Ranger KMS ranger_masterkey usage

New Contributor

How are the Ranger master keys stored inside the ranger_masterkey table used in RangerKMS? Is there any documentation explaining this? Do they have any connection with the ZEKs in Ranger KMS?


The above was originally posted in the Community Help Track. On Tue May 21 13:30:47 UTC 2019, a member of the HCC moderation staff moved it to the Security track. The Community Help Track is intended for questions about using the HCC site itself.

Bill Brooks, Community Moderator


Hello @Ranjandas Athiyanathum Poyil,

The Ranger KMS Master key is used to encrypt the EZK (Encryption Zone Key). This can be stored in either the Ranger DB or in an HSM (Hardware Security Module). This diagram (although it is in the context of HSM) will help you understand the flow of information.

Hope this helps!

New Contributor

Thank you @Vipin Rathor. Currently, I am trying to export a few EZKs to another Ranger KMS instance (on a different cluster). I found the from Ranger KMS scripts which has the downside that it exports all the EZKs to a JCEKS keystore.

I have the following questions:

  • Are the exported keys in the JCEKS keystore still encrypted with the Master Key?
  • To import these into the target Ranger KMS instance, should the Master Key be the same on both?
  • What's the best way to sync keys selectively between RangerKMS instances?

Another question, again from the rangerkms db, is regarding the records in the ranger_keystore table. Why are there two similar records for every EZK (one with cipher AES and the other with AES/CTR/NoPadding and ending with <keyname>@0)?

Thank you in advance.
