Encryption at rest

The company has a policy of encrypting all Commercially Sensitive data at rest, so according to the data classification the Climate Accounting data will be stored in the Finance encryption zone on the cluster. For the purposes of regulatory reporting, the provenance of the data must be assured to the highest corporate standards. Encryption at rest is therefore mandatory due to regulatory requirements.

Key security documentation

  • How-to: Security
  • Encryption Zones and Keys


In our example we use finance as the <key_name> and create a specific encryption zone for the needs of the finance department on our shared corporate clusters, on HDFS at /warehouse/finance/:
  1. Create zone /warehouse/finance/

    1. Create an encryption key for your zone as keyadmin for the user/group (regardless of the application that will be using the encryption zone):
      sudo -u hbase hadoop key create <key_name>
    2. Create a new empty directory and make it an encryption zone using the key created above:
      sudo -u hdfs hadoop fs -mkdir /warehouse/finance/
      sudo -u hdfs hdfs crypto -createZone -keyName finance -path /warehouse/finance/
    3. You can verify creation of the new encryption zone by running the -listZones command. You should see the encryption zone along with its key listed as follows:
      sudo -u hdfs hdfs crypto -listZones
      /warehouse/finance/ finance
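
The verification step can be automated so that a data path is checked against the zone list before anything is written to it. The script below is an added example, not part of the original procedure: it reads the two-column -listZones output from stdin and reports which key covers a path. The function names, the hr row, the climate/2023 subdirectory and the assumption that zone paths contain no whitespace are all hypothetical.

```shell
#!/bin/sh
# Added example: check which encryption zone (and key) covers an HDFS path,
# using the "<path> <key>" rows printed by `hdfs crypto -listZones` on stdin.

# Constructed sample in the format shown above; the hr row is hypothetical.
SAMPLE_ZONES='/warehouse/finance/ finance
/warehouse/hr/ hr'

# zone_key_for_path PATH: print the key of the zone containing PATH.
# Exits non-zero when PATH is not inside any listed zone.
zone_key_for_path() {
    awk -v target="$1" '
        function norm(p) { sub(/\/+$/, "", p); return p }  # drop trailing slashes
        NF >= 2 {
            zone = norm($1); t = norm(target)
            # Match on a path boundary so /warehouse/finance_tmp is not
            # treated as being inside /warehouse/finance.
            if (t == zone || index(t, zone "/") == 1) {
                print $2; found = 1; exit
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# check_zone PATH EXPECTED_KEY: succeed only if PATH is covered by EXPECTED_KEY.
check_zone() {
    actual=$(zone_key_for_path "$1") || {
        echo "FAIL: $1 is not in any encryption zone" >&2; return 1; }
    [ "$actual" = "$2" ] || {
        echo "FAIL: $1 uses key '$actual', expected '$2'" >&2; return 1; }
    echo "OK: $1 is in a zone encrypted with key '$2'"
}

# Demo on the constructed sample (the subdirectory is hypothetical).
printf '%s\n' "$SAMPLE_ZONES" | check_zone /warehouse/finance/climate/2023 finance
```

On a cluster, pipe the real listing in instead of the sample: sudo -u hdfs hdfs crypto -listZones | check_zone /warehouse/finance/ finance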

In this case we create a general encryption zone for all financially sensitive information that will be stored on the cluster. Other encryption zones exist for other data classifications.