hadoop-hdfs-user mailing list archives

From Rajesh Kartha <karth...@gmail.com>
Subject Re: Encryption At Rest Question
Date Wed, 25 Feb 2015 04:11:08 GMT
Thank you all for clarifying.

Indeed, both ways, 1) via the contents of the file block and 2) looking at
the /.reserved/raw/.., confirm the file is encrypted.

Regards,
Rajesh


On Tue, Feb 24, 2015 at 6:58 PM, Charles Lamb <clamb@cloudera.com> wrote:

> On 2/24/2015 8:56 PM, Liu, Yi A wrote:
>
>> The data is decrypted on client side after obtaining DEK from KMS, *not*
>> decrypted by DN.
>>
> My colleague Yi is correct that data is not decrypted by the DN with one
> exception: WebHDFS uses the DN as the proxy and therefore the DN does the
> decryption in that case. HttpFs is recommended instead.
>
>> Right, currently DEK is better to be protected by https on the wire.
>>
>> If you want to confirm the file is encrypted, one way is to see the
>> content of file blocks.
>>
> Another way is to use the /.reserved/raw prefix on a file. This special
> prefix is only accessible by the hdfs admin. It gives the encrypted (raw)
> bits of a file rather than the decrypted bits. For example, if you have a
> file /ez/myfile, then /.reserved/raw/ez/myfile will yield the encrypted
> bits of the file.
>
> Charles
>
>
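
The /.reserved/raw check described in the thread, as an added example that is not part of the original messages: it reads the same file through its normal path and through the /.reserved/raw prefix, then compares the bytes. The function names and verdict strings are assumptions of this example; it has to run as the hdfs superuser, takes an absolute path, and relies on HDFS encryption zones using AES-CTR, where ciphertext and plaintext have the same length.

```shell
# Added example (not from the thread); function names are made up here.
# Return codes:
#   0 ENCRYPTED      raw bytes differ from the client-decrypted bytes
#   1 NOT_ENCRYPTED  raw view is byte-identical to the plaintext view
#   2 INCONCLUSIVE   empty file, or lengths differ (file changed between reads)
#   3 FETCH_FAILED   hdfs could not read one of the two paths
compare_views() {
    local plain="$1" raw="$2" plain_len raw_len
    plain_len=$(wc -c < "$plain" | tr -d ' ')
    raw_len=$(wc -c < "$raw" | tr -d ' ')
    # AES-CTR adds no padding, so both views must have the same length.
    if [ "$plain_len" -eq 0 ] || [ "$plain_len" -ne "$raw_len" ]; then
        echo "INCONCLUSIVE"; return 2
    fi
    if cmp -s "$plain" "$raw"; then
        echo "NOT_ENCRYPTED"; return 1
    fi
    echo "ENCRYPTED"; return 0
}

# check_hdfs_path /ez/myfile : fetch both views from HDFS and compare them.
check_hdfs_path() {
    local path="$1" tmp rc=0
    tmp=$(mktemp -d) || return 3
    if ! hdfs dfs -cat "$path" > "$tmp/plain" ||
       ! hdfs dfs -cat "/.reserved/raw$path" > "$tmp/raw"; then
        echo "FETCH_FAILED"; rc=3
    else
        compare_views "$tmp/plain" "$tmp/raw" || rc=$?
    fi
    rm -rf "$tmp"   # the plaintext copy must not be left behind on local disk
    return "$rc"
}

# Run only when a path is given and the hdfs client is installed.
if [ -n "${1:-}" ] && command -v hdfs >/dev/null 2>&1; then
    check_hdfs_path "$1"
fi
```

A file outside any encryption zone returns NOT_ENCRYPTED, because /.reserved/raw then yields the same bytes as the normal path.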
