BYOK (Bring Your Own Key)
Labels: Cloudera Data Platform (CDP), HDFS
New Contributor
Created 09-25-2020 08:11 AM
Hi guys,
I'm trying to understand encryption options on HDFS, and it seems that HDFS Transparent Encryption is a good option.
My question is: is there a way to use my own key (BYOK) for the encryption?
Is there anyone with the same problem?
Many Thanks
Alessandro
1 REPLY
Expert Contributor
Created 09-29-2020 01:28 PM
Hello @hammer75, currently no document suggests the use of BYOK as a backing Keystore.
Cloudera offers the following two options for enterprise-grade key management:
- Cloudera Navigator Key Trustee Server is a key store for managing encryption keys. To integrate with the Navigator Key Trustee Server, Cloudera provides a custom KMS service, Key Trustee KMS.
- Hardware security modules (HSM) are third-party appliances that provide the highest level of security for keys. To integrate with a list of supported HSMs, Cloudera provides a custom KMS service, Navigator HSM KMS (see Installing Navigator HSM KMS Backed by Thales HSM and Installing Navigator HSM KMS Backed by Luna HSM).
So the HDFS Data At Rest Encryption wizard in Cloudera Manager offers the following 4 roots of trust for encryption keys:
- Cloudera Navigator Key Trustee Server
- Navigator HSM KMS backed by Thales HSM
- Navigator HSM KMS backed by Luna HSM
- A file-based password-protected Java KeyStore (not for Prod env)
