Configure encryption in HBase

You must encrypt the HBase root directory to ensure that you have an additional layer of protection in case the HDFS filesystem is compromised. You can encrypt the HBase root directory within HDFS, using HDFS Transparent Encryption.

HBase stores all of its data under its root directory in HDFS configured in the hbase.rootdir. If you use this feature in combination with bulk-loading of HFiles, you must configure hbase.bulkload.staging.dir to point to a location within the same encryption zone as the HBase root directory. Otherwise, you may encounter errors such as:
org.apache.hadoop.ipc.RemoteException( /tmp/output/f/5 can't be moved into an encryption zone.
  • Enable HDFS encryption using the HDFS encryption wizard.
  • Follow the instructions for setting up HDFS Transparent Encryption.
  • Validate and verify that HDFS encryption is enabled and working.
    For more information see, HDFS Transparent Encryption.