Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Sharing Encryption Keys between clusters (replicating encrypted data)

avatar
author-rank egarelnabi
Guru

Created ‎08-16-2016 02:06 PM

When using Ranger KMS and TDE is it possible to share encryption keys across 2 clusters? The scenario is that we have a Prod and DR cluster. When doing the data replication we'd like to avoid un-encrypting it on Prod, moving it over the wire, and then re-encrypting it when we write to DR. Is this possible?

3,709 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank egarelnabi
Guru

Created ‎08-16-2016 05:14 PM

*Removed my previous response and adding the link to the article below:

https://community.hortonworks.com/articles/51909/how-to-copy-encrypted-data-between-two-hdp-cluster....

View solution in original post

3,158 Views
0 Kudos
0
7 REPLIES 7

avatar
author-rank sshimpi
Super Guru

Created ‎08-16-2016 02:16 PM

@Eyad Garelnabi This might be useful info, pls check - https://issues.apache.org/jira/browse/RANGER-749

3,158 Views

avatar
author-rank egarelnabi
Guru

Created ‎08-16-2016 02:24 PM

Thanks @Sagar Shimpi. I've seen this, but looking it the code it only seems like it's copying the master keys (EK). My understanding is that to un-encrypt a file you would need both, the master key (EK) stored in the DB as well as the file level encryption key (EDEK) which is store in the Name Node. Am I missing something or misunderstanding?

3,158 Views
0 Kudos

avatar
author-rank rbaskaran author-rank
Contributor

Created ‎08-16-2016 02:49 PM

Yes. It's possible. Update the same key on both KMS (prod and DR). I am using falcon to copy the data from prod to DR with KMS encryption.

3,158 Views

avatar
author-rank egarelnabi
Guru

Created ‎08-16-2016 05:14 PM

*Removed my previous response and adding the link to the article below:

https://community.hortonworks.com/articles/51909/how-to-copy-encrypted-data-between-two-hdp-cluster....

3,159 Views
0 Kudos
0

avatar
author-rank jpp author-rank
Rising Star

Created ‎08-16-2016 06:56 PM

In the second scenario, is it possible to copy the raw encrypted files from the first to the second cluster ?

3,158 Views
0 Kudos

avatar
author-rank egarelnabi
Guru

Created ‎08-16-2016 07:25 PM

You would copy the file from "/.reserved/raw/test1/file1.txt" to "/.reserved/raw/test2/file1.txt" while preserving the extended attributes (where the EZEK is saved) using the -px flag.

https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-hdfs/TransparentEncryption.html#Run...

https://issues.apache.org/jira/browse/MAPREDUCE-6007

3,158 Views
0 Kudos

avatar
author-rank alpanchino
New Contributor

Created ‎04-10-2019 04:03 PM

Is the link still working? I receive "Access Denied"...

3,158 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements