crypto
For more information on the crypto command-line interface, see HDFS Transparent Encryption Documentation.
The usage is as follows:
$ hdfs crypto -createZone -keyName <keyName> -path <path>
$ hdfs crypto -listZones
$ hdfs crypto -provisionTrash -path <path>
$ hdfs crypto -help <command-name>
createZone
Creates a new encryption zone.
[-createZone -keyName <keyName> -path <path>]
  path     The path of the encryption zone to create. It must be an empty directory. A trash directory is provisioned under this path.
  keyName  Name of the key to use for the encryption zone. Uppercase key names are unsupported.
provisionTrash
Provision a trash directory for an encryption zone.
[-provisionTrash -path <path>]
  path     The path to the root of the encryption zone.
getFileEncryptionInfo
Gets encryption information from a file. This can be used to find out whether a file is encrypted, and the key name and key version used to encrypt it.
[-getFileEncryptionInfo -path <path>]
  path     The path of the file to get encryption information for.
reencryptZone
Re-encrypts an encryption zone by iterating through the zone and calling the KeyProvider's reencryptEncryptedKeys interface to batch-re-encrypt the EDEKs of all files with the latest version of the encryption zone key in the key provider.
Requires superuser permissions.
[-reencryptZone <action> -path <zone>]
NOTE: Re-encryption does not apply to snapshots, due to their immutable nature.
  action   The re-encrypt action to perform. Must be either
  path     The path to the root of the encryption zone.
Re-encryption is a NameNode-only operation in HDFS, so it can put intensive load on the NameNode. The following configuration properties can be changed to control the stress on the NameNode, depending on the throughput impact acceptable to the cluster.
  dfs.namenode.reencrypt.batch.size                    The number of EDEKs in a batch to be sent to the KMS for re-encryption. Each batch is processed while holding the name system read/write lock, with throttling happening between batches. See the configs below.
  dfs.namenode.reencrypt.throttle.limit.handler.ratio  The ratio of read locks to be held during re-encryption.
  dfs.namenode.reencrypt.throttle.limit.updater.ratio  The ratio of write locks to be held during re-encryption.
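As an added example (not part of the HDFS documentation or the Hadoop code base), the following Python ties getFileEncryptionInfo to reencryptZone: after a re-encryption run, it checks which files still reference an older zone key version, which is the verification a practitioner wants before declaring a key rotation complete. The output field layout it parses is an assumption modelled on FileEncryptionInfo's string form, and the paths, key name, versions and edek/iv values are constructed samples.

```python
import re

# Constructed sample of what `hdfs crypto -getFileEncryptionInfo -path <file>` prints,
# keyed by path. The field layout is an assumption modelled on FileEncryptionInfo's
# toString(); the edek/iv hex values are shortened placeholders, not real output.
SAMPLE_OUTPUT = {
    "/zone/a.txt": "{cipherSuite: {name: AES/CTR/NoPadding, algorithmBlockSize: 16}, "
                   "cryptoProtocolVersion: CryptoProtocolVersion{description='Encryption zones', "
                   "version=2, unknownValue=null}, edek: 0a1b, iv: 2c3d, "
                   "keyName: zonekey, ezKeyVersionName: zonekey@1}",
    "/zone/b.txt": "{cipherSuite: {name: AES/CTR/NoPadding, algorithmBlockSize: 16}, "
                   "cryptoProtocolVersion: CryptoProtocolVersion{description='Encryption zones', "
                   "version=2, unknownValue=null}, edek: 4e5f, iv: 6a7b, "
                   "keyName: zonekey, ezKeyVersionName: zonekey@0}",
}

FLAT_FIELDS = ("edek", "iv", "keyName", "ezKeyVersionName")


def parse_file_encryption_info(text):
    """Extract the top-level `name: value` fields from one getFileEncryptionInfo line.
    Values inside the nested cipherSuite/cryptoProtocolVersion braces are skipped."""
    fields = {}
    for name in FLAT_FIELDS:
        match = re.search(r"(?:^|[{,] *)%s: ([^,}]+)" % name, text)
        if match:
            fields[name] = match.group(1).strip()
    return fields


def key_version_number(ez_key_version_name):
    """Split a KMS key version name; KeyProvider formats them as '<keyName>@<n>'."""
    key, _, version = ez_key_version_name.rpartition("@")
    return key, int(version)


def stale_files(outputs, zone_key, latest_version):
    """Return (path, ezKeyVersionName) for files whose EDEK is still wrapped with a
    key other than zone_key at version latest_version or newer. Files under a
    .snapshot directory are expected here by design: snapshots are not re-encrypted."""
    stale = []
    for path, text in outputs.items():
        info = parse_file_encryption_info(text)
        key, version = key_version_number(info["ezKeyVersionName"])
        if key != zone_key or version < latest_version:
            stale.append((path, info["ezKeyVersionName"]))
    return sorted(stale)


if __name__ == "__main__":
    print(stale_files(SAMPLE_OUTPUT, "zonekey", 1))  # [('/zone/b.txt', 'zonekey@0')]
```

To run it against a cluster, populate the dictionary with the real CLI output for each file in the zone (for example via subprocess) and pass the zone's key name and the current version number reported by the KMS.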