How do we change keys for an encrypted zone?

Contributor

All,

If we need to revoke or change a key for an encrypted zone (i.e. key rolling) do we need to copy all the data (distcp) into a new location, create a new key, and then copy it back?

Regards,

-D

2 REPLIES

Re: How do we change keys for an encrypted zone?

Contributor

@devers

AFAIK, the approach you had mentioned is the only way it's possible to change keys for an encryption zone with the present implementation of TDE in Hadoop.

Re: How do we change keys for an encrypted zone?

Hi @devers,

You do not need to copy all of the data. You can roll over the keys via the Ranger UI if you are using the Ranger KMS. Take a look at this. Specifically the section for "Rolling Over an Existing Key".
