Setting Up Data at Rest Encryption for HDFS

This section describes how to enable end-to-end data encryption to-and-from HDFS. For optimal performance, High Availability (HA) is also provided.

Depending on your encryption key root trustee requirements, you can enable HDFS encryption with one of the following options:

Ranger Key Management Service backed by Key Trustee Server, which sources the encryption zone keys from a backing Ranger Key Trustee Server and includes HA.
Ranger Key Management Service backed by Database, which sources the encryption zone keys from a backing Database and includes HA.
A file-based password protected Java Keystore, which adds the Java KeyStore KMS service to the cluster. The Java KeyStore KMS service uses a password-protected Java KeyStore for cryptographic key management. This option does not include HA.
warning
Cloudera strongly recommends NOT using this option for production environments. The file-based Java KeyStore root of trust is insufficient to provide the security, scalability, and manageability required by most production systems. More specifically, the Java KeyStore KMS does not provide:
- Scalability. You are limited to having only one Key Management System (KMS), which can result in bottlenecks.
- High Availability (HA).
- Recoverability. If you lose the node where the Java KeyStore is stored, you can lose access to all the encrypted data