Encryption at rest means the data stored in HDFS is encrypted on disk, so anyone who gets hold of the raw block files on a DataNode (or a decommissioned disk) cannot read them without the key. This is a fairly advanced topic; to create an encryption zone you need the following in place first:
- Enable Kerberos
- Enable TLS/SSL
- Add the Java KeyStore KMS service (in a lab this file-based keystore stands in for Key Trustee Server; it is not meant for production keys)
In a production environment you would instead run Cloudera Key Trustee Server on dedicated hosts, separate from the Hadoop cluster, with the Key Trustee KMS service in front of it.
My guess is that this task is unlikely to be asked in the exam, as a lot of high-level steps are involved (don't blame me if it is asked!).
So we will assume Kerberos and TLS/SSL are already set up in the cluster and go straight to the commands that create an encryption zone.
Go to CM – Cluster drop-down – Add Service – select Java KeyStore KMS – Customize Role Assignments – Finish. HDFS now has a key provider, so restart it when CM flags it as stale; until then the NameNode cannot talk to the KMS.
Creating an encryption zone:
First create an encryption key in the KMS; the zone (a directory) will be bound to it. Do this as a user the KMS ACLs allow to create keys (in a real deployment that is a key administrator, not the hdfs superuser, so that no single account can both read blocks and fetch keys).
hadoop key create mykey
Now create an empty directory for the encryption zone. A zone can only be created on an empty directory; existing files are never encrypted in place. On a Kerberized cluster, sudo -u hdfs only switches the Unix user: the hdfs user still needs its own Kerberos ticket (kinit with the hdfs keytab), otherwise the command fails with an authentication error.
sudo -u hdfs hdfs dfs -mkdir /encryption_zone_name
Make the directory an encryption zone bound to the key (this requires the HDFS superuser):
sudo -u hdfs hdfs crypto -createZone -keyName mykey -path /encryption_zone_name
Verify that the zone was created and is bound to the expected key:
sudo -u hdfs hdfs crypto -listZones   # lists every zone path with the key name it was created with
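The same procedure as one script, with the checks a practitioner wants before and after each step: a Kerberos ticket is present, the key is created only if it does not already exist, the target directory is empty, the zone shows up in -listZones with the right key, and a file written into the zone really carries encryption metadata (hdfs crypto -getFileEncryptionInfo). This is an added example, not the post's own commands, and it assumes a Kerberized Cloudera cluster with a KMS already running, invoked by a user who holds a valid ticket for the HDFS superuser and is allowed by the KMS ACLs to create keys. The zone and key names are arguments; zone_has_key is a helper of this example, not an hdfs subcommand.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): create and verify an HDFS
# encryption zone end to end. Assumes: Kerberized cluster, KMS service up,
# caller has a Kerberos ticket for the HDFS superuser and may create keys.
set -euo pipefail

# zone_has_key OUTPUT ZONE KEY
# Pure text check over `hdfs crypto -listZones` output, which prints one
# line per zone: "<path> <keyname>". Exit 0 if ZONE is listed with KEY.
zone_has_key() {
  printf '%s\n' "$1" | awk -v p="$2" -v k="$3" \
    '$1 == p && $2 == k { found = 1 } END { exit !found }'
}

# key_exists KEY: `hadoop key list` prints a header line then one key per line.
key_exists() {
  hadoop key list 2>/dev/null | grep -qx -- "$1"
}

create_encryption_zone() {
  local zone="$1" key="$2"

  # Without a ticket every hdfs/hadoop call below fails with a GSS error.
  klist -s || { echo "no valid Kerberos ticket; run kinit first" >&2; return 1; }

  # 1. Key: `hadoop key create` errors if the key already exists, so check first.
  if key_exists "$key"; then
    echo "key $key already exists in the KMS, reusing it"
  else
    hadoop key create "$key"
  fi

  # 2. Directory: must exist and be EMPTY; -createZone refuses a non-empty path
  #    and never encrypts existing files in place.
  if hdfs dfs -test -d "$zone"; then
    if [ -n "$(hdfs dfs -ls "$zone" 2>/dev/null | grep -v '^Found')" ]; then
      echo "$zone is not empty; cannot make it an encryption zone" >&2
      return 1
    fi
  else
    hdfs dfs -mkdir -p "$zone"
  fi

  # 3. Bind the directory to the key.
  hdfs crypto -createZone -keyName "$key" -path "$zone"

  # 4a. The zone must now be listed with exactly that key ...
  zone_has_key "$(hdfs crypto -listZones)" "$zone" "$key" \
    || { echo "zone $zone not listed with key $key" >&2; return 1; }

  # 4b. ... and a file written into it must carry encryption metadata
  #     (cipher suite, key name, EDEK). -skipTrash avoids a cross-zone
  #     rename into the user's trash directory.
  echo probe | hdfs dfs -put -f - "$zone/.ez_probe"
  hdfs crypto -getFileEncryptionInfo -path "$zone/.ez_probe"
  hdfs dfs -rm -skipTrash "$zone/.ez_probe"
}

# Run only when given <zone> <key> on a host that has the hdfs client installed.
if [ "$#" -ge 2 ] && command -v hdfs >/dev/null 2>&1; then
  create_encryption_zone "$1" "$2"
fi
```

Usage on the cluster: `kinit` as the hdfs superuser, then `./ez.sh /user/test mykey`. The verification step matters more than it looks: -createZone succeeding only proves the NameNode accepted the zone; -getFileEncryptionInfo proves the NameNode could actually obtain an encrypted data encryption key from the KMS for a new file, which is what fails when the KMS ACLs or the HDFS key-provider setting are wrong.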
Though this is unlikely to appear, it is always good to know the steps involved and how to set it up if asked.
Sample task: create an encryption key and use it to create an encryption zone at /user/test. Kerberos and TLS are already configured in the cluster.
Solution outline: add a Java KeyStore KMS service to the cluster, restart HDFS, create the key, and create the encryption zone on the empty /user/test directory as shown above.
That covers how to create encryption zones in HDFS.
Use the comments section below to post your doubts, questions and feedback.
Please follow my blog to get notified of more certification related posts, exam tips, etc.