Subject: Re: HBase Encryption - HDFS Vs HBase Level
From: Josh Elser
To: user@hbase.apache.org
Date: Fri, 18 Aug 2017 13:55:39 -0400

Some specificity (as I still remember it too vividly)

https://issues.apache.org/jira/browse/HADOOP-11710

Our Sean got this one fixed for 2.6.1, and would be why using HDFS
transparent encryption with 2.6.0 will flat-out not work :)

On 8/18/17 1:35 PM, Ted Yu wrote:
> Please see the 'Hadoop 2.6.x' bullet under
> http://hbase.apache.org/book.html#hadoop
>
> FYI
>
> On Fri, Aug 18, 2017 at 10:25 AM, Saad Mufti wrote:
>
>> Hi,
>>
>> I'm looking for some guidance as our security team is requiring us to
>> implement encryption of our HBase data at rest and in motion. I'm reading
>> the docs and doing research and the choice seems to be between doing it at
>> the HBase level or the more general HDFS level.
>>
>> I am leaning towards HDFS level as there is some other data that is derived
>> from HBase in HDFS and it would be nice to have that encrypted as well.
>> Once set up the encryption is supposed to be transparent to clients. We're
>> still at HBase 1.0 level, we're using a Cloudera 5.5 based distribution but
>> no commercial license. For reasons I won't go into upgrading is not an
>> option in the short term and we need to implement encryption before that.
>>
>> But I have a warning in a google groups somewhere (can't find it anymore)
>> that warns that HDFS level encryption doesn't play well with HBase if on
>> Hadoop 2.6.x, which we're at. Does anyone know the specific issue, or if
>> there is a specific ticket I can look at to see if our Hadoop distro
>> includes that fix?
>>
>> Also, out of the box the Key Management Server included in Hadoop is based
>> on a simple file based Java Keystore and there are warnings that it is not
>> suitable for production environments. Cloudera has their own proprietary
>> KMS but we don't have a license to it. Can anyone share what groups that
>> use pure open source distros are using as their KMS when implementing
>> encryption in production environments?
>>
>> Thanks in advance for any guidance you can provide.
>>
>> ----
>> Saad
>>
>