HDFS data at rest encryption

HDFS data at rest encryption allows data to be stored in encrypted HDFS directories called encryption zones. All files within an encryption zone are transparently encrypted and decrypted on the client side, meaning decrypted data is never stored in HDFS.

If HDFS data at rest encryption is enabled in your Hadoop cluster, you must enable it for BDD, as well. Verify that your system meets the following requirements:
  • The key trustee KMS and key trustee server are installed and configured in your Hadoop cluster. You should have already done this as part of enabling HDFS data at rest encryption.
  • Kerberos is enabled for both Hadoop and BDD. Note that this isn't required, but is strongly recommended. For more information, see Kerberos.
  • TLS/SSL is enabled for both Hadoop and BDD. Note that this isn't required, but is strongly recommended. For more information, see TLS/SSL.

To enable HDFS data at rest encryption for BDD:

  1. Create an encryption zone in HDFS for your BDD files.
    For instructions, refer to the documentation for your Hadoop distribution.
  2. Grant the bdd user the GENERATE_EEK and DECRYPT_EEK privileges for the encryption and decryption keys.
    You can do this in Cloudera Manager, Ambari, or MCS by adding the following properties to the KMS service's kms-acls.xml file. If you need help locating them, refer to your distribution's documentation.
    <property>
        <name>key.acl.bdd_key.DECRYPT_EEK</name>
        <value>bdd,hdfs supergroup</value>
        <description>
            ACL for DECRYPT_EEK operations on key 'bdd_key'.
        </description>
    </property>
    <property>
        <name>key.acl.bdd_key.GENERATE_EEK</name>
        <value>bdd supergroup</value>
        <description>
            ACL for GENERATE_EEK operations on key 'bdd_key'.
        </description>
    </property>
    Be sure to replace bdd in the above code with the name of the bdd user and supergroup with the name of the HDFS super users group, which is defined by the dfs.permissions.supergroup configuration parameter.
    Also note that the hdfs user is included in the value of the DECRYPT_EEK property. This is required if you're storing your Dgraph databases on HDFS, but can be omitted otherwise. For more information, see Installing the HDFS NFS Gateway service.
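The two properties above use the Hadoop ACL value format: a comma-separated list of users, then a space, then a comma-separated list of groups, with a bare * meaning every authenticated user. The following Python script is an added example, not part of the Oracle BDD documentation: it parses a constructed kms-acls.xml fragment (the two bdd_key properties from this page plus a deliberately over-broad entry on a made-up key named other_key) and checks that the bdd user, the HDFS super users group and, when Dgraph databases live on HDFS, the hdfs user appear where this procedure requires them. The function names, the other_key entry and the kms-acls.xml sample are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a kms-acls.xml fragment (not taken from a real cluster).
# The two bdd_key properties mirror the procedure above; other_key is a
# made-up key with a wildcard ACL so the checker has something to flag.
SAMPLE_KMS_ACLS = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>key.acl.bdd_key.DECRYPT_EEK</name>
    <value>bdd,hdfs supergroup</value>
  </property>
  <property>
    <name>key.acl.bdd_key.GENERATE_EEK</name>
    <value>bdd supergroup</value>
  </property>
  <property>
    <name>key.acl.other_key.DECRYPT_EEK</name>
    <value>*</value>
  </property>
</configuration>
"""


def parse_acl_value(value):
    """Parse a Hadoop AccessControlList string: 'user1,user2 group1,group2'.

    Returns (users, groups, wildcard). A value of '*' grants the operation to
    every authenticated user, so it is reported separately as wildcard=True.
    """
    value = value.strip()
    if value == "*":
        return set(), set(), True
    parts = value.split(None, 1)
    users = {u for u in parts[0].split(",") if u} if parts else set()
    groups = {g for g in parts[1].split(",") if g} if len(parts) > 1 else set()
    return users, groups, False


def load_key_acls(xml_text):
    """Return {key_name: {operation: (users, groups, wildcard)}} for every
    key.acl.<key>.<OPERATION> property in a kms-acls.xml document."""
    root = ET.fromstring(xml_text)
    acls = {}
    for prop in root.findall("property"):
        name = prop.findtext("name", "").strip()
        value = prop.findtext("value", "")
        if not name.startswith("key.acl."):
            continue
        rest = name[len("key.acl."):]
        key_name, _, operation = rest.rpartition(".")
        if not key_name or not operation:
            continue
        acls.setdefault(key_name, {})[operation] = parse_acl_value(value)
    return acls


def check_bdd_key_acls(acls, key_name, bdd_user="bdd", supergroup="supergroup",
                       dgraph_on_hdfs=False):
    """Return a list of findings for the BDD key; an empty list means the
    GENERATE_EEK and DECRYPT_EEK ACLs contain exactly the principals this
    procedure calls for. bdd_user and supergroup should be the real bdd user
    name and the value of dfs.permissions.supergroup on your cluster."""
    findings = []
    key_acls = acls.get(key_name, {})
    required = {
        "GENERATE_EEK": ({bdd_user}, {supergroup}),
        # The hdfs user only needs DECRYPT_EEK when Dgraph databases are on HDFS.
        "DECRYPT_EEK": ({bdd_user} | ({"hdfs"} if dgraph_on_hdfs else set()),
                        {supergroup}),
    }
    for operation, (need_users, need_groups) in required.items():
        if operation not in key_acls:
            # With no key-specific entry the KMS falls back to its default ACLs,
            # which is rarely what you want for the BDD key.
            findings.append(f"{key_name}: no {operation} ACL defined")
            continue
        users, groups, wildcard = key_acls[operation]
        if wildcard:
            findings.append(f"{key_name}: {operation} ACL is '*' (any authenticated user)")
            continue
        for user in sorted(need_users - users):
            findings.append(f"{key_name}: user '{user}' missing from {operation}")
        for group in sorted(need_groups - groups):
            findings.append(f"{key_name}: group '{group}' missing from {operation}")
    return findings


if __name__ == "__main__":
    parsed = load_key_acls(SAMPLE_KMS_ACLS)
    for key in sorted(parsed):
        problems = check_bdd_key_acls(parsed, key, dgraph_on_hdfs=True)
        print(key, "OK" if not problems else "; ".join(problems))
```

To run it against a real cluster, read the KMS service's kms-acls.xml into load_key_acls instead of SAMPLE_KMS_ACLS and pass the actual bdd user name and dfs.permissions.supergroup value; a wildcard finding on the BDD key means the encryption zone's key material is decryptable by every authenticated user, not just the principals listed in this procedure.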