Configuring and Using HDFS "Data at Rest" Encryption
After the Ranger KMS has been set up and the NameNode and HDFS clients have been configured, an HDFS administrator can use the hadoop key and crypto command-line tools to create encryption keys and set up new encryption
You should create a separate HDFS Admin user account for HDFS Data at Rest Encryption.
- Create an HDFS encryption zone key that will be used to encrypt the file-level data encryption key for every file in the encryption zone. This key is stored and managed by Ranger KMS.
- Create a new HDFS folder. Specify required permissions, owner, and group for the folder.
- Using the new encryption zone key, designate the folder as an encryption zone.
- Configure client access. The user associated with the client application needs sufficient permission to access encrypted data. In an encryption zone, the user needs file/directory access (through POSIX permissions or Ranger access control), as well as access for certain key operations. To set up ACLs for key-related operations, see “Ranger KMS Administration”.
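The steps above, written as an added shell example (not from the original documentation or the Hadoop project): the key name, path and owner:group are placeholders, and the `HADOOP`/`HDFS` variables can be pointed at `echo` to dry-run the flow without a cluster.

```shell
#!/bin/sh
# Added example, not from the original documentation: the steps above as
# shell functions. HADOOP/HDFS are overridable so the flow can be dry-run
# (HADOOP=echo HDFS=echo) on a machine without a cluster.
HADOOP="${HADOOP:-hadoop}"
HDFS="${HDFS:-hdfs}"

# Step 1: create the encryption-zone key in Ranger KMS (256-bit by default).
create_zone_key() {
  "$HADOOP" key create "$1" -size "${2:-256}"
}

# Step 2: create the folder and set owner:group and permissions.
create_zone_dir() {
  "$HDFS" dfs -mkdir -p "$1"
  "$HDFS" dfs -chown "$2" "$1"
  "$HDFS" dfs -chmod "${3:-700}" "$1"
}

# Parse one line of 'hdfs dfs -count <path>' (DIR_COUNT FILE_COUNT BYTES PATH).
# An empty directory counts itself, so DIR_COUNT==1 and FILE_COUNT==0.
count_line_is_empty() {
  printf '%s\n' "$1" | awk '{ ok = ($1 == 1 && $2 == 0) } END { exit !ok }'
}

# Step 3: -createZone only succeeds on an existing, empty directory, so
# check first; data copied in afterwards is what gets encrypted.
create_zone() {
  count_line_is_empty "$("$HDFS" dfs -count "$2")" || {
    echo "refusing: $2 is not empty, createZone would fail" >&2
    return 1
  }
  "$HDFS" crypto -createZone -keyName "$1" -path "$2"
}

# Verification: pull the key name for a path out of 'hdfs crypto -listZones'
# output (one "<path>  <keyName>" line per zone) read from stdin.
zone_key_from_listing() {
  awk -v p="$1" '$1 == p { print $2 }'
}

# Usage: sh hdfs_ez.sh <keyName> <path> <owner:group>   (placeholder names)
if [ $# -eq 3 ]; then
  create_zone_key "$1"
  create_zone_dir "$2" "$3"
  create_zone "$1" "$2"
  "$HDFS" crypto -listZones | zone_key_from_listing "$2"
fi
```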