Managing Encryption Keys and Zones
Interacting with the KMS and creating encryption zones requires the use of two CLI commands: hadoop key and hdfs crypto. Before getting started with creating encryption keys and setting up encryption zones, make sure that your KMS ACLs have been set up according to best practices.

Validating Hadoop Key Operations

Use hadoop key create to create a test key, and then use hadoop key list to retrieve the key list.

Creating Encryption Zones

Once a KMS has been set up and the NameNode and HDFS clients have been correctly configured, use the hadoop key and hdfs crypto command-line tools to create encryption keys and set up new encryption zones.

Adding Files to an Encryption Zone

You can add files to an encryption zone by copying them into the encryption zone using distcp.

Deleting Encryption Zones

To remove an encryption zone, delete the encrypted directory.

Backing Up Encryption Keys

It is very important that you regularly back up your encryption keys. Failure to do so can result in irretrievable loss of encrypted data.

Rolling Encryption Keys

When you roll an EZ key, you are essentially creating a new version of the key (ezKeyVersionName). Rolling EZ keys regularly helps enterprises minimize the risk of key exposure. If a malicious attacker were to obtain the EZ key and decrypt encrypted data encryption keys (EDEKs) into DEKs, they could gain the ability to decrypt HDFS files. Rolling an EZ key ensures that all DEKs for newly created files will be encrypted with the new version of the EZ key. The older EZ key version that the attacker obtained cannot decrypt these EDEKs. Files that already existed before the roll keep EDEKs wrapped with the older version until they are re-encrypted.

Re-encrypting Encrypted Data Encryption Keys (EDEKs)

When you re-encrypt an EDEK, you are essentially decrypting the original EDEK to recover the DEK, and then re-encrypting that DEK using the new (rolled) version of the EZ key. The file's metadata, which is stored in the NameNode, is then updated with this new EDEK. Re-encryption does not impact the data in the HDFS files or the DEK: the same DEK is still used to decrypt the file, so re-encryption is essentially transparent.
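The whole procedure described above (validate key operations, create a zone, copy files in with distcp, roll the EZ key, re-encrypt the zone, delete the zone) collected into one shell script. This is an added example, not code from the original page; it assumes the hadoop and hdfs CLIs are on PATH and that the calling principal already holds the KMS ACL permissions the page says must be in place. The key name mykey and the paths /data/plain and /data/zone are placeholders, and DRY_RUN is a switch introduced here so the commands can be inspected without a cluster.

```shell
#!/bin/sh
# Added example (not the page's own code): the key-and-zone lifecycle as
# shell functions. Set DRY_RUN=1 to print each command instead of running it.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Validating Hadoop key operations: create a test key, then list the keys.
create_key() {                       # create_key <keyName> [bits]
    run hadoop key create "$1" -size "${2:-256}"
}
list_keys() {
    run hadoop key list -metadata
}

# Creating an encryption zone. The target directory must exist and be empty
# before it can be turned into a zone.
create_zone() {                      # create_zone <keyName> <hdfs path>
    run hdfs dfs -mkdir -p "$2"
    run hdfs crypto -createZone -keyName "$1" -path "$2"
}
list_zones() {
    run hdfs crypto -listZones
}

# Adding files: copy into the zone with distcp. -skipcrccheck is used because
# checksums of the plaintext source and the encrypted destination do not match.
copy_into_zone() {                   # copy_into_zone <src> <zone path>
    run hadoop distcp -update -skipcrccheck "$1" "$2"
}

# Rolling the EZ key creates a new key version in the KMS; newly written files
# get EDEKs wrapped with that version.
roll_key() {                         # roll_key <keyName>
    run hadoop key roll "$1"
}

# Re-encrypting the zone rewrites existing files' EDEKs under the new version;
# the DEKs and file data are untouched. Progress is visible via the status command.
reencrypt_zone() {                   # reencrypt_zone <zone path>
    run hdfs crypto -reencryptZone -start -path "$1"
}
reencrypt_status() {
    run hdfs crypto -listReencryptionStatus
}

# Deleting a zone: remove the encrypted directory.
delete_zone() {                      # delete_zone <zone path>
    run hdfs dfs -rm -r "$1"
}

# Full sequence, executed only when DEMO=1 (e.g. DRY_RUN=1 DEMO=1 sh keys.sh).
if [ "${DEMO:-0}" = "1" ]; then
    create_key mykey && list_keys
    create_zone mykey /data/zone && list_zones
    copy_into_zone /data/plain /data/zone
    roll_key mykey
    reencrypt_zone /data/zone && reencrypt_status
fi
```

Keep the roll and the re-encryption as one change: after hadoop key roll, run reencrypt_zone and watch -listReencryptionStatus until it completes, otherwise files written before the roll are still protected only by the old key version.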
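To make the rolling and re-encryption sections concrete, the following added example (not from the page, and not how HDFS or the KMS actually store keys) models the key hierarchy the page describes, EZ key version wrapping a DEK into an EDEK and the DEK encrypting file bytes, with the openssl CLI. It assumes openssl is on PATH; the "DEK:" prefix inside the wrapped blob, the sidecar .iv files and the function names are conventions introduced here so that a wrong key version is detected reliably. It shows that after a roll plus re-encryption the new version unwraps the EDEK, the old version no longer can, and the DEK and the file data are unchanged.

```shell
#!/bin/sh
# Added example, not the page's own code: a stand-alone model of
# EZ key version -> EDEK -> DEK -> file data, using openssl.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A fresh 256-bit key, hex encoded (used for EZ key versions and DEKs alike).
new_key_hex() { openssl rand -hex 32; }

# wrap_dek <ez_key_hex> <dek_hex> <edek_file>: produce an EDEK by encrypting
# the DEK under one EZ key version. The "DEK:" prefix (a convention of this
# example) lets unwrap_dek tell a wrong key version from a right one.
wrap_dek() {
    openssl rand -hex 16 > "$3.iv"
    printf 'DEK:%s' "$2" | openssl enc -aes-256-cbc -K "$1" -iv "$(cat "$3.iv")" -out "$3"
}

# unwrap_dek <ez_key_hex> <edek_file>: recover the DEK, or fail (status 1)
# when this EZ key version is not the one the EDEK was wrapped with.
unwrap_dek() {
    out=$(openssl enc -d -aes-256-cbc -K "$1" -iv "$(cat "$2.iv")" -in "$2" 2>/dev/null || true)
    case "$out" in
        DEK:*) printf '%s' "${out#DEK:}" ;;
        *)     return 1 ;;
    esac
}

# reencrypt_edek <old_ez_hex> <new_ez_hex> <edek_file>: what re-encryption
# does per file: unwrap with the old version, re-wrap the SAME DEK under the
# new version. Neither the DEK nor the file data is touched.
reencrypt_edek() {
    dek=$(unwrap_dek "$1" "$3")
    wrap_dek "$2" "$dek" "$3"
}

# File data is encrypted with the DEK in AES-CTR (the mode HDFS uses).
encrypt_file() {                     # encrypt_file <dek_hex> <plain_in> <cipher_out>
    openssl rand -hex 16 > "$3.iv"
    openssl enc -aes-256-ctr -K "$1" -iv "$(cat "$3.iv")" -in "$2" -out "$3"
}
decrypt_file() {                     # decrypt_file <dek_hex> <cipher_in> <plain_out>
    openssl enc -d -aes-256-ctr -K "$1" -iv "$(cat "$2.iv")" -in "$2" -out "$3"
}

# Walk through create -> roll -> re-encrypt and check the invariants.
# Prints "ok" when they hold.
demo_roll_and_reencrypt() {
    ez_v1=$(new_key_hex); dek=$(new_key_hex)
    printf 'constructed sample file contents\n' > "$WORK/plain"   # constructed input
    encrypt_file "$dek" "$WORK/plain" "$WORK/file.enc"
    wrap_dek "$ez_v1" "$dek" "$WORK/edek"

    ez_v2=$(new_key_hex)                            # models: hadoop key roll <ezkey>
    reencrypt_edek "$ez_v1" "$ez_v2" "$WORK/edek"   # models: hdfs crypto -reencryptZone

    # New version unwraps the EDEK; the old one no longer does; data unchanged.
    [ "$(unwrap_dek "$ez_v2" "$WORK/edek")" = "$dek" ] || return 1
    if unwrap_dek "$ez_v1" "$WORK/edek" >/dev/null; then return 1; fi
    decrypt_file "$(unwrap_dek "$ez_v2" "$WORK/edek")" "$WORK/file.enc" "$WORK/plain2"
    [ "$(cat "$WORK/plain")" = "$(cat "$WORK/plain2")" ] || return 1
    echo ok
}
```

The check that matters operationally is the second one: without re-encryption the EDEK stays wrapped with ez_v1, so an attacker holding that version can still recover the DEK for every file written before the roll. Re-encryption is what revokes the old version's usefulness for existing files, and it does so without rewriting any file data.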
). Rolling EZ keys regularly helps enterprises minimize the risk of key exposure. If a malicious attacker were to obtain the EZ key and decrypt encrypted data encryption keys (EDEKs) into DEKs, they could gain the ability to decrypt HDFS files. Rolling an EZ key ensures that all DEKs for newly-created files will be encrypted with the new version of the EZ key. The older EZ key version that the attacker obtained cannot decrypt these EDEKs. Re-encrypting Encrypted Data Encryption Keys (EDEKs) When you re-encrypt an EDEK, you are essentially decrypting the original EDEK created by the DEK, and then re-encrypting it using the new (rolled) version of the EZ key. The file's metadata, which is stored in the NameNode, is then updated with this new EDEK. Re-encryption does not impact the data in the HDFS files or the DEK–the same DEK is still used to decrypt the file, so re-encryption is essentially transparent.