Sharing Encryption Keys between clusters (replicating encrypted data)

When using Ranger KMS and TDE is it possible to share encryption keys across 2 clusters? The scenario is that we have a Prod and DR cluster. When doing the data replication we'd like to avoid un-encrypting it on Prod, moving it over the wire, and then re-encrypting it when we write to DR. Is this possible?

Accepted Solutions

Re: Sharing Encryption Keys between clusters (replicating encrypted data)

*Removed my previous response and adding the link to the article below:

https://community.hortonworks.com/articles/51909/how-to-copy-encrypted-data-between-two-hdp-cluster....

Re: Sharing Encryption Keys between clusters (replicating encrypted data)

@Eyad Garelnabi This might be useful info, pls check - https://issues.apache.org/jira/browse/RANGER-749

Re: Sharing Encryption Keys between clusters (replicating encrypted data)

Thanks @Sagar Shimpi. I've seen this, but looking at the code it only seems like it's copying the master keys (EK). My understanding is that to un-encrypt a file you would need both the master key (EK) stored in the DB as well as the file level encryption key (EDEK) which is stored in the Name Node. Am I missing something or misunderstanding?

Re: Sharing Encryption Keys between clusters (replicating encrypted data)

New Contributor

Yes. It's possible. Update the same key on both KMS (prod and DR). I am using Falcon to copy the data from prod to DR with KMS encryption.

Re: Sharing Encryption Keys between clusters (replicating encrypted data)

Contributor

In the second scenario, is it possible to copy the raw encrypted files from the first to the second cluster?

Re: Sharing Encryption Keys between clusters (replicating encrypted data)

You would copy the file from "/.reserved/raw/test1/file1.txt" to "/.reserved/raw/test2/file1.txt" while preserving the extended attributes (where the EZEK is saved) using the -px flag.

https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-hdfs/TransparentEncryption.html#Run...

https://issues.apache.org/jira/browse/MAPREDUCE-6007
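
A guard for the raw copy described in the reply above, as an added example that is not part of the thread: it prints the `hadoop distcp -px` command only when both endpoints are under `/.reserved/raw`, so a replication job cannot silently fall back to the decrypting path. The host names `prod-nn` and `dr-nn` and the function names are assumptions, and the DR KMS is assumed to already hold the same zone key.

```shell
#!/bin/sh
# Added example: validate both endpoints before a raw (still-encrypted) copy.
# It only prints the command for review; it does not invoke hadoop itself.

# Strip an optional scheme://authority prefix, leaving the absolute HDFS path.
hdfs_path_of() {
    case "$1" in
        *://*)
            p=${1#*://}                            # drop "scheme://"
            case "$p" in
                */*) printf '/%s\n' "${p#*/}" ;;   # drop "host:port/"
                *)   printf '/\n' ;;               # authority only, no path
            esac ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# Succeed only for paths inside the /.reserved/raw hierarchy.
is_raw_path() {
    path=$(hdfs_path_of "$1")
    case "$path" in
        */../*|*/..)       return 1 ;;   # reject parent-directory escapes
        /.reserved/raw/?*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Print the distcp command line, or fail if either side would be decrypted.
build_raw_distcp() {
    for arg in "$1" "$2"; do
        if ! is_raw_path "$arg"; then
            echo "refusing: $arg is not under /.reserved/raw" >&2
            return 1
        fi
    done
    # -px preserves extended attributes, where the per-file key material lives.
    printf 'hadoop distcp -px %s %s\n' "$1" "$2"
}

# Constructed sample endpoints (host names are placeholders).
build_raw_distcp \
    hdfs://prod-nn:8020/.reserved/raw/test1/file1.txt \
    hdfs://dr-nn:8020/.reserved/raw/test2/file1.txt
```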

Re: Sharing Encryption Keys between clusters (replicating encrypted data)

New Contributor

Is the link still working? I receive "Access Denied"...