Create an Encryption Zone
How to create an encryption zone when configuring HDFS encryption.
Each encryption zone must be defined using an empty directory and an existing encryption key. An encryption zone cannot be created on top of a directory that already contains data.
Recommendation: use one unique key for each encryption zone.
Use the hdfs crypto -createZone command to create a new encryption zone. The syntax is:
hdfs crypto -createZone -keyName <keyName> -path <path>
-keyName: specifies the name of the key to use for the encryption zone.
-path: specifies the path of the encryption zone to be created. It must be an empty directory.
As HDFS administrator, create a new empty directory.
# hdfs dfs -mkdir /zone_encr
Using the encryption key, make the directory an encryption zone.
# hdfs crypto -createZone -keyName key1 -path /zone_encr
When finished, the NameNode will recognize the folder as an HDFS encryption zone.
To verify creation of the new encryption zone, run the hdfs crypto -listZones command as an HDFS administrator. You should see the encryption zone and its key. For example:
$ hdfs crypto -listZones
/zone_encr  key1
A property in the hdfs-default.xml file causes listZones requests to be batched, which improves NameNode performance. The property specifies the maximum number of zones that will be returned in a batch; the default is 100.
(Optional) To remove an encryption zone, delete the root directory of the zone. For example:
# hdfs dfs -rm -R /zone_encr
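The steps above can be wrapped in a small administrative script that enforces the two preconditions the page states (the key must already exist, the directory must be empty), follows the one-key-per-zone recommendation, and confirms the zone with hdfs crypto -listZones before reporting success. This is an added example, not part of the HDP documentation or of Hadoop itself; it assumes the hdfs and hadoop command-line tools are on PATH, that the caller is the HDFS administrator, and that hadoop key list and hdfs dfs -count produce their usual output formats.

```shell
#!/bin/sh
# Added example (not from the documentation page): creates an HDFS encryption
# zone only after checking the preconditions described above, then verifies it.
# Assumes the hdfs/hadoop CLIs are on PATH and the caller is the HDFS admin.

# Succeed if KEY is known to the KMS. "hadoop key list" prints one key name per
# line (plus a header), so an exact whole-line match avoids prefix collisions.
key_exists() {
    hadoop key list 2>/dev/null | grep -qx "$1"
}

# Succeed if PATH is a directory with no files and no subdirectories.
# "hdfs dfs -count" prints: DIR_COUNT FILE_COUNT CONTENT_SIZE PATHNAME
# An empty directory counts itself, so DIR_COUNT is 1 and FILE_COUNT is 0.
dir_is_empty() {
    hdfs dfs -test -d "$1" || return 1
    set -- $(hdfs dfs -count "$1")
    [ "$1" -eq 1 ] && [ "$2" -eq 0 ]
}

# Succeed if "hdfs crypto -listZones" shows ZONE paired with KEY.
zone_has_key() {
    hdfs crypto -listZones |
        awk -v p="$1" -v k="$2" '$1 == p && $2 == k { found = 1 } END { exit !found }'
}

# Succeed if KEY is already assigned to any existing encryption zone.
key_in_use() {
    hdfs crypto -listZones |
        awk -v k="$1" '$2 == k { found = 1 } END { exit !found }'
}

# create_encryption_zone KEY ZONE
# Creates ZONE (if missing), refuses non-empty directories, unknown keys and
# keys already used by another zone, then verifies the result with listZones.
create_encryption_zone() {
    key="$1"; zone="$2"
    if ! key_exists "$key"; then
        echo "key '$key' not found in the KMS" >&2; return 1
    fi
    hdfs dfs -test -d "$zone" || hdfs dfs -mkdir "$zone" || return 1
    if ! dir_is_empty "$zone"; then
        echo "$zone is not empty; an encryption zone needs an empty directory" >&2; return 1
    fi
    if key_in_use "$key"; then
        echo "key '$key' is already used by another encryption zone" >&2; return 1
    fi
    hdfs crypto -createZone -keyName "$key" -path "$zone" || return 1
    zone_has_key "$zone" "$key"
}

# Usage (as the HDFS administrator):
#   create_encryption_zone key1 /zone_encr
```

The final zone_has_key call is what turns the script into a check rather than a fire-and-forget command: if the NameNode did not register the zone with the expected key, the function fails and the caller can stop before placing data in a directory it believes to be encrypted.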