Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Sharing Encryption Keys between clusters (replicating encrypted data)

avatar
author-rank egarelnabi
Guru

Created ‎08-16-2016 02:06 PM

When using Ranger KMS and TDE is it possible to share encryption keys across 2 clusters? The scenario is that we have a Prod and DR cluster. When doing the data replication we'd like to avoid un-encrypting it on Prod, moving it over the wire, and then re-encrypting it when we write to DR. Is this possible?

3,224 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank egarelnabi
Guru

Created ‎08-16-2016 05:14 PM

*Removed my previous response and adding the link to the article below:

https://community.hortonworks.com/articles/51909/how-to-copy-encrypted-data-between-two-hdp-cluster....

View solution in original post

2,673 Views
0 Kudos
7 REPLIES 7

avatar
author-rank sshimpi
Super Guru

Created ‎08-16-2016 02:16 PM

@Eyad Garelnabi This might be useful info, pls check - https://issues.apache.org/jira/browse/RANGER-749

2,673 Views

avatar
author-rank egarelnabi
Guru

Created ‎08-16-2016 02:24 PM

Thanks @Sagar Shimpi. I've seen this, but looking it the code it only seems like it's copying the master keys (EK). My understanding is that to un-encrypt a file you would need both, the master key (EK) stored in the DB as well as the file level encryption key (EDEK) which is store in the Name Node. Am I missing something or misunderstanding?

2,673 Views
0 Kudos

avatar
author-rank rbaskaran author-rank
Contributor

Created ‎08-16-2016 02:49 PM

Yes. It's possible. Update the same key on both KMS (prod and DR). I am using falcon to copy the data from prod to DR with KMS encryption.

2,673 Views

avatar
author-rank egarelnabi
Guru

Created ‎08-16-2016 05:14 PM

*Removed my previous response and adding the link to the article below:

https://community.hortonworks.com/articles/51909/how-to-copy-encrypted-data-between-two-hdp-cluster....

2,674 Views
0 Kudos

avatar
author-rank jpp author-rank
Rising Star

Created ‎08-16-2016 06:56 PM

In the second scenario, is it possible to copy the raw encrypted files from the first to the second cluster ?

2,673 Views
0 Kudos

avatar
author-rank egarelnabi
Guru

Created ‎08-16-2016 07:25 PM

You would copy the file from "/.reserved/raw/test1/file1.txt" to "/.reserved/raw/test2/file1.txt" while preserving the extended attributes (where the EZEK is saved) using the -px flag.

https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-hdfs/TransparentEncryption.html#Run...

https://issues.apache.org/jira/browse/MAPREDUCE-6007

2,673 Views
0 Kudos

avatar
author-rank alpanchino
New Contributor

Created ‎04-10-2019 04:03 PM

Is the link still working? I receive "Access Denied"...

2,673 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements