hadoop-user mailing list archives

From Charles Lamb <cl...@cloudera.com>
Subject Re: Encryption At Rest Question
Date Wed, 25 Feb 2015 02:58:15 GMT
On 2/24/2015 8:56 PM, Liu, Yi A wrote:
> The data is decrypted on client side after obtaining DEK from KMS, *not* decrypted by DN.
My colleague Yi is correct that data is not decrypted by the DN with one 
exception: WebHDFS uses the DN as the proxy and therefore the DN does 
the decryption in that case. HttpFs is recommended instead.
> Right, currently DEK is better to be protected by https on the wire.
>
> If you want to confirm the file is encrypted, one way is to see the content of file blocks.
Another way is to use the /.reserved/raw prefix on a file. This special 
prefix is only accessible by the hdfs admin. It gives the encrypted 
(raw) bits of a file rather than the decrypted bits. For example, if you 
have a file /ez/myfile, then /.reserved/raw/ez/myfile will yield the 
encrypted bits of the file.

Charles
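
The /.reserved/raw check described in the message above, as an added example that is not part of the original thread: it reads one small test file through its normal path and through the raw prefix and compares the bytes. The function name and the HDFS_CMD variable are assumptions of this sketch, and it must run as the hdfs admin for the raw read to succeed.

```shell
# Added example (not from the original thread). HDFS_CMD is an assumption of
# this sketch: it names the client to run, so a stub can replace it in tests.
HDFS_CMD="${HDFS_CMD:-hdfs}"

# check_encrypted_at_rest /abs/path   (hypothetical helper name)
# Exit status: 0 = raw bytes differ from the client view (encrypted at rest)
#              1 = raw bytes are identical (stored in the clear)
#              2 = bad argument, or one of the two reads failed
check_encrypted_at_rest() {
    path="$1"
    case "$path" in
        /.reserved/*) echo "pass the normal path, not a /.reserved one" >&2; return 2 ;;
        /*) ;;
        *) echo "path must be absolute: $path" >&2; return 2 ;;
    esac

    tmpdir="$(mktemp -d)" || return 2
    result=2
    # Normal read: the client obtains the DEK from the KMS and decrypts.
    if ! "$HDFS_CMD" dfs -cat "$path" > "$tmpdir/clear" 2>/dev/null; then
        echo "cannot read $path" >&2
    # Raw read: hdfs admin only, returns the bytes exactly as stored.
    elif ! "$HDFS_CMD" dfs -cat "/.reserved/raw$path" > "$tmpdir/raw" 2>/dev/null; then
        echo "cannot read /.reserved/raw$path (requires the hdfs admin)" >&2
    elif [ ! -s "$tmpdir/clear" ]; then
        echo "file is empty, nothing to compare" >&2
    elif cmp -s "$tmpdir/clear" "$tmpdir/raw"; then
        result=1
    else
        result=0
    fi
    rm -rf "$tmpdir"
    return "$result"
}
```

Call it as `check_encrypted_at_rest /ez/myfile`; a status of 2 means the comparison could not be made and says nothing about encryption either way.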

