I have a couple of questions about KMS. I went through this article: Transparent Data Encryption Explained. We are using HDP 2.6.5 with Ranger and Ranger KMS 0.7. We use postgres as the backend DB for keys.
1. As far as I understand, only the DEK and the Master Key are stored in the postgres DB, correct?
2. I deploy the cluster with Ambari blueprints. How can I verify that the master key has been deployed/hashed in a proper way?
3. In terms of backup, do we have to back up the EDEK and EZK keys as well as the postgres DB? Or is the postgres DB enough?
-- Master key and EZK are stored in DB.
-- If keys can be created and encryption zones can be set up successfully, that is an indication.
-- Postgres DB backup is a recommended way to backup keys stored in DB.
*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.
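The check the answer describes (create a key, create a zone, read and write through it) turned into a repeatable smoke test, followed by the postgres backup it recommends. This is an added example, not code from the thread or from Ranger; it assumes the `hadoop`/`hdfs` CLIs are on PATH for a user allowed to create keys and zones, and the database name and role given to `pg_dump` are placeholders.

```shell
#!/usr/bin/env bash
# Added example: smoke-test Ranger KMS and back up its key database.
# Assumed/placeholder values: KMS_DB, KMS_DB_USER (override via environment).
set -eu

KMS_DB="${KMS_DB:-rangerkms}"            # placeholder DB name
KMS_DB_USER="${KMS_DB_USER:-rangerkms}"  # placeholder DB role
TEST_KEY="kms_smoke_$(date +%s)"
TEST_ZONE="/tmp/${TEST_KEY}"

# Succeeds (exit 0) if the `hdfs crypto -listZones` output on stdin contains a
# "<path> <keyname>" row matching ZONE and KEY; other rows are ignored.
zone_uses_key() {
    local zone="$1" key="$2" path name
    while read -r path name; do
        if [ "$path" = "$zone" ] && [ "$name" = "$key" ]; then
            return 0
        fi
    done
    return 1
}

smoke_test() {
    # 1. Creating a key shows the KMS can use its master key and write the EZK to the DB.
    hadoop key create "$TEST_KEY" -size 256
    hadoop key list | grep -qx "$TEST_KEY"
    # 2. Creating a zone shows the NameNode can obtain an EDEK for that key from the KMS.
    hdfs dfs -mkdir -p "$TEST_ZONE"
    hdfs crypto -createZone -keyName "$TEST_KEY" -path "$TEST_ZONE"
    hdfs crypto -listZones | zone_uses_key "$TEST_ZONE" "$TEST_KEY"
    # 3. A write/read round trip exercises DEK generation and decryption end to end.
    echo "kms smoke test" | hdfs dfs -put - "$TEST_ZONE/probe.txt"
    hdfs dfs -cat "$TEST_ZONE/probe.txt" | grep -q "kms smoke test"
    # Clean up: remove the zone (skip trash, which cannot hold zone contents), then the key.
    hdfs dfs -rm -r -skipTrash "$TEST_ZONE"
    hadoop key delete "$TEST_KEY" -f
    echo "KMS smoke test passed"
}

backup_kms_db() {
    # The master key and the EZKs live in this DB, so a consistent dump is the key backup.
    # The dump is key material: store it with the same access controls as the KMS itself.
    pg_dump -U "$KMS_DB_USER" -Fc "$KMS_DB" > "kms-$(date +%F).dump"
}

# Nothing runs until explicitly asked, so the functions can be sourced and reused.
if [ "${1:-}" = "run" ]; then
    smoke_test
    backup_kms_db
fi
```

Run it as `./kms_check.sh run` from a host with the Hadoop client and KMS DB access; any failing step aborts the script because of `set -e`.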
What do you mean by EZK? Encryption Zone key or Enterprise Zone Key?
As long as I can generate new keys and create encryption zones, everything works fine, but is it possible to programmatically determine that the Master Key and EZKs are correct?
Also, is it possible to encrypt the Master Key within a Service Master Key and password?
EZK ==> Encryption Zone Key. Keys generated by users to encrypt encryption zones are EZKs.
Not sure what you are asking below.
>> is it possible to programmatically determine that Master Key and EZKs are correct
>> is it possible to encrypt Master Key within Service Master Key and password?