Create encrypted zones in HDFS

Encryption at rest is the process of encrypting the data stored in the HDFS.

This is a very advanced topic and to create an encryption zone you need to do below steps.

  • Enable Kerberos
  • Enable TLS/SSL
  • Add Java Keystore KMS service (This will act as KTS as well)

In production environment, you need to create a separate cluster for Cloudera Key Trustee service and KMS service.

 

In my guess, this task is highly unlikely to be asked in the exam as there are lot of high level steps are involved.  ( Don’t blame if it’s asked!!! )

So we’d just assume that kerberos/TLS/SSL are setup beforehand in our cluster and directly go over the commands to create an encryption zone.

Go to CM – Cluster drop down – Add service – Select Java Keystore KMS – customize role assignment – finish.

Creating Encryption Zone:

First create an encryption key, which will be used to encrypt a zone (directory).

hadoop key create mykey

Now create an empty directory for the encryption zone.

sudo -u hdfs hdfs dfs -mkdir /encryption_zone_name

To make the directory as encryption zone.

sudo -u hdfs hdfs crypto -createZone -keyName mykey -path /encryption_zone_name

To verify whether the zone is created properly

sudo -u hdfs hdfs crypto -listZones

#This will list the encryption zone and keyname which we used to create.

 

Problem Scenario:

Though this is unlikely to appear, it’s always good to know about the steps involved and how to setup if asked.

Create an encryption key and using that create an encryption zone in /user/test. Kerberos, TLS configuration is already done in the cluster.

Add a javakms service to the cluster and create an encryption zone.

Thus we covered how to Create encrypted zones in HDFS


 

Use the comments section below to post your doubts, questions and feedback.

Please follow my blog to get notified of more certification related posts, exam tips, etc.

  1. In the required skil, it has wriiten configure a service using cloudera manager,
    so can you tell me that it ask you to configure any particular service
    and which service has been asked to configure

    1. For configuration, you’d be given a property and ask you to configure it for the service.

      Example, configure the datanode to reserve 5GB of their disk space for non-dfs usage. In this scenario, you’have to modify changes in the HDFS – configuration – search ‘reserve’ and find that relevant property and configure accordingly.

      1. Hiiii,
        Can you pls tell me what kind of practicals scenario is given bcoz it is in new format and i dont know how to practise practically so pls can you give me some of the hints for practising the practicals.

        1. Hi,
          You can practice as per the blueprint topics. Questions will be asked based on that.
          To give you an example, you can expect questions like,
          * Add Hive service to the cluster
          * Configure logs dir for this service
          * Restore a snapshot of the directory
          * Create ACL for this directory etc.,

Leave a Reply

%d bloggers like this: