Create an Encryption Key
Create a "master" encryption key for the new encryption zone. Each key will be specific to an encryption zone. You can create a new encryption key via Ranger KMS (recommended) or the CLI.
Ranger supports AES/CTR/NoPadding as the cipher suite. (The associated property is listed under HDFS -> Configs in the Advanced hdfs-site list.)
Key size can be 128 or 256 bits.
Recommendation: create a new superuser for key management. In the following examples, the superuser encr creates the key. This separates the data access role from the encryption role, strengthening security.
To create an Encryption Key using Ranger KMS (Recommended):
- Log in to Ranger as user
- In the Ranger Web UI screen, choose the Encryption tab at the top of the screen.
- Select the KMS service from the drop-down list.
- Click on "Add New Key":
- Add a valid key name.
- Select the cipher name. Ranger supports AES/CTR/NoPadding as the cipher suite.
- Specify the key length, 128 or 256 bits.
- Add other attributes as needed, and then save the key.
To create an Encryption Key using the CLI:
The full syntax of the hadoop key create command is as follows:
[create <keyname> [-cipher <cipher>] [-size <size>] [-description <description>] [-attr <attribute=value>] [-provider <provider>] [-help]]
# su - encr
# hadoop key create <key_name> [-size <number-of-bits>]
The default key size is 128 bits. The optional -size parameter supports 256-bit keys, and requires the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File on all hosts in the cluster. For installation information, see “Installing the JCE”.
To verify creation of the key, list the metadata associated with the current user:
# su - encr
# hadoop key create key1
# hadoop key list -metadata
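The CLI steps above, wrapped as a small shell helper that rejects key sizes other than 128 or 256 bits and checks the `hadoop key list -metadata` output for the new key's cipher and length. This is an added example, not from the HDP documentation; it assumes the hadoop CLI is on PATH and already pointed at Ranger KMS, that it is run as the key-management user (the page's encr), and that the listing prints lines of the form "<name> : cipher: <cipher>, length: <bits>, ..." (the sample listing below is constructed).

```shell
#!/bin/sh
# Added helper (not part of the HDP docs): create an encryption-zone key and
# verify it was registered in Ranger KMS with the expected cipher and size.
set -e

# Only the two key sizes the documentation allows for AES/CTR/NoPadding.
valid_key_size() {
  case "${1:-}" in
    128|256) return 0 ;;
    *)       return 1 ;;
  esac
}

# Inspect `hadoop key list -metadata` output and succeed only if the named key
# exists with cipher AES/CTR/NoPadding and the expected bit length.
# Assumed line format: "<name> : cipher: <cipher>, length: <bits>, ..."
# Key names are expected to be plain identifiers (no regex metacharacters).
key_matches() {
  listing="$1"; name="$2"; size="$3"
  printf '%s\n' "$listing" \
    | grep -q -E "^${name} : cipher: AES/CTR/NoPadding, length: ${size}([^0-9]|$)"
}

# Create the key, then confirm from the KMS listing that it landed as requested.
# A 256-bit size additionally needs the JCE unlimited-strength policy on every host.
create_and_verify_key() {
  name="$1"; size="${2:-128}"
  if ! valid_key_size "$size"; then
    echo "key size must be 128 or 256 bits, got '$size'" >&2
    return 2
  fi
  hadoop key create "$name" -cipher AES/CTR/NoPadding -size "$size"
  key_matches "$(hadoop key list -metadata)" "$name" "$size"
}

# Constructed sample of what the listing looks like; hostnames and dates are made up.
SAMPLE_LISTING='Listing keys for KeyProvider: kms://http@kms.example.internal:9292/kms
key1 : cipher: AES/CTR/NoPadding, length: 128, description: null, created: Tue Jan 01 00:00:00 UTC 2019, version: 1, attributes: null
key2 : cipher: AES/CTR/NoPadding, length: 256, description: null, created: Tue Jan 01 00:00:00 UTC 2019, version: 1, attributes: null'
```

Call `create_and_verify_key <key_name> [128|256]` as the key-management user; a non-zero exit means either the size was rejected or the key is missing from the KMS listing.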