I am going through how to encrypt data at rest on HDFS https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/ch_hdp-security-guide-h....
I have one doubt here:
While reading a file from HDFS, the NameNode passes the EDEK to the client. The client then passes the EDEK to the KMS to get the DEK, fetches the blocks of that file from the DataNode, and decrypts them using the DEK.
So it could be possible that somebody in between sniffs and gets the DEK coming from the KMS, and also sniffs the data blocks coming from the DataNode. Then both could be used to decrypt the data by a man in the middle. So how is this taken care of? What type of communication is there between:
1. the KMS and the client,
2. the NameNode and the KMS,
so that no one in between can compromise the keys?
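The read path in the question is envelope encryption: the NameNode only ever holds the DEK wrapped under the encryption-zone (EZ) key, the DataNode only holds ciphertext, and the one message that carries a bare DEK is the KMS response. The following Go program is an added example written to show that split, not code from the Hortonworks documentation or from Hadoop itself. The in-memory `KMS`, `NameNode` and `DataNode` types, the `EDEK` field names, and the use of AES-GCM for wrapping the DEK are modelling choices made here (Hadoop's KMS wraps EDEKs differently); AES-CTR for the block data matches what HDFS uses. The sample record is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EDEK is what the NameNode stores in the file's xattr and hands to readers:
// the per-file DEK wrapped under the zone key, plus the IV for the blocks.
// Exposing it reveals nothing about the DEK; exposing the DEK reveals the file.
type EDEK struct {
	WrapNonce  []byte // nonce for the wrapping AEAD (field name is ours)
	WrappedDEK []byte // DEK sealed under the EZ key (16-byte DEK + 16-byte tag)
	FileIV     []byte // AES-CTR IV for the file's data blocks
}

// KMS holds the encryption-zone key; it never leaves this struct.
type KMS struct{ ezKey []byte }

// NameNode stores metadata only: one EDEK per file, never a DEK.
type NameNode struct{ xattrs map[string]EDEK }

// DataNode stores ciphertext blocks only; it never sees a key.
type DataNode struct{ blocks map[string][]byte }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewKMS() *KMS { return &KMS{ezKey: randBytes(32)} }

func (k *KMS) aead() cipher.AEAD {
	block, err := aes.NewCipher(k.ezKey)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// GenerateEncryptedKey mints a fresh DEK and returns only its wrapped form,
// which is what the NameNode requests when a file is created in a zone.
func (k *KMS) GenerateEncryptedKey() EDEK {
	dek, nonce := randBytes(16), randBytes(12)
	return EDEK{WrapNonce: nonce, WrappedDEK: k.aead().Seal(nil, nonce, dek, nil),
		FileIV: randBytes(aes.BlockSize)}
}

// DecryptEncryptedKey unwraps an EDEK. Its response is the bare DEK, which is
// why the client-to-KMS channel needs confidentiality, not just authentication.
func (k *KMS) DecryptEncryptedKey(e EDEK) ([]byte, error) {
	dek, err := k.aead().Open(nil, e.WrapNonce, e.WrappedDEK, nil)
	if err != nil {
		return nil, errors.New("EDEK rejected: wrong zone key or tampered envelope")
	}
	return dek, nil
}

// CTRXOR applies AES-CTR with the given key and IV; encrypting and decrypting
// are the same operation, as with HDFS's AES/CTR/NoPadding block encryption.
func CTRXOR(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// WriteFile is the client write path: EDEK from the NN, DEK from the KMS,
// ciphertext to the DN. The DN receives neither a key nor plaintext.
func WriteFile(nn *NameNode, dn *DataNode, kms *KMS, name string, plaintext []byte) error {
	edek := kms.GenerateEncryptedKey()
	nn.xattrs[name] = edek
	dek, err := kms.DecryptEncryptedKey(edek)
	if err != nil {
		return err
	}
	ct, err := CTRXOR(dek, edek.FileIV, plaintext)
	if err != nil {
		return err
	}
	dn.blocks[name] = ct
	return nil
}

// ReadFile is the read path described in the question.
func ReadFile(nn *NameNode, dn *DataNode, kms *KMS, name string) ([]byte, error) {
	edek, ok := nn.xattrs[name]
	if !ok {
		return nil, fmt.Errorf("no such file: %s", name)
	}
	dek, err := kms.DecryptEncryptedKey(edek)
	if err != nil {
		return nil, err
	}
	return CTRXOR(dek, edek.FileIV, dn.blocks[name])
}

// ObserverRecovers models someone who captured the EDEK (NN channel) and the
// blocks (DN channel) but not the KMS response: the wrapped bytes are not a
// usable key, so the blocks stay opaque. Only the DEK itself would open them.
func ObserverRecovers(edek EDEK, ct, expected []byte) bool {
	guess, err := CTRXOR(edek.WrappedDEK, edek.FileIV, ct)
	return err == nil && bytes.Equal(guess, expected)
}

func main() {
	kms, nn, dn := NewKMS(), &NameNode{xattrs: map[string]EDEK{}}, &DataNode{blocks: map[string][]byte{}}
	msg := []byte("constructed sample record #1") // constructed input
	if err := WriteFile(nn, dn, kms, "/zone/a.txt", msg); err != nil {
		panic(err)
	}
	got, _ := ReadFile(nn, dn, kms, "/zone/a.txt")
	fmt.Printf("client reads back: %q\n", got)
	fmt.Println("EDEK + blocks alone recover plaintext:",
		ObserverRecovers(nn.xattrs["/zone/a.txt"], dn.blocks["/zone/a.txt"], msg))
}
```

The model makes the question's concern concrete: intercepting the NameNode channel yields an EDEK that is useless without the zone key, and tampering with it is caught by the KMS, but intercepting the KMS response together with the DataNode blocks is sufficient. That is why, in an actual deployment, the KMS REST endpoint is served over HTTPS (a `kms://https@...` key provider URI) with Kerberos authentication, and why DataNode-to-client block traffic can additionally be encrypted with `dfs.encrypt.data.transfer`.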