
Ranger KMS ranger_masterkey usage

New Contributor

How are the ranger master keys stored inside ranger_masterkey table used in RangerKMS? Any documentation explaining this? Do they have any connection with the ZEKs in Ranger KMS?


Re: Ranger KMS ranger_masterkey usage

Super Collaborator

The above was originally posted in the Community Help Track. On Tue May 21 13:30:47 UTC 2019, a member of the HCC moderation staff moved it to the Security track. The Community Help Track is intended for questions about using the HCC site itself.

Bill Brooks, Community Manager

Re: Ranger KMS ranger_masterkey usage


Hello @Ranjandas Athiyanathum Poyil,

The Ranger KMS Master key is used to encrypt the EZK (Encryption Zone Key). This can be stored in either the Ranger DB or in an HSM (Hardware Security Module). This diagram (although it is in the context of HSM) will help you understand the flow of information.

Hope this helps!


Re: Ranger KMS ranger_masterkey usage

New Contributor

Thank you @Vipin Rathor. Currently, I am trying to export a few EZKs to another Ranger KMS instance (on a different cluster). I found the from Ranger KMS scripts which has the downside that it exports all the EZKs to a JCEKS keystore.

I have the following questions:

  • Are the exported keys in the JCEKS keystore still encrypted with the Master Key?
  • To import these into the target Ranger KMS instance, should the Master Key be the same on both?
  • What's the best way to sync keys selectively between RangerKMS instances?

Another question, again from the rangerkms db, is regarding the records in the ranger_keystore table. Why are there two similar records for every EZK (one with cipher AES and the other with AES/CTR/NoPadding and ending with <keyname>@0)?

Thank you in advance.
