Database Encryption
Prerequisites
The procedure described in this manual depends on the following requirements:
Create key for encryption
User permission
To encrypt HBase, permissions on the encryption key must be granted in Ranger KMS to the user who administers HDFS. The policy must also cover the identities that use the zone: the NameNode asks the KMS to generate encrypted data encryption keys (Generate EEK), and HDFS clients, including the HBase service, ask it to decrypt them (Decrypt EEK).
In the browser, access Ranger at http://<host>:6080.
User: keyadmin
Password: <password set in the Ranger Admin installation procedure>
In this example, we will use the user hadoop.
On the Ranger KMS dashboard, click the KMS repository kmsdev; this opens the list of policies for kmsdev.
Click to edit policy 1. On the policy page, click the + icon inside Allow Conditions and fill it out as follows:
Select Role: no change
Select Group: no change
Select User: hadoop
Permissions: Decrypt EEK, Generate EEK, Get, Get Keys, Get Metadata
Delegate Admin: checked
To test access to the KMS, run the following commands as that user; they list the keys and the key metadata if a key exists:
The test passes when neither command is denied, whether or not a key exists yet.
Create key
Still on the Ranger KMS dashboard, click Encryption and then Key Manager.
In Select Service, choose the repository kmsdev.
To create a key, click Add New Key and fill it out as follows:
Key Name: hbase
Cipher: do not change
Length: 256
Description: optional
Attributes: do not change
Click Save to create the key; the server can now use it for encryption. To verify, log on to the server as the user granted the key permissions above and run the following commands:
Create encryption zone
To encrypt the HBase data stored in HDFS, create an encryption zone. Every file written into the zone is encrypted by the HDFS client with its own data encryption key; the KMS generates that key wrapped under the zone key and unwraps it only for users the KMS policy allows, so whether a read or write succeeds depends on the user's permissions in the KMS.
An encryption zone can only be created on an empty directory. With HBase stopped, rename the HBase data directory (/apps/hbase/data becomes /apps/hbase/data-bkp) and create an empty directory with the original name.
Then run the following command to set the path /apps/hbase/data as an encryption zone:
The return should be:
To verify, run the command to list the zones:
This command should return the following message:
Where /apps/hbase/data is the encryption zone and hbase is the key.
After defining the encryption zone, copy the entire contents of /apps/hbase/data-bkp into the encryption zone /apps/hbase/data. Use a copy rather than a rename: HDFS refuses to rename files across an encryption zone boundary, and it is the copy that produces the encrypted version. Preserve ownership and permissions so HBase can still open its files. /apps/hbase/data-bkp still holds the plaintext; keep it only until the encrypted copy has been verified, then delete it.
To verify the encryption operation, start HBase and connect to the HBase Shell, then run the following file read commands:
Inside the encryption zone:
The return should be:
Outside the encryption zone:
The return should be:
To get information about the file encryption, run the following command:
The return should be:
Key rollover procedure
It is not necessary to stop services for the key rollover and re-encryption. Read the complete procedure below for more information.
Key Rollover Procedure
To change the encryption key, access the Ranger KMS dashboard and click Encryption and then Key Manager.
In Select Service, choose the repository kmsdev.
On the key used for the encryption zone, on the right side of the screen in Action, click the icon described as Rollover.
When clicking Rollover, you will need to confirm the operation in a pop-up.
After you confirm, the KMS creates a new version of the key (hbase@1 alongside hbase@0). Files already in the zone keep their encrypted data encryption keys wrapped under the previous version, which the KMS can still unwrap, so Hadoop keeps working and nothing has to be stopped; the new version is applied by the re-encryption procedure below.
To check the availability of the keys and their respective versions, run the following command:
The return should be:
In this output, note that Hadoop is still using key version hbase@0 while hbase@1 is already available in the KMS.
Re-encryption procedure
Re-encryption can be done while the system is fully operational for two reasons:
The type of encryption
HDFS implements TDE (transparent data encryption) at the file level: data is encrypted and decrypted in the HDFS client on every read and write, so HBase and other applications see plaintext and need no changes. Re-encryption does not rewrite file contents; it only re-wraps each file's encrypted data encryption key (EDEK) under the new key version.
Encryption information in the file
Each encrypted file carries its encryption information (cipher suite, EDEK, IV, key name and the key version used) as metadata on the NameNode; every encryption operation reads it from there, so re-encryption can update it file by file while the zone stays in use.
To check the file encryption information, run the following command:
The return should be:
To re-encrypt the encryption zone after the Rollover of the key, run the following commands:
To list the encryption zones:
To re-encrypt the desired zone with the new key:
The return should be a message confirming the re-encryption request:
After the request, the NameNode re-encrypts the zone's EDEKs with the latest key version from Ranger KMS.
To check the status of the re-encryption, run the following command:
The return should be a report with the status of the operation:
To verify if the encryption information has been updated in the files, run the command -getFileEncryptionInfo:
If the key change has been successfully performed, the field ezKeyVersionName will reflect the name of the new version:
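The following script is an added example written for this page; it is not part of the page's procedure, nor code from Hadoop or Ranger. It ties together three checks the page asks for: that the KMS answers a key listing for the operating user (the "User permission" test; a denial surfaces as a failed hadoop key list -metadata call), that the zone is registered with the expected key ("Create encryption zone"), and, after a rollover and re-encryption, that every file in the zone carries the latest key version in ezKeyVersionName. It shells out to the hadoop and hdfs commands used on this page and parses their text output. The sample outputs embedded in it are constructed in the Hadoop 3 CLI format for the offline test, not captured from a cluster; the host kms.example.internal, the table path under /apps/hbase/data/data and the edek/iv values are placeholders.

```python
"""Audit an HDFS encryption zone against the current Ranger KMS key version.

Added example for this page, not Hadoop or Ranger code. It drives the CLI
commands the page uses (hadoop key list -metadata, hdfs crypto -listZones,
hdfs dfs -ls -R, hdfs crypto -getFileEncryptionInfo) and parses their text
output; the sample outputs below are constructed in the Hadoop 3 CLI format
for the offline test, not captured from a cluster.
"""
import re
import subprocess
import sys

# --- constructed sample outputs (placeholder host, paths, edek and iv) ---
SAMPLE_KEY_LIST = (
    "Listing keys for KeyProvider: org.apache.hadoop.crypto.key.kms."
    "LoadBalancingKMSClientProvider: [kms://http@kms.example.internal:9292/kms]\n"
    "hbase : cipher: AES/CTR/NoPadding, length: 256, description: , "
    "created: Mon Jan 01 00:00:00 UTC 2024, version: 2, attributes: [key.acl.name=hbase]\n"
)
SAMPLE_ZONES = "/apps/hbase/data  hbase\n"
SAMPLE_LS = (
    "-rw-r--r--   3 hbase hdfs        42 2024-01-01 00:00 /apps/hbase/data/hbase.id\n"
    "drwxr-xr-x   - hbase hdfs         0 2024-01-01 00:00 /apps/hbase/data/data\n"
    "-rw-r--r--   3 hbase hdfs      4096 2024-01-01 00:00 /apps/hbase/data/data/default/t1/r1/cf/f1\n"
)
SAMPLE_INFO = {
    # already re-encrypted: EDEK wrapped under the new version hbase@1
    "/apps/hbase/data/hbase.id":
        "{cipherSuite: {name: AES/CTR/NoPadding, algorithmBlockSize: 16}, "
        "cryptoProtocolVersion: CryptoProtocolVersion{description='Encryption zones', "
        "version=2, unknownValue=null}, edek: 00, iv: 00, keyName: hbase, ezKeyVersionName: hbase@1}\n",
    # stale: EDEK still wrapped under hbase@0
    "/apps/hbase/data/data/default/t1/r1/cf/f1":
        "{cipherSuite: {name: AES/CTR/NoPadding, algorithmBlockSize: 16}, "
        "cryptoProtocolVersion: CryptoProtocolVersion{description='Encryption zones', "
        "version=2, unknownValue=null}, edek: 00, iv: 00, keyName: hbase, ezKeyVersionName: hbase@0}\n",
}

KEY_META_RE = re.compile(r"^(\S+) : cipher: ([^,]+), length: (\d+), .*?version: (\d+)", re.M)
FILE_INFO_RE = re.compile(r"keyName: ([^,}]+), ezKeyVersionName: ([^,}]+)")


def run_cli(args):
    """Run a hadoop/hdfs command and return its stdout. A KMS authorization
    failure (the 'User permission' test on this page) makes the command exit
    non-zero, which raises CalledProcessError here and aborts the audit."""
    return subprocess.run(args, check=True, capture_output=True, text=True).stdout


def fake_cli(args):
    """Stand-in for run_cli that answers from the constructed samples."""
    if args[:3] == ["hadoop", "key", "list"]:
        return SAMPLE_KEY_LIST
    if args[:3] == ["hdfs", "crypto", "-listZones"]:
        return SAMPLE_ZONES
    if args[:3] == ["hdfs", "dfs", "-ls"]:
        return SAMPLE_LS
    if args[:3] == ["hdfs", "crypto", "-getFileEncryptionInfo"]:
        return SAMPLE_INFO[args[4]]
    raise ValueError(f"unexpected command {args}")


def parse_key_metadata(text):
    """{key_name: {'cipher', 'length', 'versions'}} from `hadoop key list -metadata`."""
    return {m[1]: {"cipher": m[2], "length": int(m[3]), "versions": int(m[4])}
            for m in KEY_META_RE.finditer(text)}


def latest_version_name(key_name, versions):
    """KMS key versions are numbered from 0, so a key with N versions has the
    latest version <key>@<N-1>; after one rollover of hbase that is hbase@1."""
    return f"{key_name}@{versions - 1}"


def parse_zones(text):
    """{zone_path: key_name} from `hdfs crypto -listZones`."""
    zones = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].startswith("/"):
            zones[parts[0]] = parts[1]
    return zones


def list_files(text):
    """File paths (directories excluded) from `hdfs dfs -ls -R`; assumes no spaces in paths."""
    return [line.split()[-1] for line in text.splitlines() if line.startswith("-")]


def parse_file_encryption_info(text):
    """(key_name, ezKeyVersionName) from `-getFileEncryptionInfo`, or None when
    the path is outside any encryption zone and no encryption info is printed."""
    m = FILE_INFO_RE.search(text)
    return (m[1].strip(), m[2].strip()) if m else None


def audit_zone(zone, run=run_cli):
    """Report files in `zone` whose EDEK is not wrapped under the latest key version."""
    zones = parse_zones(run(["hdfs", "crypto", "-listZones"]))
    if zone not in zones:
        raise ValueError(f"{zone} is not an encryption zone")
    key = zones[zone]
    meta = parse_key_metadata(run(["hadoop", "key", "list", "-metadata"]))
    expected = latest_version_name(key, meta[key]["versions"])
    stale, unencrypted = [], []
    for path in list_files(run(["hdfs", "dfs", "-ls", "-R", zone])):
        info = parse_file_encryption_info(
            run(["hdfs", "crypto", "-getFileEncryptionInfo", "-path", path]))
        if info is None:
            unencrypted.append(path)
        elif info[1] != expected:
            stale.append(path)
    return {"key": key, "expected_version": expected, "stale": stale, "unencrypted": unencrypted}


if __name__ == "__main__":
    print(audit_zone(sys.argv[1] if len(sys.argv) > 1 else "/apps/hbase/data"))
```

Run it as the user who was granted the KMS permissions; any file listed under "stale" still references the previous key version and any under "unencrypted" has no encryption info at all. The re-encryption status report described above tells you when the NameNode has finished; this script confirms the end state file by file, which costs one NameNode call per file and is only practical for zones of modest size.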