
How do we change keys for an encrypted zone?

Contributor

All,

If we need to revoke or change a key for an encrypted zone (i.e., key rolling), do we need to copy all the data (distcp) into a new location, create a new key, and then copy it back?

Regards,

-D

2 REPLIES

Re: How do we change keys for an encrypted zone?

Contributor

@devers

AFAIK, the approach you had mentioned is the only way it's possible to change keys for an encryption zone with the present implementation of TDE in Hadoop.

Re: How do we change keys for an encrypted zone?

Hi @devers,

You do not need to copy all of the data. You can roll over the keys via the Ranger UI if you are using the Ranger KMS. Take a look at this. Specifically the section for "Rolling Over an Existing Key".
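
The key rollover discussed in this thread, as an added sketch that is not part of any reply and not Hadoop or Ranger code: a simplified model of HDFS transparent encryption in which each file's data key (DEK) is stored wrapped (as an EDEK) under one specific version of the zone key. `ToyKMS`, `demo` and the field names are hypothetical, and the HMAC-based XOR wrap is a stand-in for the AES encryption a real KMS performs.

```python
import hashlib
import hmac
import os

def _wrap(kek: bytes, iv: bytes, data: bytes) -> bytes:
    # Stand-in cipher (XOR with an HMAC-SHA256 keystream); a real KMS uses AES.
    # XOR is symmetric, so the same function wraps and unwraps.
    stream = hmac.new(kek, iv, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class ToyKMS:
    """Hypothetical key server that keeps every version of each zone key."""
    def __init__(self):
        self.versions = {}  # key name -> list of key material, index = version

    def create_key(self, name):
        self.versions[name] = [os.urandom(32)]

    def roll_key(self, name):
        # Rolling appends a new version; older versions stay available.
        self.versions[name].append(os.urandom(32))

    def generate_edek(self, name):
        # A new file gets a fresh DEK wrapped under the latest key version.
        ver = len(self.versions[name]) - 1
        dek, iv = os.urandom(32), os.urandom(16)
        return dek, {"key": name, "version": ver, "iv": iv,
                     "edek": _wrap(self.versions[name][ver], iv, dek)}

    def decrypt_edek(self, meta):
        # The file metadata names the key version needed to unwrap its DEK.
        kek = self.versions[meta["key"]][meta["version"]]
        return _wrap(kek, meta["iv"], meta["edek"])

def demo():
    kms = ToyKMS()
    kms.create_key("zone_key")  # constructed key name
    dek_old, meta_old = kms.generate_edek("zone_key")  # file written before the roll
    kms.roll_key("zone_key")
    dek_new, meta_new = kms.generate_edek("zone_key")  # file written after the roll
    return {
        "old_version": meta_old["version"],
        "new_version": meta_new["version"],
        "old_still_readable": kms.decrypt_edek(meta_old) == dek_old,
        "new_readable": kms.decrypt_edek(meta_new) == dek_new,
    }

if __name__ == "__main__":
    print(demo())
```

In this model the file written before the roll stays tied to version 0 and remains readable without its data being rewritten, while only files created after the roll use the new version.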