HDFS KMS encryption on the existing hdfs directory

Explorer

Hi, I've checked this procedure from Cloudera on how to validate the encryption of my KMS and HDFS:

Create a zone and link to the key.

su hdfs

hdfs crypto -createZone -keyName mykey1 -path /tmp/zone1

Create a file, put it in your zone and ensure the file can be decrypted.

su

echo "Hello World" > /tmp/helloWorld.txt

hadoop fs -put /tmp/helloWorld.txt /tmp/zone1

hadoop fs -cat /tmp/zone1/helloWorld.txt

rm /tmp/helloWorld.txt

Just want to ask: I have an existing HDFS directory that I want to encrypt. My questions are below:

1. Can I encrypt an existing HDFS directory using this command: hdfs crypto -createZone -keyName mykey1 -path /tmp/zone1?

2. If I encrypt the HDFS directory, is the encryption applied to its subdirectories and the files under it?

Re: HDFS KMS encryption on the existing hdfs directory

Rising Star

You cannot perform an in-place encryption of an existing directory.

You need to create an encryption zone and move data to the encryption zone.

Here's the docs with the procedure.

Re: HDFS KMS encryption on the existing hdfs directory

Master Collaborator

@Mondi I guess yes. The encryption will take place in subdirectories as well. See the blog post.

https://blog.cloudera.com/new-in-cdh-5-3-transparent-encryption-in-hdfs/

Though you can just give it a try by making any test file/dir.


Cheers!
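
The procedure from the accepted answer, as an added example that is not part of the thread or of Cloudera's documentation: the zone is created on an empty directory beside the existing data, the data is copied in with distcp, and one nested file is checked, which also covers the subdirectory question. The DRY_RUN switch, the function names and all paths are assumptions of this example; with DRY_RUN=1 (the default) the commands are only printed.

```shell
#!/usr/bin/env bash
# Added example: copy an existing HDFS directory into a new encryption zone.
# DRY_RUN, the function names and all paths are assumptions of this example.
# createZone needs the HDFS superuser, as with "su hdfs" in the question.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print each command, 0 = execute it

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# migrate_to_zone KEY SRC_DIR ZONE_DIR
migrate_to_zone() {
  key="$1"; src="${2%/}"; zone="${3%/}"
  # The zone cannot be the populated directory itself (no in-place encryption)
  # and must not sit inside it, or the copy would recurse into its own output.
  case "$zone/" in
    "$src"/*) echo "zone must be outside $src" >&2; return 2 ;;
  esac

  # createZone only accepts an empty directory.
  run hdfs dfs -mkdir -p "$zone" || return 1
  run hdfs crypto -createZone -keyName "$key" -path "$zone" || return 1

  # Renames across a zone boundary are rejected, so the data is copied.
  # -skipcrccheck: checksums of encrypted blocks differ from the plaintext source.
  run hadoop distcp -update -skipcrccheck "$src" "$zone" || return 1
  run hdfs crypto -listZones
}

# verify_encrypted ZONE_DIR REL_FILE: show the encryption info of one file,
# e.g. one in a subdirectory, to confirm that nested files are covered.
verify_encrypted() {
  run hdfs crypto -getFileEncryptionInfo -path "${1%/}/$2"
}

# remove_plaintext SRC_DIR: run only after the copy has been verified; until
# then the unencrypted original stays readable.
remove_plaintext() {
  run hdfs dfs -rm -r -skipTrash "$1"
}
```

Review the printed commands first, then rerun with DRY_RUN=0, for example: migrate_to_zone mykey1 /data/existing /data/existing.enc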