hadoop-hdfs-issues mailing list archives

From "Charles Lamb (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-6134) Transparent data at rest encryption
Date Thu, 14 Aug 2014 20:48:22 GMT

    [ https://issues.apache.org/jira/browse/HDFS-6134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14097626#comment-14097626 ]

Charles Lamb commented on HDFS-6134:

the EZ master key (EZKey) is only needed for file creation in EZ subtree. After that for reading
or appending to a file, one simply needs the file's individual key. If that is true then one
can copy raw encrypted files and their keys from an EZ to tape, har, tar, etc and then restore
them later and things would just work. Also can one copy raw encrypted files and their keys
from an EZ to another EZ which has a different EZKey and again things would work?

Not exactly. Each file has an EDEK associated with it. That's a key (the DEK) which has been
encrypted with the ez-key. To read the file, you need to turn the EDEK into a DEK by decrypting
the EDEK with the ez-key.

That said, you can still read back tape, har, tar, etc later as long as you still have access
to the ez-key (which presumably you do).

> Transparent data at rest encryption
> -----------------------------------
>                 Key: HDFS-6134
>                 URL: https://issues.apache.org/jira/browse/HDFS-6134
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 3.0.0, 2.3.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Charles Lamb
>         Attachments: HDFS-6134.001.patch, HDFS-6134.002.patch, HDFS-6134_test_plan.pdf, HDFSDataatRestEncryption.pdf, HDFSDataatRestEncryptionProposal_obsolete.pdf, HDFSEncryptionConceptualDesignProposal-2014-06-20.pdf
> Because of privacy and security regulations, for many industries, sensitive data at rest must be in encrypted form. For example: the healthcare industry (HIPAA regulations), the card payment industry (PCI DSS regulations) or the US government (FISMA regulations).
> This JIRA aims to provide a mechanism to encrypt HDFS data at rest that can be used transparently by any application accessing HDFS via Hadoop Filesystem Java API, Hadoop libhdfs C library,
> The resulting implementation should be able to be used in compliance with different regulation
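
The EDEK/DEK/ez-key relationship described in the comment above, as an added example that is not part of the original message or of the HDFS code. The function names, the blob layout and the choice of AES-256-GCM are assumptions of this sketch, and in-memory random keys stand in for a real key store.

```javascript
const nodeCrypto = require('crypto');

// AES-256-GCM is this example's assumption (the comment names no cipher); its auth
// tag makes a wrong key fail visibly. Blob layout: nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Reverses seal(); throws if `key` is not the key the blob was sealed under.
function open(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// File creation: generate a per-file DEK, store only its wrapped form (the EDEK).
function createFile(ezKey, data) {
  const dek = nodeCrypto.randomBytes(32);
  return { edek: seal(ezKey, dek), raw: seal(dek, data) };
}

// Read path from the comment: decrypt the EDEK with the ez-key, then the data with the DEK.
function readFile(ezKey, file) {
  const dek = open(ezKey, file.edek);
  return open(dek, file.raw);
}

// Returns the plaintext as a string, or null when decryption fails.
function tryRead(ezKey, file) {
  try {
    return readFile(ezKey, file).toString();
  } catch (err) {
    return null;
  }
}

// Constructed scenario: raw bytes plus EDEK are copied out of zone A and read back later.
const ezKeyA = nodeCrypto.randomBytes(32);
const ezKeyB = nodeCrypto.randomBytes(32); // a different zone's ez-key
const backup = createFile(ezKeyA, Buffer.from('constructed record'));
console.log('read back with ez-key A:', tryRead(ezKeyA, backup));
console.log('read with ez-key B:     ', tryRead(ezKeyB, backup));
```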
