Creating Encryption Zones
Once a KMS has been set up and the NameNode and HDFS clients have been correctly configured, use the hadoop key and hdfs crypto command-line tools to create encryption keys and set up new encryption zones.
- Create an encryption key for your zone as keyadmin for the user/group (regardless of the application that will be using the encryption zone):

    hadoop key create <key_name>

- Create a new empty directory and make it an encryption zone using the key created above:

    hadoop fs -mkdir /encryption_zone
    hdfs crypto -createZone -keyName <key_name> -path /encryption_zone

  You can verify creation of the new encryption zone by running the hdfs crypto -listZones command. You should see the encryption zone along with its key listed as follows:

    $ hdfs crypto -listZones
    /encryption_zone <key_name>