Transparent Data Encryption
To use TDE, an administrator must set up a Key Management Server (KMS) and provide its URI to Ozone/HDFS. Since Ozone and HDFS can share the same Key Management Server, this configuration can be provided via hdfs-site.xml.
If this is already configured for your cluster, you can simply proceed to create the encryption key and enable encrypted buckets.
- Create a bucket encryption key with the hadoop key CLI, in the same way you would for HDFS encryption zones.
The above command creates an encryption key for the bucket you want to protect. Once the key is created, you can tell Ozone to use that key when reading and writing data in a bucket.
- Assign the encryption key to a bucket.
After this command, all data written to encryptedBucket is encrypted with encKey; when reading, clients contact the Key Management Server, fetch the key and decrypt the data. In other words, the data stored inside Ozone is always encrypted. The fact that data is encrypted at rest is completely transparent to clients and end users.
An encrypted bucket can be made reachable through the S3 Gateway in either of two ways:
1. Create the encrypted bucket directly with the Ozone shell under the “/s3v” volume.
2. Create the encrypted bucket under another volume and create a link to it under the “/s3v” volume.
Note: An encrypted bucket cannot be created via the S3 APIs. It must be created with Ozone shell commands as shown above. Once the encrypted bucket exists, every key added to it through s3g is encrypted.
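The whole procedure (create the key in the KMS, create the bucket with that key, link it under /s3v, then verify the key assignment before handing the bucket to S3 users), as an added shell example that is not part of the Ozone documentation or the project's own code. It assumes the hadoop and ozone CLIs are on PATH, that hdfs-site.xml carries the KMS URI in hadoop.security.key.provider.path, and that the JSON printed by ozone sh bucket info carries the key as an encryptionKeyName field; all volume, bucket and key names are constructed placeholders, as is the sample bucket info used in dry-run mode.

```shell
#!/bin/sh
# Added example, not Ozone project code: provision a TDE-protected bucket,
# expose it to S3 Gateway via a link under /s3v, and verify the key is set.
# Assumes `hadoop` and `ozone` on PATH; the encryptionKeyName field in
# `ozone sh bucket info` output is an assumption. Names are placeholders.
set -eu

KEY_NAME="${KEY_NAME:-encKey}"
VOLUME="${VOLUME:-vol}"
BUCKET="${BUCKET:-encryptedBucket}"
S3_LINK="${S3_LINK:-linkedEncryptedBucket}"
HDFS_SITE="${HDFS_SITE:-/etc/hadoop/conf/hdfs-site.xml}"
DRY_RUN="${DRY_RUN:-1}"      # 1: print the commands only; 0: execute them

# Constructed sample of `ozone sh bucket info` output, used in dry-run mode.
SAMPLE_INFO='{ "volumeName" : "vol", "name" : "encryptedBucket", "encryptionKeyName" : "encKey" }'

# Run a command, or just print it in dry-run mode.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Read the KMS URI (hadoop.security.key.provider.path) from an hdfs-site.xml.
# Prints the value, or nothing if the property is absent.
kms_uri_from_site_xml() {
  awk '
    /<name>hadoop\.security\.key\.provider\.path<\/name>/ { want = 1; next }
    want && /<value>/ {
      sub(/.*<value>/, ""); sub(/<\/value>.*/, ""); print; exit
    }
  ' "$1"
}

# Pull the encryption key name out of bucket info JSON read from stdin.
# Prints nothing for a bucket that has no key assigned.
bucket_key_from_info() {
  sed -n 's/.*"encryptionKeyName"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeeds only if the bucket info ($1) shows exactly the expected key ($2).
bucket_is_encrypted_with() {
  key=$(printf '%s\n' "$1" | bucket_key_from_info)
  [ -n "$key" ] && [ "$key" = "$2" ]
}

setup_tde_bucket() {
  # Without a KMS the bucket key cannot be resolved; stop early rather than
  # discover later that data landed in an unencrypted bucket.
  if [ "$DRY_RUN" != 1 ]; then
    uri=$(kms_uri_from_site_xml "$HDFS_SITE")
    [ -n "$uri" ] || { echo "no KMS configured in $HDFS_SITE" >&2; return 1; }
  fi
  # 1. Create the bucket encryption key in the KMS.
  run hadoop key create "$KEY_NAME"
  # 2. Create the bucket with the key assigned (-k is the bucket key option).
  run ozone sh bucket create -k "$KEY_NAME" "/$VOLUME/$BUCKET"
  # 3. Link it under /s3v so S3 clients reach it through the gateway.
  run ozone sh bucket link "/$VOLUME/$BUCKET" "/s3v/$S3_LINK"
  # 4. Verify the key assignment before handing the bucket to S3 users
  #    (dry run checks the constructed sample instead of a live cluster).
  if [ "$DRY_RUN" = 1 ]; then
    info="$SAMPLE_INFO"
  else
    info=$(ozone sh bucket info "/$VOLUME/$BUCKET")
  fi
  bucket_is_encrypted_with "$info" "$KEY_NAME" ||
    { echo "/$VOLUME/$BUCKET is not encrypted with $KEY_NAME" >&2; return 1; }
}

# Entry point: RUN_SETUP=1 DRY_RUN=0 sh tde_setup.sh on a real cluster.
if [ "${RUN_SETUP:-0}" = 1 ]; then
  setup_tde_bucket
fi
```

The verification step is the part worth keeping even if the rest is typed by hand: a bucket created without -k accepts writes just as happily, so checking that bucket info reports the expected key is the only way to confirm that data under the /s3v link is actually being encrypted.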
In non-secure mode, the user running the S3Gateway daemon process is the proxy user, while in secure mode the S3Gateway Kerberos principal (ozone.s3g.kerberos.principal) is the proxy user. S3Gateway acts as a proxy for every user accessing an encrypted bucket in order to decrypt the key on their behalf. For this purpose, on a security-enabled cluster the S3Gateway server logs in during startup using the configured ozone.s3g.kerberos.keytab.file and ozone.s3g.kerberos.principal.