
Ranger KMS ranger_masterkey usage

New Contributor

How are the Ranger master keys stored inside the ranger_masterkey table used in Ranger KMS? Is there any documentation explaining this? Do they have any connection with the ZEKs in Ranger KMS?

3 REPLIES

Re: Ranger KMS ranger_masterkey usage

Community Manager

The above was originally posted in the Community Help Track. On Tue May 21 13:30:47 UTC 2019, a member of the HCC moderation staff moved it to the Security track. The Community Help Track is intended for questions about using the HCC site itself.

Re: Ranger KMS ranger_masterkey usage

Guru

Hello @Ranjandas Athiyanathum Poyil,

The Ranger KMS master key is used to encrypt the EZK (Encryption Zone Key). This can be stored in either the Ranger DB or in an HSM (Hardware Security Module). This diagram (although it is in the context of HSM) will help you understand the flow of information.

Hope this helps!

Re: Ranger KMS ranger_masterkey usage

New Contributor

Thank you @Vipin Rathor. Currently, I am trying to export a few EZKs to another Ranger KMS instance (on a different cluster). I found exportKeysToJCEKS.sh among the Ranger KMS scripts, which has the downside that it exports all the EZKs to a JCEKS keystore.


I have the following questions:

  • Are the exported keys in the JCEKS keystore still encrypted with the Master Key?
  • To import these into the target Ranger KMS instance, should the Master Key be the same on both?
  • What's the best way to sync keys selectively between Ranger KMS instances?

Another question, again from the rangerkms DB, is regarding the records in the ranger_keystore table. Why are there two similar records for every EZK (one with cipher AES and the other with AES/CTR/NoPadding and ending with <keyname>@0)?

Thank you in advance.