On 2/24/2015 8:56 PM, Liu, Yi A wrote:
> The data is decrypted on client side after obtaining DEK from KMS, *not*
> decrypted by DN.

My colleague Yi is correct that data is not decrypted by the DN with one
exception: WebHDFS uses the DN as the proxy and therefore the DN does
the decryption in that case. HttpFS is recommended instead.

> Right, currently the DEK is better to be protected by HTTPS on the wire.
> If you want to confirm the file is encrypted, one way is to see the content of
> file blocks.

Another way is to use the /.reserved/raw prefix on a file. This special
prefix is only accessible by the hdfs admin. It gives the encrypted
(raw) bits of a file rather than the decrypted bits. For example, if you
have a file /ez/myfile, then /.reserved/raw/ez/myfile will yield the
encrypted bits of the file.
Charles
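
The /.reserved/raw check described above, as an added example that is not part of the original message: it reads the raw bytes of a file and compares their SHA-256 with a local copy of the plaintext that was uploaded. The function names are hypothetical; it assumes it is run as the hdfs admin with `hdfs`, `sha256sum` and `mktemp` on the PATH.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical.

# Map a normal absolute HDFS path to its raw (undecrypted) view.
raw_path() {
    case "$1" in
        /.reserved/*) echo "give the normal path, not $1" >&2; return 2 ;;
        /*)           printf '/.reserved/raw%s\n' "$1" ;;
        *)            echo "path must be absolute: $1" >&2; return 2 ;;
    esac
}

sha256_of() { sha256sum < "$1" | cut -d' ' -f1; }

# check_encrypted HDFS_PATH LOCAL_PLAINTEXT
# Returns 0 if the stored bytes differ from the plaintext, 1 if they are
# identical, 2 on bad arguments, 3 if the raw read fails.
check_encrypted() {
    raw=$(raw_path "$1") || return 2
    # An empty file reads the same either way, so it proves nothing.
    [ -s "$2" ] || { echo "need a non-empty local plaintext: $2" >&2; return 2; }
    tmp=$(mktemp) || return 3
    # The raw read never returns decrypted data, so $tmp holds no plaintext
    # unless the file was never encrypted in the first place.
    if ! hdfs dfs -cat "$raw" > "$tmp"; then
        echo "raw read failed for $raw (are you the hdfs admin?)" >&2
        rm -f "$tmp"; return 3
    fi
    h_raw=$(sha256_of "$tmp"); rm -f "$tmp"
    h_local=$(sha256_of "$2")
    if [ "$h_raw" = "$h_local" ]; then
        echo "WARNING: $1 is stored as plaintext (raw bytes match $2)"
        return 1
    fi
    echo "OK: raw bytes of $1 differ from the plaintext"
    return 0
}
```

Usage: `check_encrypted /ez/myfile ./myfile.orig`. Because only the raw view is read, the account running the check needs no access to the KMS.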