Verifying HDFS encryption
This section describes the steps to verify HDFS encryption on CDP Private Cloud Base with IBM Storage® Scale.
Procedure
- Log in to the Ranger GUI as keyadmin.
- To allow key creation, select the cm_kms policy, edit the policy, and add a role for a regular user. You may add more roles as needed. This example uses the testuser user that was created in Verifying installation.
- Get a Kerberos ticket for testuser and create a new encryption key:

  ```
  # kinit -kt /etc/security/keytabs/testuser.headless.keytab testuser@<Your Realm Name>
  # hadoop key create mykey
  ```

- Create an empty directory to be used as an encryption zone, then designate the /tmp/myzone directory as an encryption zone. For this purpose, this example uses the hdfs user, which is a member of the Hadoop supergroup:

  ```
  # kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs@<Your Realm Name>
  # hadoop fs -mkdir /tmp/myzone
  # hadoop fs -chown testuser:testuser /tmp/myzone
  # hdfs crypto -createZone -keyName mykey -path /tmp/myzone
  ```

- Log in as testuser and verify the zone. For this test, use an input file (for example, /tmp/helloWorld) and run the following commands:

  ```
  # kinit -kt /etc/security/keytabs/testuser.headless.keytab testuser@<Your Realm Name>
  # hadoop fs -put /tmp/helloWorld /tmp/myzone/
  # hdfs crypto -getFileEncryptionInfo -path /tmp/myzone/helloWorld
  ```

  Console output:

  ```
  {cipherSuite: {name: AES/CTR/NoPadding, algorithmBlockSize: 16}, cryptoProtocolVersion: CryptoProtocolVersion{description='Encryption zones', version=1, unknownValue=null}, edek: 2010d301afbd43b58f10737ce4e93b39, iv: ade2293db2bab1a2e337f91361304cb3, keyName: mykey, ezKeyVersionName: mykey@0}
  ```
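The last step asks you to read the `hdfs crypto -getFileEncryptionInfo` output by eye. The script below is an added example, not part of the original procedure or of the CDP or IBM Storage Scale tooling: it parses that console output and checks that the file really is encrypted with the expected key, using AES/CTR/NoPadding with a 16-byte EDEK and IV. The function names (`fei_field`, `is_hex32`, `check_encryption_info`) and the `SAMPLE_FEI` variable are this example's own; the sample text in `SAMPLE_FEI` is the console output quoted in the procedure.

```shell
#!/bin/sh
# Added example, not from the original procedure: script the verification
# of `hdfs crypto -getFileEncryptionInfo` output instead of reading it by eye.
# Function and variable names here are this example's own.

# Console output quoted in the procedure for /tmp/myzone/helloWorld.
SAMPLE_FEI="{cipherSuite: {name: AES/CTR/NoPadding, algorithmBlockSize: 16}, cryptoProtocolVersion: CryptoProtocolVersion{description='Encryption zones', version=1, unknownValue=null}, edek: 2010d301afbd43b58f10737ce4e93b39, iv: ade2293db2bab1a2e337f91361304cb3, keyName: mykey, ezKeyVersionName: mykey@0}"

# fei_field OUTPUT FIELD: print the value of "FIELD: value" from OUTPUT.
# A field is only recognised when preceded by '{' or a space, so a request
# for "name" does not match "keyName" or "ezKeyVersionName".
fei_field() {
    printf '%s\n' "$1" | sed -n "s/.*[{ ]$2: \([^,}]*\).*/\1/p"
}

# is_hex32 VALUE: true when VALUE is exactly 32 lowercase hex digits (16 bytes).
is_hex32() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# check_encryption_info EXPECTED_KEY OUTPUT
# Returns 0 when OUTPUT describes a file encrypted with EXPECTED_KEY using
# AES/CTR/NoPadding and carrying a 16-byte EDEK and IV; otherwise prints the
# first failing check and returns 1. A file outside any encryption zone has
# no keyName in its output, so it fails the key-name check.
check_encryption_info() {
    expected_key=$1
    output=$2
    cipher=$(fei_field "$output" name)
    key=$(fei_field "$output" keyName)
    edek=$(fei_field "$output" edek)
    iv=$(fei_field "$output" iv)

    [ "$cipher" = "AES/CTR/NoPadding" ] || { echo "unexpected cipher suite: '$cipher'"; return 1; }
    [ "$key" = "$expected_key" ] || { echo "unexpected key name: '$key'"; return 1; }
    is_hex32 "$edek" || { echo "EDEK is not 16 bytes of hex: '$edek'"; return 1; }
    is_hex32 "$iv" || { echo "IV is not 16 bytes of hex: '$iv'"; return 1; }
    echo "ok: encrypted with key $key ($cipher)"
    return 0
}

# On the cluster, with the testuser ticket from the procedure, run:
#   check_encryption_info mykey "$(hdfs crypto -getFileEncryptionInfo -path /tmp/myzone/helloWorld)"
# Offline self-check against the quoted output:
check_encryption_info mykey "$SAMPLE_FEI"
```

Passing a different key name, or the output for a file that is not inside an encryption zone, makes the function return 1, which lets the zone check fail a verification script instead of relying on someone noticing a missing keyName.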