
Ranger KMS for HDFS Transparent Data Encryption: Switching KMS Keys



Contributor

The customer would like to know whether they are able to switch the keys stored in the KMS without re-encrypting the HDFS data. I believe this may also be referred to as the EEK (Encrypted Encryption Key)?

Documentation here

Accepted Solution

Re: Ranger KMS for HDFS Transparent Data Encryption: Switching KMS Keys

Contributor

Yes, you will be able to roll over the Encryption Zone Key (EZKey). The EZKey is used to encrypt the key that encrypts the data/file. There is one active EZ key per encryption zone. You can roll over the EZKey as needed, and new EEKs (file keys) will be encrypted with the new key. However, file/data keys encrypted with older keys will not be re-keyed. Since the EZKeys are versioned, older EEKs will be decrypted with the appropriate version. So everything works seamlessly.
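The versioning behaviour described in this answer, as an added model that is not part of the original thread and not Hadoop's or Ranger's own code: each file's metadata records the EZ key version that wrapped its file key, so after a roll (on a real cluster, `hadoop key roll <keyname>`) old files still unwrap with their old version while new files use the new one. The wrapping function is a constructed HMAC-keystream stand-in for the KMS's real AES wrapping; key and version names are assumed.

```python
import hmac, hashlib, os

# Constructed stand-in for the KMS's AES wrapping of file keys (illustration only):
# XOR the 16-byte key with an HMAC-SHA256 keystream derived from the EZ key version and IV.
def _wrap(key_material, iv, data):
    stream = hmac.new(key_material, iv, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))   # XOR: same call unwraps

class KmsModel:
    """Model of versioned EZ keys as a Hadoop/Ranger KMS exposes them (not the real API)."""
    def __init__(self):
        self.versions = {}   # version name -> key material (every version is retained)
        self.current = {}    # key name -> name of the current (active) version
        self.counter = {}

    def create_key(self, name):
        self.counter[name] = 0
        return self._add_version(name)

    def _add_version(self, name):
        vname = f"{name}@{self.counter[name]}"       # assumed version-naming scheme
        self.versions[vname] = os.urandom(32)
        self.current[name] = vname
        self.counter[name] += 1
        return vname

    def roll(self, name):
        """Counterpart of 'hadoop key roll <name>': a new version becomes current, old ones stay."""
        return self._add_version(name)

    def generate_eek(self, name):
        """Fresh file key (DEK) plus the metadata a file stores: version name, IV, wrapped key."""
        vname = self.current[name]
        dek, iv = os.urandom(16), os.urandom(16)
        return dek, {"version": vname, "iv": iv, "eek": _wrap(self.versions[vname], iv, dek)}

    def decrypt_eek(self, meta):
        """Unwrap with the version named in the file's metadata, regardless of the current one."""
        return _wrap(self.versions[meta["version"]], meta["iv"], meta["eek"])

def rollover_demo():
    kms = KmsModel()
    kms.create_key("zone1key")
    dek_a, meta_a = kms.generate_eek("zone1key")   # file A written before the roll
    kms.roll("zone1key")
    dek_b, meta_b = kms.generate_eek("zone1key")   # file B written after the roll
    return {"a_version": meta_a["version"], "b_version": meta_b["version"],
            "a_ok": kms.decrypt_eek(meta_a) == dek_a,   # old EEK still opens: not re-keyed
            "b_ok": kms.decrypt_eek(meta_b) == dek_b}
```

File A's metadata keeps pointing at version 0 after the roll, which is why rollover does not require rewriting existing data, and also why retiring an old version would break every file still wrapped under it.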

Replies


Re: Ranger KMS for HDFS Transparent Data Encryption: Switching KMS Keys

New Contributor

I have installed Ranger and Ranger KMS and set up all the configurations, and everything is working fine.

I have created an encryption zone in HDFS, and in the policy I have mentioned two users (user1 and user2) to access this encryption zone; they are able to access it. I want to set permissions on the encryption zone in such a way that user1 has read and write access and user2 has only read access. How can we define this?
