hadoop-hdfs-user mailing list archives

From Rajesh Kartha <karth...@gmail.com>
Subject Re: Encryption At Rest Question
Date Wed, 25 Feb 2015 04:11:08 GMT
Thank you all for clarifying.

Indeed, both ways, 1) via the contents of the file block and 2) looking at
/.reserved/raw/.., confirm the file is encrypted.


On Tue, Feb 24, 2015 at 6:58 PM, Charles Lamb <clamb@cloudera.com> wrote:

> On 2/24/2015 8:56 PM, Liu, Yi A wrote:
>> The data is decrypted on client side after obtaining DEK from KMS, *not*
>> decrypted by DN.
> My colleague Yi is correct that data is not decrypted by the DN with one
> exception: WebHDFS uses the DN as the proxy and therefore the DN does the
> decryption in that case. HttpFs is recommended instead.
>> Right, currently DEK is better to be protected by https on the wire.
>> If you want to confirm the file is encrypted, one way is to see the
>> content of file blocks.
> Another way is to use the /.reserved/raw prefix on a file. This special
> prefix is only accessible by the hdfs admin. It gives the encrypted (raw)
> bits of a file rather than the decrypted bits. For example, if you have a
> file /ez/myfile, then /.reserved/raw/ez/myfile will yield the encrypted
> bits of the file.
> Charles
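
The check discussed in this thread, as an added example that is not part of the original messages: it compares the bytes read through the normal path (/ez/myfile) with the bytes read through /.reserved/raw/ez/myfile. The function names, thresholds and sample data are constructed for illustration, and it assumes the zone uses a CTR-mode cipher, so both views have the same length.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for ciphertext, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def compare_views(decrypted: bytes, raw: bytes,
                  min_len: int = 4096, min_entropy: float = 7.5) -> dict:
    """decrypted: bytes read via /ez/myfile (normal client path).
    raw: bytes read via /.reserved/raw/ez/myfile (as the hdfs admin)."""
    entropy_checked = len(raw) >= min_len  # entropy is unreliable on tiny files
    entropy = shannon_entropy(raw)
    result = {
        # Assumption: CTR mode, so ciphertext and plaintext lengths match.
        "same_length": len(decrypted) == len(raw),
        "content_differs": hashlib.sha256(decrypted).digest()
                           != hashlib.sha256(raw).digest(),
        "raw_entropy": round(entropy, 2),
        "entropy_checked": entropy_checked,
    }
    result["looks_encrypted"] = (
        result["same_length"] and result["content_differs"]
        and (entropy >= min_entropy or not entropy_checked))
    return result

def constructed_sample() -> tuple:
    """Constructed data: text plaintext, XORed with a SHA-256 counter keystream
    as an offline stand-in for what the raw path would return."""
    plain = b"2015-02-24 INFO constructed sample record\n" * 256
    stream = b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest()
                      for i in range(len(plain) // 32 + 1))
    raw = bytes(p ^ k for p, k in zip(plain, stream))
    return plain, raw

if __name__ == "__main__":
    plain, raw = constructed_sample()
    print("encrypted file:  ", compare_views(plain, raw))
    print("unencrypted file:", compare_views(plain, plain))
```

If the two views are byte-identical, the file is not in an encryption zone; a length mismatch means the two reads were not of the same file state.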
