
KMS key roll-over

Hi, a quick query on KMS keys.

We have two encryption zones, EZ1 and EZ2. Both of them are created using the same key and material. We use DistCp to transfer data from EZ1 to EZ2. I am trying to understand what happens if the key is rolled over on EZ1.

New data written to EZ1 post key roll-over shouldn't be a problem. However, what happens in the below cases?

  1. What happens to the old data in EZ1 which was encrypted with the old key material and version? Will the client application be able to decrypt the content without any issues?
  2. What happens to the data in EZ2? Should the same key-material need to be used to roll-over the key for EZ2 as well?
  3. Are there any established best practices around key management?

Re: KMS key roll-over

Reading the Hadoop TDE documentation answered my first question, i.e. KMS maintains key version history and hence it shouldn't be a problem when the client decrypts content. It would have the appropriate key version and hence KMS would decrypt using the same.

Still looking for answers to questions 2 and 3.

Re: KMS key roll-over

@Vijaya Narayana Reddy Bhoomi Reddy The data itself is encrypted using the DEK, which is static. When the EZK is rolled, all EDEKs (which are stored in NN metadata) are re-encrypted.

1. Therefore, yes, in EZ1 the client application will be able to decrypt the content of old data without any issues. They will be able to decrypt the new EDEK with the new EZK and therefore get the plaintext DEK to decrypt the file.

2. Regarding EZ2, if the same key name was used for EZ2, then it will be the same as EZ1. The EDEKs associated with files in EZ2 will be re-encrypted as well.

3. It is best to periodically roll keys to protect against certain attack vectors, like users collecting keys of files they have access to, to later decrypt data (perhaps after being removed from a KMS ACL).
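The envelope scheme this reply describes (a static DEK per file, the EDEK kept by the NameNode, the EZK and its version history held by the KMS) and the three questions in the original post, played out in a runnable Go model. This is an added example, not code from the thread or from Hadoop: the `kms`, `edek`, `rollKey`, `reencryptEDEK` and `readFile` names, the key name `ezkey` and the sample record are constructed for the demonstration, AES-256-GCM stands in for both the KMS wrapping and the file cipher, and version names follow the KMS `keyname@N` convention.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// kms is a toy key provider that keeps every version of each named key, so an
// EDEK wrapped under an older version still unwraps after the key is rolled.
type kms struct {
	material map[string][]byte // "ezkey@0" -> key bytes
	current  map[string]string // "ezkey"   -> name of the current version
	count    map[string]int    // "ezkey"   -> versions created so far
}

// edek is what the NameNode stores per file: the DEK wrapped by one EZK version.
type edek struct {
	versionName string
	wrapped     []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal encrypts with AES-256-GCM and prepends the nonce; unseal reverses it.
func seal(key, plaintext []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, nil)...)
}

func unseal(key, data []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], nil)
}

// rollKey adds a version of a named key and makes it current; earlier versions
// are kept. The first call for a name creates version 0.
func (k *kms) rollKey(name string, material []byte) string {
	v := fmt.Sprintf("%s@%d", name, k.count[name])
	k.count[name]++
	k.material[v], k.current[name] = material, v
	return v
}

// generateEDEK mints a fresh DEK and wraps it under the key's current version.
func (k *kms) generateEDEK(keyName string) ([]byte, edek) {
	dek, v := randomBytes(32), k.current[keyName]
	return dek, edek{v, seal(k.material[v], dek)}
}

// decryptEDEK unwraps with the version the EDEK names, not the latest one.
func (k *kms) decryptEDEK(e edek) ([]byte, error) {
	m, ok := k.material[e.versionName]
	if !ok {
		return nil, fmt.Errorf("unknown key version %q", e.versionName)
	}
	return unseal(m, e.wrapped)
}

// reencryptEDEK unwraps with the recorded version and re-wraps under the current
// one; the DEK, and so the file bytes on disk, do not change.
func (k *kms) reencryptEDEK(keyName string, e edek) (edek, error) {
	dek, err := k.decryptEDEK(e)
	if err != nil {
		return edek{}, err
	}
	v := k.current[keyName]
	return edek{v, seal(k.material[v], dek)}, nil
}

// readFile is the client read path: EDEK -> KMS unwrap -> DEK -> file plaintext.
func readFile(k *kms, e edek, stored []byte) ([]byte, error) {
	dek, err := k.decryptEDEK(e)
	if err != nil {
		return nil, err
	}
	return unseal(dek, stored)
}

// rolloverDemo plays out the thread's scenario: EZ1 and EZ2 share "ezkey", a file
// is written to each, then ezkey is rolled. It reports whether the old EZ1 EDEK
// still reads the file, whether the re-wrapped EDEK (now ezkey@1) still reads the
// untouched ciphertext, and whether the EZ2 EDEK re-wraps to the same version.
func rolloverDemo() (oldUnwraps, dataIntact, ez2Follows bool) {
	k := &kms{map[string][]byte{}, map[string]string{}, map[string]int{}}
	k.rollKey("ezkey", randomBytes(32)) // ezkey@0
	dek1, e1 := k.generateEDEK("ezkey") // file in EZ1
	_, e2 := k.generateEDEK("ezkey")    // file in EZ2, same key name
	record := []byte("constructed sample record written to EZ1")
	stored := seal(dek1, record)        // what HDFS keeps on disk for the EZ1 file
	k.rollKey("ezkey", randomBytes(32)) // ezkey@1 is now current

	pt, err := readFile(k, e1, stored) // old EDEK: the KMS still holds ezkey@0
	oldUnwraps = err == nil && bytes.Equal(pt, record)

	e1New, err := k.reencryptEDEK("ezkey", e1)
	pt, err2 := readFile(k, e1New, stored) // same bytes on disk, new wrapping
	dataIntact = err == nil && err2 == nil && e1New.versionName == "ezkey@1" && bytes.Equal(pt, record)

	e2New, err := k.reencryptEDEK("ezkey", e2)
	ez2Follows = err == nil && e2New.versionName == "ezkey@1"
	return
}

func main() {
	fmt.Println(rolloverDemo()) // true true true
}
```

`go run` prints `true true true`. Two things the model makes visible that the prose leaves implicit: the roll itself only adds `ezkey@1`, and nothing is re-wrapped until `reencryptEDEK` runs (in Hadoop 3 that is the explicit `hdfs crypto -reencryptZone -start -path <zone>` step, applied per file, which is why EZ2's files follow only because they carry the same key name). And `stored` is never rewritten: rolling the EZK changes which key version wraps the DEK, not the DEK or the ciphertext, so a roll bounds future use of old EZK versions but is not a substitute for re-encrypting the data if a DEK itself is believed exposed.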
