an encryption zone.
# hdfs crypto -createZone -keyName key1 -path /zone_encr

When finished, the NameNode will recognize the folder as an HDFS encryption zone.

To verify creation of the new encryption zone, run the

crypto
                  -listZones

command as an HDFS administrator: -listZones.

	Note
	The following property (in the `hdfs-default.xml` file) causes listZone requests to be batched. This improves NameNode performance. The property specifies the maximum number of zones that will be returned in a batch. `dfs.namenode.list.encryption.zones.num.responses` The default is 100.

You should see the encryption zone and its key. For example:

$ hdfs crypto -listZones 
/zone-encr  key1

(Optional) To remove an encryption zone, delete the root directory of the zone. For example: hdfs dfs -rm -R /zone_encr.