Transparent Data Encryption (TDE) allows data on disk to be encrypted at rest and automatically decrypted on access. For Ozone, you can enable TDE at the key level or the bucket level. TDE is enabled at the bucket level when the bucket is created.
The Key Management Server must be installed and running. Ozone uses the same Key Management Server as HDFS.
- Create a bucket encryption key.
  The key is created in the Key Management Server for the bucket you want to protect. After the key is created, Ozone can use it when reading and writing data in that bucket.
- Assign the encryption key to a bucket.
  The following example shows how you can assign the key enck1 to the bucket encbucket1:
    ozone sh bucket create -k enck1 /vol/encbucket1
After you run this command, all data written to encbucket1 is encrypted using enck1. During the read process, client applications interact with the Key Management Server to obtain the key and decrypt the data. The encryption of data is completely transparent to users and client applications.
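The two steps above, scripted end to end with a verification step, as an added example that is not part of the Ozone documentation. It assumes the hadoop and ozone CLIs are on PATH and that ozone sh bucket info prints JSON containing an "encryptionKeyName" field (an assumption about the output format); the bucket-info sample in the check is constructed.

```shell
#!/usr/bin/env sh
# Added example, not Ozone project code: create a KMS key, create a TDE bucket
# bound to it, then confirm the bucket actually reports that key.
# Assumes `hadoop` and `ozone` on PATH.

KEY_NAME="${KEY_NAME:-enck1}"
BUCKET_PATH="${BUCKET_PATH:-/vol/encbucket1}"

# Return 0 if the KMS already has a key with this exact name.
kms_key_exists() {
  hadoop key list 2>/dev/null | grep -qx "$1"
}

# Create the key only when it is missing, so re-runs are idempotent.
ensure_key() {
  if kms_key_exists "$1"; then
    echo "key $1 already exists in KMS"
  else
    hadoop key create "$1"
  fi
}

# Create the bucket with TDE bound to the given key (the documented command).
create_encrypted_bucket() {
  ozone sh bucket create -k "$1" "$2"
}

# Pure text check: does the bucket-info JSON ($1) name the expected key ($2)?
# Assumption: `ozone sh bucket info` emits an "encryptionKeyName" field.
bucket_info_has_key() {
  printf '%s\n' "$1" | grep -Eq "\"encryptionKeyName\"[[:space:]]*:[[:space:]]*\"$2\""
}

# Fail loudly if the bucket was created without the key, instead of assuming.
verify_bucket_encryption() {
  info="$(ozone sh bucket info "$2")"
  if bucket_info_has_key "$info" "$1"; then
    echo "bucket $2 is encrypted with key $1"
  else
    echo "bucket $2 does not report encryption key $1" >&2
    return 1
  fi
}

# Run the full procedure only when invoked with --run, so the functions
# above can also be sourced and exercised on their own.
if [ "${1:-}" = "--run" ]; then
  ensure_key "$KEY_NAME"
  create_encrypted_bucket "$KEY_NAME" "$BUCKET_PATH"
  verify_bucket_encryption "$KEY_NAME" "$BUCKET_PATH"
fi
```

Invoke as `KEY_NAME=enck1 BUCKET_PATH=/vol/encbucket1 sh tde_bucket.sh --run` on a host with a working Ozone client and KMS.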