PowerScale OneFS HDFS Configuration Guide

Configuring HDFS transparent data encryption

If you are using OneFS 8.2.0 or later, you can encrypt Hadoop datasets both in flight between HDFS clients and OneFS and at rest on OneFS through transparent data encryption (TDE). You can enable this feature on all HDFS clients and on OneFS.

HDFS Transparent Data Encryption implements transparent end-to-end encryption. With TDE, the data can only be encrypted and decrypted by the client, and HDFS never stores or has access to unencrypted data or unencrypted data encryption keys.

Transparent data encryption satisfies two typical security, regulatory, and compliance requirements for encryption:

  • Data encryption on persistent media, such as on-disk data
  • In-transit encryption, for example when data is traveling over the network

How transparent data encryption works

Once configured, data read from and written to configured HDFS directories, called encryption zones, is transparently encrypted and decrypted without requiring changes to user application code. The contents of encryption zones are transparently encrypted upon write and transparently decrypted upon read.

Each encryption zone is associated with a single encryption zone key, which is specified when the zone is created. Each file within an encryption zone has its own unique data encryption key (DEK). Data encryption keys are never handled directly by HDFS. Instead, HDFS only handles an encrypted data encryption key (EDEK). HDFS clients decrypt the EDEK and then use the resulting DEK to read and write data. During this transfer, HDFS data nodes see only a stream of encrypted bytes.
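The key hierarchy described above, modelled as an added Python example that is not from this guide or from OneFS: a KMS holds the encryption zone key, each file gets its own DEK that is stored only in wrapped form (EDEK), and the storage side holds nothing but the EDEK and ciphertext. The `KMS`, `HDFSStore` and client functions are constructed stand-ins, and HMAC-SHA256 in counter mode stands in for the AES-CTR cipher HDFS actually uses.

```python
import hashlib
import hmac
import os


def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher from HMAC-SHA256 (assumption: stand-in for AES-CTR).
    XOR-based, so the same call both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class KMS:
    """Key Management Server: the only party that ever holds an encryption zone (EZ) key."""

    def __init__(self) -> None:
        self._ez_keys: dict[str, bytes] = {}

    def create_zone_key(self, name: str) -> None:
        self._ez_keys[name] = os.urandom(32)

    def generate_edek(self, zone_key_name: str) -> tuple[bytes, bytes]:
        """Requested when a file is created: a fresh per-file DEK, returned only wrapped (EDEK)."""
        dek, wrap_iv = os.urandom(32), os.urandom(16)
        return wrap_iv, _ctr_xor(self._ez_keys[zone_key_name], wrap_iv, dek)

    def decrypt_edek(self, zone_key_name: str, wrap_iv: bytes, edek: bytes) -> bytes:
        """Called by an authorized HDFS client; NameNode and DataNodes never call this."""
        return _ctr_xor(self._ez_keys[zone_key_name], wrap_iv, edek)


class HDFSStore:
    """NameNode/DataNode view: per file (wrap_iv, edek, data_iv, ciphertext), nothing else."""

    def __init__(self) -> None:
        self.files: dict[str, tuple[bytes, bytes, bytes, bytes]] = {}


def client_write(kms: KMS, store: HDFSStore, zone_key: str, path: str, plaintext: bytes) -> None:
    wrap_iv, edek = kms.generate_edek(zone_key)          # HDFS obtains an EDEK for the new file
    dek = kms.decrypt_edek(zone_key, wrap_iv, edek)      # only the client unwraps it
    data_iv = os.urandom(16)
    store.files[path] = (wrap_iv, edek, data_iv, _ctr_xor(dek, data_iv, plaintext))


def client_read(kms: KMS, store: HDFSStore, zone_key: str, path: str) -> bytes:
    wrap_iv, edek, data_iv, ciphertext = store.files[path]
    dek = kms.decrypt_edek(zone_key, wrap_iv, edek)
    return _ctr_xor(dek, data_iv, ciphertext)


def storage_side_view(store: HDFSStore, path: str) -> tuple[bytes, bytes]:
    """What a DataNode, or anyone reading the disk, can see: the wrapped key and ciphertext."""
    _, edek, _, ciphertext = store.files[path]
    return edek, ciphertext
```

Writing the same plaintext to two files yields different EDEKs and different ciphertexts, which is the per-file DEK property the text describes.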

Limitations

  • HDFS TDE for OneFS 8.2.0 is limited to HDFS client access only. Note that HDFS TDE is not a multi-protocol feature. Once the data is ingested, it can only be decrypted by the HDFS client.
  • Data written to and read from HDFS encryption zones should only be accessed over the HDFS protocol.
  • The OneFS web administration interface configuration is not available for Key Management Server (KMS) configuration or for encryption zone management. Encryption zones can only be created using the OneFS command-line interface (CLI). Hadoop command-line tools to create encryption zones are not currently supported in OneFS 8.2.0.
  • SyncIQ will not move encryption zones for OneFS 8.2.0.

You can configure TDE using the following command-line interface (CLI) commands:

  • isi hdfs crypto encryption-zones create
  • isi hdfs crypto settings modify
  • isi hdfs crypto settings view
  • isi hdfs crypto encryption-zones list

The CLI syntax is described in the HDFS Commands section of this guide.
