Encrypting data in transit between clusters
A source directory and destination directory may or may not be in an encryption zone. If the destination directory is in an encryption zone, the data on the destination directory is encrypted. If the destination directory is not in an encryption zone, the data on that directory is not encrypted, even if the source directory is in an encryption zone. Encryption zones are not supported in CDH versions 5.1 or lower.
When you configure encryption zones, you also configure Ranger Key Management Server (KMS) to manage encryption keys. To access encrypted data, the user must be authorized on the KMS for the encryption zones they need to interact with. The user you specify in thefield during the HDFS replication policy creation process must have this authorization. The key administrator must add ACLs to the KMS for that user to prevent authorization failure. During replication, data travels from the source cluster to the destination cluster using DistCp. For clusters that use encryption zones, configure encryption of KMS key transfers between the source and destination using TLS/SSL protocol.
You might come across the following three scenarios when using encryption zones:
|Scenario||Steps taken by Replication Manager to replicate data|
|Replicating data from an encrypted zone on the source cluster to an encrypted zone on a destination cluster.||
The data transmission is encrypted only if you have configured encryption for HDFS data transfer.
|Replicating from an encryption zone on the source cluster to an unencrypted zone on the destination cluster.||
|Replicating from an unencrypted zone on the source cluster to an encrypted zone on the destination cluster.||The data is available as is after replication.|
- Enable TLS/SSL for HDFS clients on both the source and the destination clusters. You may also need to configure trust between the SSL certificates on the source and destination.
- Enable TLS/SSL for the two peer Cloudera Manager Servers.
- Encrypt data transfer using HDFS data transfer encryption.
The following blog post provides additional information about encryption with HDFS: https://blog.cloudera.com/blog/2013/03/how-to-set-up-a-hadoop-cluster-with-network-encryption/.