We have installed Ranger KMS and migrated the master key from Ranger KMS Database to HSM.
I have a few doubts here. Would you please help clarify?
During the HDFS write operation, the HDFS client tells the NameNode that it wants to write a file to the EZ, and the NameNode requests the KMS to return an EDEK. The KMS does this by generating a unique DEK, and the DEK will be encrypted using the EZK, which is present in the Ranger database. This EDEK is returned to the NameNode and stored along with the file’s metadata.
1. How frequently does Ranger KMS (EZK) connect to the HSM (master key)?
2. What is the load on the HSM from Ranger KMS, i.e. the number of crypto operations/sec/hour/day?
Whenever there is a read/write operation on HDFS encryption zones, I could see the below methods being invoked in the KMS log