https://community.cloudera.com/t5/Support-Questions/HDFS-encryption-confusion/m-p/39187#M2501 <P>Hi,</P><P>&nbsp;</P><P>Encryption at rest is used for protecting your data from an unauthorized user who has no read permission in hdfs&nbsp;or has no access to cluster and is trying to read it from the disk directly.&nbsp;</P><P>&nbsp;</P><P>In your example the directory&nbsp;<SPAN>/</SPAN>tmp<SPAN>/user1zone1</SPAN> has read access for all cluster users and hence user2 is allowed to read from it.&nbsp;</P><P><SPAN>drwxr-xr-x - user1 supergroup 0 2016-02-10 02:42 /tmp/user1zone1</SPAN></P> Wed, 30 Mar 2016 19:09:56 GMT venkatsambath 2016-03-30T19:09:56Z https://community.cloudera.com/t5/Support-Questions/HDFS-encryption-confusion/m-p/36860#M2496 <P>I am new to HDFS Transparent encryption feature.</P><P><BR />I am using cloudera CDH 5.4.9 and trying to use hdfs encryption in following manner.<BR /># I am using Java KeyStore and configured KMS service and integrated HDFS to use this JAVA KMS<BR /># Create two users<BR />useradd -m user1<BR />passwd user1<BR />useradd -m user2<BR />passwd user2</P><P># As a user1 perform following operations<BR /># Create key and create user1 encryption zone<BR /># link user1 zone to created key<BR />su user1<BR />hadoop key create user1key1<BR />hadoop fs -mkdir /tmp/user1zone1<BR />su hdfs<BR />hdfs crypto -createZone -keyName user1key1 -path /tmp/user1zone1</P><P># verify zone is created<BR />hdfs crypto -listZones</P><P># create file with user1 credential and put into user1 encryption zone<BR />echo "Hello World" &gt; /tmp/helloWorld.txt<BR />hadoop fs -put /tmp/helloWorld.txt /tmp/user1zone1<BR />hadoop fs -cat /tmp/user1zone1/helloWorld.txt<BR />Hello World</P><P># Verify if file is encrypted<BR />su hdfs<BR />hadoop fs -cat /.reserved/raw/tmp/zone1/helloWorld.txt<BR />T▒▒6▒5▒▒7̼[</P><P># Now login as another user<BR />su user2<BR />hadoop fs -cat /tmp/user1zone1/helloWorld.txt<BR />Hello World<BR /><BR /><BR />If encryption zone was created by user1 then how another user2 is able to view the encrypted data.<BR />I might be missing something very basic here.<BR /><BR />Can anyone shed some light on this?</P> Fri, 16 Sep 2022 10:01:06 GMT https://community.cloudera.com/t5/Support-Questions/HDFS-encryption-confusion/m-p/36860#M2496 vmshah 2022-09-16T10:01:06Z https://community.cloudera.com/t5/Support-Questions/HDFS-encryption-confusion/m-p/37172#M2497 <P>First of all both users are accessing the file because u may not have set the permissions of both the users accordingly to access that file. Dont get confused with Encryption and permission. Question you asked is something related to file level permissions and encryption has lot more use cases compare to permissions.</P><P>&nbsp;</P><P>When creating a new file in an encryption zone, the NameNode asks the KMS to generate a new EDEK encrypted with the encryption zone’s key. The EDEK is then stored persistently as part of the file’s metadata on the NameNode.</P><P>&nbsp;</P><P>When reading a file within an encryption zone, the NameNode provides the client with the file’s EDEK and the encryption zone key version used to encrypt the EDEK. The client then asks the KMS to decrypt the EDEK, which involves checking that the client has permission to access the encryption zone key version. Assuming that is successful, the client uses the DEK to decrypt the file’s contents.</P><P>&nbsp;</P><P>Hope this clears your question!!!</P> Tue, 09 Feb 2016 04:58:21 GMT https://community.cloudera.com/t5/Support-Questions/HDFS-encryption-confusion/m-p/37172#M2497 naveen1 2016-02-09T04:58:21Z https://community.cloudera.com/t5/Support-Questions/HDFS-encryption-confusion/m-p/37213#M2498 <P>Thanks for the reply.</P><P>&nbsp;</P><P>Confusion i had was because of following question.</P><P>If let's say user1 has put&nbsp;file into encryption zone</P><P>&nbsp;</P><P>hadoop fs -put /tmp/helloWorld.txt /tmp/user1zone1</P><P>drwxr-xr-x - user1 supergroup 0 2016-02-10 02:42 /tmp/user1zone1</P><P>&nbsp;</P><P>now let's say as user2 execute following comand&nbsp;</P><P>hadoop fs -cat /tmp/user1zone1/helloWorld.txt</P><P>&nbsp;</P><P>no matter whatever user i use to read content i am able to read the content of a file.</P><P>&nbsp;</P><P>Should user2&nbsp;able to see original text contents?</P><P>&nbsp;</P> Tue, 09 Feb 2016 21:31:30 GMT https://community.cloudera.com/t5/Support-Questions/HDFS-encryption-confusion/m-p/37213#M2498 vmshah 2016-02-09T21:31:30Z https://community.cloudera.com/t5/Support-Questions/HDFS-encryption-confusion/m-p/37214#M2499 <P>Vmshah,</P><P>&nbsp;</P><P>Do both users belong to the same group?</P><P>&nbsp;</P><P>d(rwx)(r)-x(r)-x -- according to permissions set, here user1 groups and others can read and execute the data.</P><P>&nbsp;</P><P>If you want only user 1 to read, write and execute the data then set the permissions accordingly.(eg: hadoop fs -chmod 700 /tmp/user1zone1/helloWorld.txt )</P> Tue, 09 Feb 2016 21:40:29 GMT https://community.cloudera.com/t5/Support-Questions/HDFS-encryption-confusion/m-p/37214#M2499 naveen1 2016-02-09T21:40:29Z https://community.cloudera.com/t5/Support-Questions/HDFS-encryption-confusion/m-p/37215#M2500 I understand that setting permission will control the read write.<BR /><BR />But then how encryption is useful to prevent other users reading your data.<BR /><BR />I understand if you get block level access to file, user will not be able<BR />to read.<BR /><BR />For security related to other user in the same system seeing encrypted<BR />data, I am not sure if there would be the use case for that or not<BR /> Tue, 09 Feb 2016 21:54:14 GMT https://community.cloudera.com/t5/Support-Questions/HDFS-encryption-confusion/m-p/37215#M2500 vmshah 2016-02-09T21:54:14Z https://community.cloudera.com/t5/Support-Questions/HDFS-encryption-confusion/m-p/39187#M2501 <P>Hi,</P><P>&nbsp;</P><P>Encryption at rest is used for protecting your data from an unauthorized user who has no read permission in hdfs&nbsp;or has no access to cluster and is trying to read it from the disk directly.&nbsp;</P><P>&nbsp;</P><P>In your example the directory&nbsp;<SPAN>/</SPAN>tmp<SPAN>/user1zone1</SPAN> has read access for all cluster users and hence user2 is allowed to read from it.&nbsp;</P><P><SPAN>drwxr-xr-x - user1 supergroup 0 2016-02-10 02:42 /tmp/user1zone1</SPAN></P> Wed, 30 Mar 2016 19:09:56 GMT https://community.cloudera.com/t5/Support-Questions/HDFS-encryption-confusion/m-p/39187#M2501 venkatsambath 2016-03-30T19:09:56Z