
How to achieve SSE for Hive over S3 without SSE-S3



We need SSE for Hive running over S3, but cannot use SSE-S3 because we cannot have our encryption keys accessible to a third party even if it's Amazon. How can we achieve this?

Ideas:

(1) Ranger using SSE-C would be ideal but Ranger does not support this, and AFAIK there are no immediate plans to correct this shortcoming. Any chance I'm wrong about this?

(2) SSE-KMS has an "envelope key" (CMC) that encrypts the master keys. If we could somehow control just the CMC from within Horton, that would probably be sufficient, as the keys managed by Amazon would be encrypted.

(3) Third-party product that would handle key-management and/or encryption. Does anything fill this niche?
