Replication of encrypted data
HDFS supports encryption of data at rest (including data accessed through Hive). This
topic describes how replication works within and between encryption zones and how to configure
replication to avoid failures due to encryption.
Encrypting data in transit between clusters A source directory and destination directory may or may not be in an encryption zone. If the destination directory is in an encryption zone, the data on the destination directory is encrypted. If the destination directory is not in an encryption zone, the data on that directory is not encrypted, even if the source directory is in an encryption zone. Encryption zones are not supported in CDH versions 5.1 or lower. Security considerations for encrypted data during replication The user you specify in the Run As Username field during replication policy creation requires full access to both the key and the data directories being replicated. This is not a recommended best practice for KMS management. If you change permissions in the KMS to enable this requirement, you could accidentally provide access for this user to data in other encryption zones using the same key. If a user is not specified in the Run As Username field, the replication runs as the default user, hdfs.