Transparent Encryption Recommendations for HBase

Make /hbase an encryption zone. Do not create encryption zones as subdirectories under /hbase, because HBase may need to rename files across those subdirectories. When you create the encryption zone, name the key hbase-key to take advantage of auto-generated KMS ACLs.

Steps

On a cluster without HBase currently installed, create the /hbase directory and make it an encryption zone.

On a cluster with HBase already installed, perform the following steps:
  1. Stop the HBase service.
  2. Move data from the /hbase directory to /hbase-tmp.
  3. Create an empty /hbase directory and make it an encryption zone.
  4. Distcp all data from /hbase-tmp to /hbase, preserving user-group permissions and extended attributes.
  5. Start the HBase service and verify that it is working as expected.
  6. Remove the /hbase-tmp directory.
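The migration steps above, scripted as an added example (this script is not part of the original page or of any HBase/Cloudera tooling). It assumes HDFS and the KMS are running, that the caller is the HDFS superuser (needed for hdfs crypto -createZone), and that the operator has already stopped HBase (step 1) before running apply. The plan subcommand prints every command instead of executing it, so the run can be reviewed first; the paths and key name default to the page's values and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example: move an existing /hbase into an HDFS encryption zone.
# Assumed: HDFS + KMS are up, caller is the HDFS superuser, HBase is stopped.
set -eu

HBASE_DIR="${HBASE_DIR:-/hbase}"
TMP_DIR="${TMP_DIR:-/hbase-tmp}"
KEY_NAME="${KEY_NAME:-hbase-key}"   # hbase-key picks up the auto-generated KMS ACLs
DRY_RUN="${DRY_RUN:-0}"             # DRY_RUN=1 prints each command instead of running it

# Run a command, or print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Refuse to start if an earlier attempt left /hbase-tmp behind: a second -mv
# would nest the live data underneath it instead of renaming the directory.
preflight() {
  [ "$DRY_RUN" = "1" ] && return 0
  if hdfs dfs -test -e "$TMP_DIR"; then
    printf 'refusing to run: %s already exists\n' "$TMP_DIR" >&2
    return 1
  fi
}

# Step 2: a single rename; no data is copied yet.
move_data_aside() {
  run hdfs dfs -mv "$HBASE_DIR" "$TMP_DIR"
}

# Step 3: create the key (drop this line if `hadoop key list` already shows it),
# recreate an empty /hbase and make that directory the encryption zone root.
create_encryption_zone() {
  run hadoop key create "$KEY_NAME"
  run hdfs dfs -mkdir "$HBASE_DIR"
  run hdfs crypto -createZone -keyName "$KEY_NAME" -path "$HBASE_DIR"
  run hdfs crypto -listZones
}

# Step 4: -pugpax preserves user, group, permissions, ACLs and xattrs.
# -update copies the *contents* of /hbase-tmp into the existing /hbase rather
# than nesting /hbase/hbase-tmp. -skipcrccheck is needed because HDFS file
# checksums cover the stored bytes, which are ciphertext inside the zone and
# plaintext outside it, so a post-copy CRC comparison would never match.
copy_data_back() {
  run hadoop distcp -pugpax -update -skipcrccheck "$TMP_DIR" "$HBASE_DIR"
}

migrate() {
  preflight
  move_data_aside
  create_encryption_zone
  copy_data_back
  # Steps 5 and 6 stay manual: verify HBase first. Use -skipTrash when removing,
  # otherwise the plaintext copy lingers in .Trash for the trash interval.
  printf 'Next: start HBase, verify it, then: hdfs dfs -rm -r -skipTrash %s\n' "$TMP_DIR"
}

usage() {
  printf 'usage: %s plan|apply   (plan prints the commands; apply runs them)\n' "$0" >&2
}

main() {
  case "${1:-}" in
    plan)  DRY_RUN=1; migrate ;;
    apply) migrate ;;
    *)     usage; return 2 ;;
  esac
}

if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it as `sh migrate-hbase-ez.sh plan` to see the exact commands, then `apply` once the output matches the paths you expect.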

KMS ACL Configuration for HBase

In the KMS ACL, grant the hbase user and group DECRYPT_EEK permission for the HBase key:

<property>
  <name>key.acl.hbase-key.DECRYPT_EEK</name>
  <value>hbase hbase</value>
  <description>Allow the hbase user and the hbase group to decrypt EEKs for the HBase encryption zone key.</description>
</property>
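The grant above is one half of the picture. As an added example (not the page's own configuration), here is the same key ACL in kms-acls.xml next to the hadoop.kms.blacklist.DECRYPT_EEK setting, which keeps the HDFS superuser, who administers the zone's ciphertext, from ever obtaining the data encryption keys. The blacklist entry and the principal name hdfs are assumptions for this example; the key name comes from the page. Note that once a key-specific ACL exists, default.key.acl.DECRYPT_EEK no longer applies to that key, so only the principals listed here (plus any in whitelist.key.acl.DECRYPT_EEK) can decrypt with hbase-key.

```xml
<!-- Added example fragment for kms-acls.xml; not from the original page. -->

<!-- Key-specific grant: replaces default.key.acl.DECRYPT_EEK for hbase-key. -->
<property>
  <name>key.acl.hbase-key.DECRYPT_EEK</name>
  <value>hbase hbase</value>
  <description>User hbase and group hbase may decrypt EEKs for the HBase zone key.</description>
</property>

<!-- Server-wide blacklist (assumed setting): deny decryptEncryptedKey to the HDFS
     superuser regardless of key ACLs, so storage administration never implies
     read access to the plaintext inside the zone. -->
<property>
  <name>hadoop.kms.blacklist.DECRYPT_EEK</name>
  <value>hdfs</value>
  <description>Principals denied DECRYPT_EEK for every key served by this KMS.</description>
</property>
```

After changing kms-acls.xml, check the KMS log or run a read as the hbase user against a file in /hbase to confirm the grant took effect, and confirm that a read as hdfs fails with an authorization error rather than returning data.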