HDFS KMS encryption on the existing hdfs directory

Rising Star

Hi, I've checked this procedure in Cloudera on how to validate the encryption of my KMS and HDFS:

 

Create a zone and link to the key.

su hdfs
hdfs crypto -createZone -keyName mykey1 -path /tmp/zone1

Create a file, put it in your zone and ensure the file can be decrypted.

su
echo "Hello World" > /tmp/helloWorld.txt
hadoop fs -put /tmp/helloWorld.txt /tmp/zone1
hadoop fs -cat /tmp/zone1/helloWorld.txt
rm /tmp/helloWorld.txt

Just want to ask: I have an existing HDFS directory that I want to encrypt. My questions are below:

1. Can I encrypt an existing HDFS directory using this command: hdfs crypto -createZone -keyName mykey1 -path /tmp/zone1?

2. If I encrypt the HDFS directory, is the encryption implemented on its subdirectories and the files under it?

1 ACCEPTED SOLUTION

Expert Contributor

You cannot perform an in-place encryption of an existing directory.

You need to create an encryption zone and move data to the encryption zone.

Here's the docs with the procedure.
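The copy-into-a-new-zone approach from the accepted answer, as an added shell example (not part of the original post or of Cloudera's documentation). `/data/plain` and `/data/secure` are assumed paths; `mykey1` is the key name from the question and must already exist in the KMS. The last function prints the per-file check that answers question 2 for a file in a subdirectory.

```shell
#!/bin/sh
# Added example: move an existing HDFS directory into a new encryption zone.
# SRC and ZONE are assumed placeholder paths; KEY is the key from the question.
SRC="${SRC:-/data/plain}"      # existing, unencrypted directory
ZONE="${ZONE:-/data/secure}"   # new directory that becomes the zone
KEY="${KEY:-mykey1}"
DRY_RUN="${DRY_RUN:-1}"        # 1 = only print the plan, 0 = execute it

run() {
  # Print each command; execute it only when DRY_RUN is not 1.
  echo "+ $*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

migrate_to_zone() {
  # 1. createZone only accepts an empty directory, so a populated one
  #    cannot be converted in place. Run these as the HDFS superuser.
  run hdfs dfs -mkdir -p "$ZONE" || return 1
  run hdfs crypto -createZone -keyName "$KEY" -path "$ZONE" || return 1
  # 2. Copy instead of rename: HDFS rejects renames across a zone boundary.
  #    Run as a user the KMS allows to use the key. Checksums of encrypted
  #    and plaintext blocks differ, hence -skipcrccheck.
  run hadoop distcp -update -skipcrccheck "$SRC" "$ZONE" || return 1
  # 3. Confirm the zone is listed and compare directory/file/byte counts.
  run hdfs crypto -listZones || return 1
  run hdfs dfs -count "$SRC" "$ZONE" || return 1
  # 4. Deleting the plaintext source is left as a manual step after the
  #    counts match (hdfs dfs -rm -r -skipTrash keeps it out of the trash).
}

verify_nested_file() {
  # Files in subdirectories of the zone report encryption info as well.
  run hdfs crypto -getFileEncryptionInfo -path "$1"
}

migrate_to_zone
```

With the default `DRY_RUN=1` the script only prints the plan; set `DRY_RUN=0` on a cluster to execute it.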

 


2 REPLIES

Master Guru

@Mondi I guess yes. The encryption will take place in subdirectories as well. See the blog post.

https://blog.cloudera.com/new-in-cdh-5-3-transparent-encryption-in-hdfs/

 

Though you can just give it a try by making any test file/dir.


Cheers!
