Transparent Data Encryption

The Ozone TDE setup process and usage are very similar to HDFS TDE. The major difference is that Ozone TDE is enabled at the Ozone bucket level, when a bucket is created.

Setting up the Key Management Server

To use TDE, an admin must set up a Key Management Server and provide its URI to Ozone/HDFS. Since Ozone and HDFS can use the same Key Management Server, this configuration can be provided via hdfs-site.xml.

Property    Value
            URI, e.g. kms://http@kms-host:9600/kms
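
A pre-flight check for the key provider setting described above, as an added example that is not part of the Ozone documentation: it reads the KMS URI from hdfs-site.xml, expands it into the endpoints clients will contact, and flags plain-HTTP transport such as the page's kms://http@ example. The property name hadoop.security.key.provider.path (Hadoop's standard key-provider setting, not shown on this page), the semicolon-separated multi-host form, and the sample file are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumption: Hadoop's standard key-provider property (name not shown on this page).
KEY_PROVIDER_PROPERTY = "hadoop.security.key.provider.path"

# Constructed sample hdfs-site.xml carrying the page's example URI.
SAMPLE_HDFS_SITE = """<configuration>
  <property>
    <name>hadoop.security.key.provider.path</name>
    <value>kms://http@kms-host:9600/kms</value>
  </property>
</configuration>"""

def key_provider_uri(site_xml):
    """Return the configured key provider URI, or None if the property is absent."""
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == KEY_PROVIDER_PROPERTY:
            return (prop.findtext("value") or "").strip() or None
    return None

def kms_endpoints(uri):
    """Expand kms://<scheme>@<host[;host...]>[:port]/<path> into transport URLs."""
    if not uri.startswith("kms://") or "@" not in uri:
        raise ValueError(f"not a kms:// provider URI: {uri!r}")
    scheme, _, rest = uri[len("kms://"):].partition("@")
    if scheme not in ("http", "https"):
        raise ValueError(f"unexpected transport scheme: {scheme!r}")
    authority, _, path = rest.partition("/")
    hosts, _, port = authority.partition(":")  # one port shared by all hosts
    suffix = (f":{port}" if port else "") + "/" + path
    return [f"{scheme}://{h}{suffix}" for h in hosts.split(";") if h]

def check(site_xml):
    """Return (endpoints, findings) for a review of the TDE key provider setting."""
    uri = key_provider_uri(site_xml)
    if uri is None:
        return [], [f"{KEY_PROVIDER_PROPERTY} is not set in this file"]
    endpoints = kms_endpoints(uri)
    findings = [f"{e}: plain HTTP, key requests are not protected by TLS"
                for e in endpoints if e.startswith("http://")]
    return endpoints, findings

if __name__ == "__main__":
    endpoints, findings = check(SAMPLE_HDFS_SITE)
    print("KMS endpoints:", endpoints)
    for f in findings:
        print("WARN", f)
```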

Using Transparent Data Encryption

If the Key Management Server is already configured for your cluster, you can proceed directly to creating the encryption key and enabling encrypted buckets.

To create an encrypted bucket, a client needs to:

  • Create a bucket encryption key with the hadoop key CLI, which is similar to how you would use HDFS encryption zones.

      hadoop key create encKey

The above command creates an encryption key for the bucket you want to protect. Once the key is created, you can tell Ozone to use that key when reading data from and writing data into a bucket.

  • Assign the encryption key to a bucket.

      ozone sh bucket create -k encKey /vol/encryptedBucket

After this command, all data written to encryptedBucket is encrypted with encKey. When reading, clients talk to the Key Management Server, read the key, and decrypt the data. In other words, the data stored inside Ozone is always encrypted. The fact that data is encrypted at rest is completely transparent to clients and end users.