question Re: Ranger KMS for HDFS Transparent Data Encryption: Switching KMS Keys in Archives of Support Questions (Read Only)

Ranger KMS for HDFS Transparent Data Encryption: Switching KMS Keys

wfloyd — Thu, 08 Oct 2015 01:55:26 GMT

Customer would like to know if they are able to switch the keys which are stored in the KMS without re-encrypting HDFS data? I believe this may also be referred to as the EEK (Encrypted Encryption Key)?

Documentation here

Re: Ranger KMS for HDFS Transparent Data Encryption: Switching KMS Keys

bdurai — Thu, 08 Oct 2015 04:45:41 GMT

Yes you will be able to rollover the Encryption Zone Key (EZKey). EZKey is used to encrypt the key used to encrypt the data/file. There is one active EZ key per encryption zone. You can rollover the EZKey as needed and new EEK (File Keys) will be encrypted with the new key. However file/data keys encrypted with older keys will not be rekeyed. Since the EZKeys are versioned, older EEK will be decrypted with appropriate version. So everything works seamlessly.

Re: Ranger KMS for HDFS Transparent Data Encryption: Switching KMS Keys

khadeermhmd — Wed, 19 Oct 2016 05:38:38 GMT

I have installed ranger and ranger kms and setup all the configurations and everything is working fine.

I have created encryption zone in hdfs and in the policy i have mentioned two users(user 1 and user 2) to access this encryption zone, they are able to access this encryption zone . I want to set permissions to encryption zone in such a way that user1 should have read and write access and user 2 should have only read access?how can we define this ?