Configuring Apache HDFS Encryption
Also available as:
PDF
loading table of contents...

Create an Encryption Zone

How to create an encryption zone when configuring HDFS encryption.

Each encryption zone must be defined using an empty directory and an existing encryption key. An encryption zone cannot be created on top of a directory that already contains data.

Recommendation: use one unique key for each encryption zone.

Use the crypto createZone command to create a new encryption zone. The syntax is:

-createZone -keyName <keyName> -path <path>

where:

  • -keyName: specifies the name of the key to use for the encryption zone.
  • -path specifies the path of the encryption zone to be created. It must be an empty directory.
  1. As HDFS administrator, create a new empty directory.
    # hdfs dfs -mkdir /zone_encr
  2. Using the encryption key, make the directory an encryption zone.
    # hdfs crypto -createZone -keyName key1 -path /zone_encr
    When finished, the NameNode will recognize the folder as an HDFS encryption zone.
  3. To verify creation of the new encryption zone, run the crypto -listZones command as an HDFS administrator: -listZones.
    Note
    Note

    The following property (in the hdfs-default.xml file) causes listZone requests to be batched. This improves NameNode performance. The property specifies the maximum number of zones that will be returned in a batch.

    dfs.namenode.list.encryption.zones.num.responses

    The default is 100.

    You should see the encryption zone and its key. For example:
    $ hdfs crypto -listZones 
    /zone-encr  key1

(Optional) To remove an encryption zone, delete the root directory of the zone. For example: hdfs dfs -rm -R /zone_encr.