Encryption at rest
The company has a policy of having all Commercially Sensitive data, encrypted at rest, and therefore according to the data classification, the Climate Accounting data will be stored in the Finance encryption zone on the cluster. For the purposes of regulatory reporting the provenance of the data must be assured to the highest corporate standards. Therefore, encryption at rest is mandatory due to regulatory requirements.
Key security documentation
Encryption Zones and Keys
In our example we use finance as the <keyname> and create a specific encryption zone for the needs of the finance department on our shared corporate clusters on hdfs at /warehouse/finance/:
- Create an encryption key for your zone as keyadmin for the user/group
(regardless of the application that will be using the encryption
sudo -u hbase hadoop key create <key_name>
- Create an encryption key for your zone as keyadmin for the user/group (regardless of the application that will be using the encryption zone):
- Create a new empty directory and make it an encryption zone using the key created
sudo -u hdfs hadoop fs -mkdir /warehouse/finance/ sudo -u hdfs hdfs crypto -createZone -keyName finance -path /warehouse/finance/
- You can verify creation of the new encryption zone by running the -listZones command. You
should see the encryption zone along with its key listed as
sudo -u hdfs hdfs crypto -listZones /warehouse/finance/ finance
In this case we create a general encryption zone for all financially sensitive information that will be stored on the cluster. Other encryption zones exist for other data classifications.