key

Manages keys via the KeyProvider.
For more details on KeyProviders, see the Transparent Encryption Guide.

Providers frequently require a password or other secret.
If a provider requires a password and is unable to find one, it uses a default password and emits a warning message that the default password is being used.

If the strict flag is provided, the warning message becomes an error and the command returns immediately with an error status.

NOTE
  • Some KeyProviders (for example, org.apache.hadoop.crypto.key.JavaKeyStoreProvider) don’t support uppercase key names.

  • Some KeyProviders don’t delete a key immediately (for example, they perform a soft delete or delay the actual deletion to guard against mistakes). In such cases, one may encounter errors when creating or deleting a key with the same name after deleting it. Check the underlying KeyProvider for details.

The usage is as follows:

$ hadoop key <args> [options]

Arguments

create <keyname> [-cipher cipher] [-size size] [-description description] [-attr attribute=value] [-provider provider] [-strict] [-help]

Creates a new key for the name specified by the <keyname> argument within the provider specified by provider.

The strict flag causes the command to fail if the provider uses a default password.
You can specify a cipher with the cipher argument.
The default cipher is currently AES/CTR/NoPadding.
The default keysize is 128.

You may specify the required key length using the size argument.
Arbitrary attributes attribute=value may be specified using the attr argument.
The attr argument may be specified multiple times, once per attribute.

roll <keyname> [-provider provider] [-strict] [-help]

Creates a new version for the specified key within the provider indicated using the provider argument.
The strict flag causes the command to fail if the provider uses a default password.

delete <keyname> [-provider provider] [-strict] [-f] [-help]

Deletes all versions of the key specified by the <keyname> argument from within the provider specified by provider.
The strict flag causes the command to fail if the provider uses a default password.
The command asks for user confirmation unless -f is specified.

list [-provider provider] [-strict] [-metadata] [-help]

Displays the key names contained within a particular provider as configured in core-site.xml or specified with the provider argument.
The strict flag causes the command to fail if the provider uses a default password.
The metadata argument displays the metadata.

check <keyname> [-provider provider] [-strict] [-help]

Checks the password for the <keyname> key contained within a particular provider as configured in core-site.xml or specified with the provider argument.
The strict flag causes the command to fail if the provider uses a default password.

help

Prints the command usage details.
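
The strict flag and the uppercase-name note above matter most in unattended provisioning, where a warning about a default password is easy to miss. The following wrapper is an added example, not part of the Hadoop documentation: the function names are hypothetical, the 256-bit size is this example's choice, and the provider URI is supplied by the caller.

```shell
# Added example: always run `hadoop key create` / `roll` with -strict.
# Uses only options documented above: -size, -provider, -strict.

# Some providers (for example JavaKeyStoreProvider) don't support uppercase
# key names, so reject them before the provider is contacted.
valid_key_name() {
    case "$1" in
        "" | *[[:upper:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Run one `hadoop key` subcommand with -strict appended, so a provider that
# falls back to its default password gives an error status, not a warning.
# usage: _strict_key <create|roll> <keyname> <provider-uri> [extra options...]
_strict_key() {
    _sub=$1 _name=$2 _provider=$3
    shift 3
    if ! valid_key_name "$_name"; then
        echo "rejected key name '$_name' (empty or contains uppercase)" >&2
        return 2
    fi
    if [ -z "$_provider" ]; then
        echo "this wrapper requires an explicit provider URI" >&2
        return 2
    fi
    if ! hadoop key "$_sub" "$_name" "$@" -provider "$_provider" -strict; then
        echo "hadoop key $_sub '$_name' failed (with -strict this includes default-password use)" >&2
        return 1
    fi
}

# usage: create_key_strict <keyname> <provider-uri> [size]
# 256 is this example's choice; the command's own default key size is 128.
create_key_strict() {
    _strict_key create "$1" "$2" -size "${3:-256}"
}

# usage: roll_key_strict <keyname> <provider-uri>
roll_key_strict() {
    _strict_key roll "$1" "$2"
}
```

Exit status 2 means the wrapper refused the request before calling hadoop; status 1 means the hadoop command itself returned an error.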
