crypto

For more information on the crypto command-line interface, see HDFS Transparent Encryption Documentation.

The usage is as follows:

$ hdfs crypto -createZone -keyName <keyName> -path <path>
$ hdfs crypto -listZones
$ hdfs crypto -provisionTrash -path <path>
$ hdfs crypto -help <command-name>

createZone

Creates a new encryption zone.

[-createZone -keyName <keyName> -path <path>]
Arguments

path

The path of the encryption zone to create. It must be an empty directory. A trash directory is provisioned under this path.

keyName

Name of the key to use for the encryption zone. Uppercase key names are unsupported.

listZones

Lists all encryption zones. Requires superuser permissions.

[-listZones]

provisionTrash

Provision a trash directory for an encryption zone.

[-provisionTrash -path <path>]
Arguments

path

The path to the root of the encryption zone.

getFileEncryptionInfo

Gets encryption information from a file. This can be used to find whether a file is being encrypted, and the key name/key version used to encrypt it.

[-getFileEncryptionInfo -path <path>]
Arguments

path

The path of the file to get encryption information for.

reencryptZone

Re-encrypts an encryption zone by iterating through the zone and calling the KeyProvider's reencryptEncryptedKeys interface to batch-re-encrypt all files with the latest version of the encryption zone key in the key provider. Requires superuser permissions.

[-reencryptZone <action> -path <zone>]
NOTE

The re-encryption does not apply to snapshots, due to the immutable nature of snapshots.

Arguments

action

The re-encrypt action to perform. Must be either -start or -cancel.

path

The path to the root of the encryption zone.

Re-encryption is a NameNode-only operation in HDFS, so it can put intensive load on the NameNode. The following configurations can be changed to control the stress on the NameNode, depending on the throughput impact that is acceptable for the cluster.

dfs.namenode.reencrypt.batch.size

The number of EDEKs in a batch to be sent to the KMS for re-encryption. Each batch is processed while holding the name system read/write lock, with throttling happening between batches. See the configs below.

dfs.namenode.reencrypt.throttle.limit.handler.ratio

The ratio of read locks to be held during re-encryption. 1.0 means no throttling. 0.5 means re-encryption can hold the read lock for at most 50% of its total processing time. Negative values and 0 are invalid.

dfs.namenode.reencrypt.throttle.limit.updater.ratio

The ratio of write locks to be held during re-encryption. 1.0 means no throttling. 0.5 means re-encryption can hold the write lock for at most 50% of its total processing time. Negative values and 0 are invalid.

listReencryptionStatus

List re-encryption information for all encryption zones. Requires superuser permissions.

[-listReencryptionStatus]
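The following is an added example, not part of the original documentation or of Hadoop itself: a small runbook that wraps the createZone and reencryptZone subcommands above into a key-rotation workflow and checks the constraints the reference states (lowercase key names, throttle ratios in (0, 1]). HDFS_CMD and HADOOP_CMD are assumed variable names naming the CLI binaries; set both to "echo" for a dry run that prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original docs or the Hadoop project).
# Assumption: HDFS_CMD / HADOOP_CMD point at the CLI binaries; set them to
# "echo" to print the commands instead of running them.
HDFS_CMD="${HDFS_CMD:-hdfs}"
HADOOP_CMD="${HADOOP_CMD:-hadoop}"

# createZone rejects uppercase key names, so check before calling the CLI.
valid_key_name() {
  case "$1" in
    ''|*[A-Z]*) return 1 ;;
    *) return 0 ;;
  esac
}

# dfs.namenode.reencrypt.throttle.limit.*.ratio must be in (0, 1]:
# 1.0 disables throttling, 0 and negative values are invalid.
valid_throttle_ratio() {
  awk -v r="$1" 'BEGIN { exit !(r > 0 && r <= 1) }'
}

# Create a zone. The key name is validated here; the CLI itself enforces the
# "empty directory" rule and provisions the trash directory under the path.
create_zone() {
  key="$1"; path="$2"
  valid_key_name "$key" || { echo "key name must be lowercase: $key" >&2; return 1; }
  $HDFS_CMD crypto -createZone -keyName "$key" -path "$path"
}

# Rotate a zone key: roll it in the KMS so a newer key version exists, then
# ask the NameNode to re-encrypt the zone's EDEKs with that latest version.
# Snapshots are not re-encrypted, so old key versions stay referenced by them.
rotate_zone_key() {
  key="$1"; path="$2"
  valid_key_name "$key" || return 1
  $HADOOP_CMD key roll "$key" || return 1
  $HDFS_CMD crypto -reencryptZone -start -path "$path" || return 1
  # Progress is reported per zone; poll this until the zone shows as completed.
  $HDFS_CMD crypto -listReencryptionStatus
}

# After re-encryption, confirm that a file reports the new key version.
show_file_key_version() {
  $HDFS_CMD crypto -getFileEncryptionInfo -path "$1"
}
```

Run the rotation under "HDFS_CMD=echo HADOOP_CMD=echo" first to review the exact command sequence before running it against a NameNode, and lower the throttle ratios ahead of time on a busy cluster.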