Created 05-21-2019 06:48 AM
How are the ranger master keys stored inside ranger_masterkey table used in RangerKMS? Any documentation explaining this? Do they have any connection with the ZEKs in Ranger KMS?
Created 05-22-2019 05:35 PM
Hello @Ranjandas Athiyanathum Poyil,
The Ranger KMS master key is used to encrypt the EZK (Encryption Zone Key). This can be stored in either Ranger DB or in HSM (Hardware Security Module). This diagram (although it is in the context of HSM) will help you understand the flow of information.
Hope this helps!
Created 05-22-2019 11:03 PM
Thank you @Vipin Rathor. Currently, I am trying to export a few EZKs to another Ranger KMS instance (on a different cluster). I found the exportKeysToJCEKS.sh from Ranger KMS scripts which has the downside that it exports all the EZKs to a JCEKS keystore.
I have the following questions:
Another question again from the rangerkms db is regarding the records in ranger_keystore table. Why are two similar records there for every EZK (one with cipher AES and the other with AES/CTR/NoPadding and ending with <keyname>@0)?
Thank you in advance.