Ranger kms key management and verification

I have a couple of questions about kms. I went through this article: Transparent Data Encryption Explained. We are using HDP 2.6.5 with Ranger and Ranger KMS 0.7. We use postgres as a backend db for keys.

1. As far as I understand only DEK and Master Key are stored in postgres db, correct?

2. I deploy the cluster with Ambari blueprints. How can I verify that the master key has been deployed/hashed in a proper way?

3. In terms of backup, do we have to back up either EDEK, EZK keys and the postgres db? Or is the postgres db enough?

Thanks, Andrzej


Re: Ranger kms key management and verification

-- Master key and EZK are stored in DB.

-- If keys can be created and encryption zones can be set up successfully, that is an indication.

-- Postgres DB backup is a recommended way to backup keys stored in DB.

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.
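The check described in the reply above (create a key, create an encryption zone, confirm both show up), written out as a smoke-test script. This is an added example, not code from the thread or from the Ranger/Hadoop projects; it assumes the standard `hadoop key` and `hdfs crypto` CLIs and that the caller has the HDFS superuser rights `-createZone` requires. The parsing helpers are exercised here against constructed sample output so the script can be run without a cluster.

```bash
#!/bin/sh
# Added example (not from the post): verify that Ranger KMS can serve keys
# and that HDFS TDE works end to end. Assumes HDP-style `hadoop`/`hdfs` CLIs.
set -e

# key_has_cipher OUTPUT KEYNAME CIPHER BITS
# Succeeds when `hadoop key list -metadata` OUTPUT lists KEYNAME with the
# expected cipher and key length; fails (non-zero) otherwise.
key_has_cipher() {
  printf '%s\n' "$1" | grep -E "^$2 : cipher: $3, length: $4," >/dev/null
}

# zone_uses_key OUTPUT PATH KEYNAME
# `hdfs crypto -listZones` prints "<zone path>  <key name>" per zone.
zone_uses_key() {
  printf '%s\n' "$1" | awk -v p="$2" -v k="$3" '$1==p && $2==k {f=1} END {exit !f}'
}

# Constructed sample output (shape of `hadoop key list -metadata` and
# `hdfs crypto -listZones`), used so the helpers can be checked offline.
SAMPLE_KEYS='Listing keys for KeyProvider: kms://http@kms.example.internal:9292/kms
tde_smoke_key : cipher: AES/CTR/NoPadding, length: 128, description: null, created: Mon Jan 01 00:00:00 UTC 2018, version: 1, attributes: [key.acl.name=tde_smoke_key]'
SAMPLE_ZONES='/tmp/tde_smoke_zone  tde_smoke_key
/data/secure  prod_key'

# check_sample_output: offline self-check of the two helpers.
check_sample_output() {
  key_has_cipher "$SAMPLE_KEYS" tde_smoke_key AES/CTR/NoPadding 128 &&
  zone_uses_key "$SAMPLE_ZONES" /tmp/tde_smoke_zone tde_smoke_key
}

# tde_smoke_test [KEY] [ZONE]: run on a live cluster. Creates a key in KMS,
# builds an encryption zone with it, writes and reads back a probe file,
# and confirms the file's encryption info references the key.
tde_smoke_test() {
  key="${1:-tde_smoke_key}"; zone="${2:-/tmp/tde_smoke_zone}"
  hadoop key create "$key" -size 128 -cipher AES/CTR/NoPadding
  key_has_cipher "$(hadoop key list -metadata)" "$key" AES/CTR/NoPadding 128
  hdfs dfs -mkdir -p "$zone"
  hdfs crypto -createZone -keyName "$key" -path "$zone"
  zone_uses_key "$(hdfs crypto -listZones)" "$zone" "$key"
  echo "tde probe" | hdfs dfs -put - "$zone/probe.txt"
  hdfs crypto -getFileEncryptionInfo -path "$zone/probe.txt" | grep -q "keyName: $key"
  hdfs dfs -cat "$zone/probe.txt" | grep -q "tde probe"
  echo "TDE smoke test passed for key '$key' in zone '$zone'"
}
```

Run `tde_smoke_test` as the hdfs user after a blueprint deployment; any failing step leaves a non-zero exit because of `set -e`, and the zone and key can be removed afterwards with `hdfs dfs -rm -r` and `hadoop key delete`.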

Re: Ranger kms key management and verification

What do you mean by EZK? Encryption Zone key or Enterprise Zone Key?

As long as I can generate new keys and create encryption zones everything works fine, but is it possible to programmatically determine that the Master Key and EZKs are correct?

Also, is it possible to encrypt Master Key within Service Master Key and password?

Thanks,

Andrzej

Re: Ranger kms key management and verification

EZK ==> Encryption Zone Key. Keys generated by users to encrypt encryption zones are EZKs.

Not sure what you are asking below.

>> is it possible to programmatically determine that Master Key and EZKs are correct

>> is it possible to encrypt Master Key within Service Master Key and password?
