Transparent Encryption Recommendations for HBase
Make /hbase
an encryption zone. Do not create encryption zones as
subdirectories under /hbase
, because HBase may need to rename files across
those subdirectories. When you create the encryption zone, name the key
hbase-key
to take advantage of auto-generated KMS ACLs.
Steps
On a cluster without HBase currently installed, create the
/hbase
directory and make that an encryption zone.
On a cluster with HBase already installed, perform the following
steps:
- Stop the HBase service.
- Move data from the
/hbase
directory to/hbase-tmp
. - Create an empty
/hbase
directory and make it an encryption zone. - Distcp all data from
/hbase-tmp
to/hbase
, preserving user-group permissions and extended attributes. - Start the HBase service and verify that it is working as expected.
- Remove the
/hbase-tmp
directory.
KMS ACL Configuration for HBase
In the KMS ACL, grant the hbase
user and group
DECRYPT_EEK
permission for the HBase key:
<property>
<name>key.acl.hbase-key.DECRYPT_EEK</name>
<value>hbase hbase</value>
</description>
</property>