Creating Encryption Zones

Once a KMS has been set up and the NameNode and HDFS clients have been correctly configured, use the hadoop key and hdfs crypto command-line tools to create encryption keys and set up new encryption zones.

  • Create an encryption key for your zone as keyadmin, on behalf of the user or group that will own it (this step is the same whatever application will use the encryption zone):
    hadoop key create <key_name>
  • Create a new empty directory and make it an encryption zone using the key created above.
    hadoop fs -mkdir /encryption_zone
    hdfs crypto -createZone -keyName <key_name> -path /encryption_zone
    You can verify creation of the new encryption zone by running the -listZones command. You should see the encryption zone along with its key listed as follows:
    $ hdfs crypto -listZones
    /encryption_zone    <key_name>
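    The steps above as one script, added here as an example and not taken from the original page. It assumes hadoop and hdfs are on PATH, that it is run as keyadmin, and that -listZones prints one "<path> <key_name>" pair per line as shown above; the check that skips key creation when `hadoop key list` already names the key is an added assumption about that command's output.

```bash
#!/bin/sh
# Added example: create an HDFS encryption zone and verify it.
# Assumptions (not stated on the page): hadoop/hdfs are on PATH,
# the caller is keyadmin, and `hadoop key list` prints one key name
# per line.

# zone_has_key LISTING PATH KEY
# Return 0 if the -listZones output LISTING shows PATH using KEY,
# else 1. Expected format (from the page): "<path>    <key_name>".
zone_has_key() {
    printf '%s\n' "$1" | awk -v p="$2" -v k="$3" \
        '$1 == p && $2 == k { found = 1 } END { exit (found ? 0 : 1) }'
}

# create_encryption_zone PATH KEY
# Runs the page's commands in order and fails on the first error,
# then verifies the result with zone_has_key.
create_encryption_zone() {
    # Create the key only if it does not exist yet (reusing an existing
    # zone key is allowed; recreating it is not).
    hadoop key list | grep -qx "$2" || hadoop key create "$2" || return 1
    # The zone directory must be new and empty.
    hadoop fs -mkdir "$1" || return 1
    hdfs crypto -createZone -keyName "$2" -path "$1" || return 1
    # Verify: the zone must be listed with exactly the key we chose.
    zone_has_key "$(hdfs crypto -listZones)" "$1" "$2"
}

# Constructed sample of -listZones output, for checking the parser
# without a cluster.
SAMPLE_LISTING='/encryption_zone    finance_key
/other_zone    hr_key'

# Usage on a real cluster:
#   create_encryption_zone /encryption_zone finance_key && echo "zone ok"
```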