Configuring Cloudera Services for HDFS Encryption

There are recommendations that you must consider for setting up HDFS Transparent Encryption with various Cloudera services.

note

Ranger audit directories in HDFS are owned by specific service users. In the case of HDFS, it will be the HDFS service user. Typically, HDFS service user is blacklisted for the DECRYPT_EEK operation. Hence, enabling encryption of Ranger audit directories in HDFS is not recommended.

Responsible for HDFS administration, HDFS Superusers are not granted rights to decrypt data within encryption zones. Rather, they are authorized to create zones and attach keys to those zones for the data sets that they manage.