Appendix C: Transparent encryption reference
To configure transparent encryption, use the following Amazon EMR configuration JSON:
[{"classification":"hdfs-encryption-zones","properties":{"/user/hbase":"hbase-key"}}]
In addition to the preceding classification, you must disable open-source HDFS encryption in the Amazon EMR security configuration. By default, the at-rest encryption settings for local disks in an Amazon EMR security configuration tie open-source HDFS encryption to LUKS encryption.
If you need transparent encryption and your application is latency sensitive, do not enable at-rest encryption through an Amazon EMR security configuration; configure LUKS with a bootstrap action instead.
To check that WALs are being encrypted, run the following two commands:
sudo -u hdfs hdfs dfs -ls /user/HBase/WAL/ip-xx-xx-x-xx.ec2.internal,16020,1520373175110
sudo -u hdfs hdfs crypto -getFileEncryptionInfo -path /user/HBase/WAL/WALs/ip-xx-xx-x-xx.ec2.internal,16020,1520373175110/ip-xx-xx-x-xx.ec2.internal%2C16020%2C1520373175110.1520373184129
If the old WALs are being encrypted, the output of the last command looks like the following:
{cipherSuite: {name: AES/CTR/NoPadding, algorithmBlockSize: 16}, cryptoProtocolVersion: CryptoProtocolVersion{description='Encryption zones', version=2, unknownValue=null}, edek: 7c3c2fcf8337f14bbf815697686de5a696c6670c0f41eb71678b53ee5326c33e, iv: eac6cf91bdd2eee8496f1ddb19b4fcf8, keyName: HBase-key, ezKeyVersionName: hbase-key@0}
Note
The default configurations grant access to the DECRYPT_EEK operation on all keys (/etc/hadoop-kms/conf/kms-acls.xml).
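The two checks above (that a WAL file carries the expected cipher suite and key, and that the KMS ACLs do not leave DECRYPT_EEK open to everyone) can be scripted so that they run over every file and every ACL rather than by eye. The following POSIX shell script is an added example written for this appendix; it is not part of the whitepaper or of Amazon EMR. The getFileEncryptionInfo output and the two kms-acls.xml fragments are constructed inputs shaped like the output and file named in the text, and the principal names hbase and hdfs are assumptions about which service users run HBase and HDFS. The property names hadoop.kms.acl.DECRYPT_EEK, hadoop.kms.blacklist.DECRYPT_EEK, default.key.acl.DECRYPT_EEK and key.acl.<key>.DECRYPT_EEK are the standard Hadoop KMS ACL keys.

```shell
#!/bin/sh
# Added example (not from the whitepaper): offline checks for the two things this
# appendix says to verify. Sample inputs are constructed; principals are assumed.

# Constructed sample of `hdfs crypto -getFileEncryptionInfo` output for a WAL file
# inside the /user/hbase zone, shaped like the example output in the text.
SAMPLE_INFO="{cipherSuite: {name: AES/CTR/NoPadding, algorithmBlockSize: 16}, cryptoProtocolVersion: CryptoProtocolVersion{description='Encryption zones', version=2, unknownValue=null}, edek: 7c3c2fcf8337f14bbf815697686de5a696c6670c0f41eb71678b53ee5326c33e, iv: eac6cf91bdd2eee8496f1ddb19b4fcf8, keyName: hbase-key, ezKeyVersionName: hbase-key@0}"

# Verdict on one getFileEncryptionInfo output.
#   $1 = command output, $2 = key name the zone is expected to use
# Prints OK, or FAIL:<reason>. A file that is outside any encryption zone has no
# cipherSuite in its output at all, so it fails the first test like a wrong cipher.
wal_encryption_verdict() {
    info=$1
    expected_key=$2
    case "$info" in
        *"cipherSuite: {name: AES/CTR/NoPadding"*) ;;
        *) echo "FAIL:cipher"; return 0 ;;
    esac
    key=$(printf '%s\n' "$info" | sed -n 's/.*keyName: \([^,}]*\).*/\1/p')
    if [ "$key" != "$expected_key" ]; then
        echo "FAIL:key:$key"
        return 0
    fi
    echo OK
}

# On a cluster: apply the verdict to every file under a WAL directory ($1) against
# the expected key ($2). Run as the hdfs user. Not executed here (needs live HDFS).
check_wal_dir() {
    hdfs dfs -ls "$1" | awk 'NF >= 8 { print $NF }' | while read -r f; do
        printf '%s %s\n' "$f" "$(wal_encryption_verdict "$(hdfs crypto -getFileEncryptionInfo -path "$f")" "$2")"
    done
}

# Print "<name> <value>" for every property in a Hadoop kms-acls.xml (on stdin)
# whose name ends in DECRYPT_EEK. Assumes <name> precedes <value> in each property.
kms_decrypt_eek_acls() {
    awk '
        /<name>/  { n = $0; sub(/.*<name>/, "", n); sub(/<\/name>.*/, "", n) }
        /<value>/ { v = $0; sub(/.*<value>/, "", v); sub(/<\/value>.*/, "", v)
                    if (n ~ /DECRYPT_EEK$/) print n, v
                    n = "" }
    '
}

# Verdict on kms-acls.xml contents ($1): OK when no DECRYPT_EEK ACL is the wildcard
# "*", otherwise FAIL:wildcard:<space-separated property names> for review.
kms_acl_verdict() {
    bad=$(printf '%s\n' "$1" | kms_decrypt_eek_acls | awk '$2 == "*" { print $1 }' | tr '\n' ' ')
    if [ -z "$bad" ]; then
        echo OK
    else
        echo "FAIL:wildcard:${bad% }"
    fi
}

# Constructed fragment in the shape of the default the note describes: DECRYPT_EEK
# open to every principal on every key.
DEFAULT_ACLS='<configuration>
  <property>
    <name>hadoop.kms.acl.DECRYPT_EEK</name>
    <value>*</value>
  </property>
  <property>
    <name>default.key.acl.DECRYPT_EEK</name>
    <value>*</value>
  </property>
</configuration>'

# Constructed hardened fragment (assumed principals): only the hbase service user may
# decrypt EEKs, the per-key ACL for hbase-key says the same, and the hdfs superuser
# is blacklisted so that HDFS administration alone cannot read WAL contents.
HARDENED_ACLS='<configuration>
  <property>
    <name>hadoop.kms.acl.DECRYPT_EEK</name>
    <value>hbase</value>
  </property>
  <property>
    <name>hadoop.kms.blacklist.DECRYPT_EEK</name>
    <value>hdfs</value>
  </property>
  <property>
    <name>key.acl.hbase-key.DECRYPT_EEK</name>
    <value>hbase</value>
  </property>
</configuration>'

# Demonstration on the constructed inputs.
wal_encryption_verdict "$SAMPLE_INFO" hbase-key   # OK
wal_encryption_verdict "$SAMPLE_INFO" other-key   # FAIL:key:hbase-key
kms_acl_verdict "$DEFAULT_ACLS"                   # FAIL:wildcard:hadoop.kms.acl.DECRYPT_EEK default.key.acl.DECRYPT_EEK
kms_acl_verdict "$HARDENED_ACLS"                  # OK
```

On a cluster, `kms_acl_verdict "$(cat /etc/hadoop-kms/conf/kms-acls.xml)"` reports the wildcard entries, and `check_wal_dir /user/HBase/WAL/WALs hbase-key` (as the hdfs user) prints one verdict per WAL file. The ACL check deliberately lists every wildcard DECRYPT_EEK entry rather than deciding which combination is acceptable, because KMS evaluates the coarse-grained, per-key, default and whitelist ACLs together and the right split depends on the cluster.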
For more details, see Transparent Encryption in HDFS on Amazon EMR and Transparent Encryption in HDFS.