hadoop-hdfs-issues mailing list archives

From "Sanjay Radia (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-6134) Transparent data at rest encryption
Date Mon, 23 Jun 2014 23:03:26 GMT

    [ https://issues.apache.org/jira/browse/HDFS-6134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14041449#comment-14041449 ]

Sanjay Radia commented on HDFS-6134:
------------------------------------

> Vanilla distcp will just work with transparent encryption. Data will be decrypted on read
> and encrypted on write, assuming both source and target are in encrypted zones. ...The proposal
> on changing distcp is to enable a second use case.

Alejandro, Aaron, the general practice is not to give the admins running distcp access to
keys. Hence, as you suggest, we could change distcp so that it does not use transparent decryption
by default; however, there may be other such backup tools and applications that customers
and other vendors may have written and we would be breaking them. This may also break the
HAR filesystem.

Aaron, you took on a very strong position that transparent decryption/reencryption "is
exactly what one wants". I am missing this - what are the use cases for distcp where one
wants transparent decryption/reencryption?

> Transparent data at rest encryption
> -----------------------------------
>
>                 Key: HDFS-6134
>                 URL: https://issues.apache.org/jira/browse/HDFS-6134
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 2.3.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: HDFSDataatRestEncryptionProposal_obsolete.pdf, HDFSEncryptionConceptualDesignProposal-2014-06-20.pdf
>
>
> Because of privacy and security regulations, for many industries, sensitive data at rest
> must be in encrypted form. For example: the healthcare industry (HIPAA regulations), the
> card payment industry (PCI DSS regulations) or the US government (FISMA regulations).
> This JIRA aims to provide a mechanism to encrypt HDFS data at rest that can be used transparently
> by any application accessing HDFS via Hadoop Filesystem Java API, Hadoop libhdfs C library,
> or WebHDFS REST API.
> The resulting implementation should be able to be used in compliance with different regulation
> requirements.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
