smengcl commented on code in PR #8530: URL: https://github.com/apache/ozone/pull/8530#discussion_r2125020590
########## hadoop-hdds/docs/content/security/SecuringTDE.md: ########## @@ -25,64 +25,80 @@ icon: lock limitations under the License. --> -Ozone TDE setup process and usage are very similar to HDFS TDE. -The major difference is that Ozone TDE is enabled at Ozone bucket level -when a bucket is created. +Ozone Transparent Data Encryption (TDE) enables you to encrypt data at rest. TDE is enabled at the bucket level when a bucket is created. To use TDE, an administrator must first configure a Key Management Server (KMS). Ozone can work with **Hadoop KMS** and **Ranger KMS**. The KMS URI needs to be provided to Ozone via the `core-site.xml` configuration file. -### Setting up the Key Management Server +Once the KMS is configured, users can create an encryption key and then create an encrypted bucket using that key. All data written to an encrypted bucket will be transparently encrypted on the server-side, and data read from the bucket will be transparently decrypted. -To use TDE, admin must setup a Key Management Server and provide that URI to -Ozone/HDFS. Since Ozone and HDFS can use the same Key Management Server, this - configuration can be provided via *core-site.xml*. +### Configuring TDE -Property| Value ------------------------------------|----------------------------------------- -hadoop.security.key.provider.path | KMS uri. <br> e.g. kms://http@kms-host:9600/kms +1. **Set up a Key Management Server (KMS):** + * **Hadoop KMS:** Follow the instructions in the [Hadoop KMS documentation](https://hadoop.apache.org/docs/r3.4.1/hadoop-kms/index.html). + * **Ranger KMS:** Ranger KMS can also be used. For Ranger KMS, encryption keys can be managed via the Ranger KMS management console or its [REST API](https://ranger.apache.org/kms/apidocs/index.html), in addition to the `hadoop key` command line interface. -### Using Transparent Data Encryption -If this is already configured for your cluster, then you can simply proceed -to create the encryption key and enable encrypted buckets. +2. **Configure Ozone:** + Add the following property to Ozone’s `core-site.xml`: -To create an encrypted bucket, client need to: + <property> + <name>hadoop.security.key.provider.path</name> + <value><kms_provider_path></value> + </property> - * Create a bucket encryption key with hadoop key CLI, which is similar to - how you would use HDFS encryption zones. + Replace `<kms_provider_path>` with the actual URI of your KMS. For example, `kms://[email protected]:9600/kms` - ```bash - hadoop key create enckey - ``` - The above command creates an encryption key for the bucket you want to protect. - Once the key is created, you can tell Ozone to use that key when you are - reading and writing data into a bucket. +### Creating an Encryption Key - * Assign the encryption key to a bucket. +Use the `hadoop key create` command to create an encryption key in the configured KMS: - ```bash - ozone sh bucket create -k enckey /vol/encryptedbucket - ``` +```shell + hadoop key create <key_name> [-size <key_bit_length>] [-cipher <cipher_suite>] [-description <description>] +``` + +* `<key_name>`: The name of the encryption key. +* **`-size <key_bit_length>` (Optional):** Specifies the key bit length. Ozone supports **128** (default) and **256** bits. +* **`-cipher <cipher_suite>` (Optional):** Specifies the cipher suite. Currently, only **`AES/CTR/NoPadding`** (the default) is supported. +* `-description <description>` (Optional): A description for the key. + +For example: + +```shell + hadoop key create enckey -size 256 -cipher AES/CTR/NoPadding -description "Encryption key for my_bucket" +``` + +### Creating an Encrypted Bucket + +Use the Ozone shell `ozone sh bucket create` command with the `-k` (or `--key`) option to specify the encryption key: + +```shell + ozone sh bucket create --key <key_name> /<volume_name>/<bucket_name> +``` + +For example: + +```shell + ozone sh bucket create --key enckey /vol1/encrypted_bucket +``` -After this command, all data written to the _encryptedbucket_ will be encrypted -via the enckey and while reading the clients will talk to Key Management -Server and read the key and decrypt it. In other words, the data stored -inside Ozone is always encrypted. The fact that data is encrypted at rest -will be completely transparent to the clients and end users. +Now, all data written to `/vol1/encrypted_bucket` will be encrypted. Review Comment: ```suggestion Now, all data written to `/vol1/encrypted_bucket` will be encrypted at rest. As long as the client is configured correctly to use the key, such encryption is completely transperent to the end users. ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
