[ 
https://issues.apache.org/jira/browse/HDFS-9644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15141856#comment-15141856
 ] 

Zhe Zhang commented on HDFS-9644:
---------------------------------

{code}
 For transparent encryption, we introduce a new abstraction to HDFS: the 
*encryption zone*. An encryption zone is a special directory whose contents 
will be transparently encrypted upon write and transparently decrypted upon 
read. Each encryption zone is associated with a single *encryption zone key* 
which is specified when the zone is created. Each file within an encryption 
zone has its own unique *data encryption key (DEK)*. DEKs are never handled 
directly by HDFS. Instead, HDFS only ever handles an *encrypted data encryption 
key (EDEK)*. Clients decrypt an EDEK, and then use the subsequent DEK to read 
and write data. HDFS datanodes simply see a stream of encrypted bytes.
 
+A very important use case of encryption is to "switch it on" and ensure all 
files across the entire filesystem are encrypted. To support this strong 
guarantee without losing the flexibility of using different encryption zone 
keys in different parts of the filesystem, HDFS allows *nested encryption 
zones*. After an encryption zone is created (e.g. on the root directory `/`), a 
user can create more encryption zones on its descendant directories (e.g. 
`/home/alice`) with different keys. The EDEK of a file will be generated using the 
encryption zone key from the lowest ancestor encryption zone.
{code}

I plan to add the above (second paragraph in the snippet) to 
{{TransparentEncryption.md}}. [~andrew.wang] Could you take a look? I don't 
think anywhere else in the doc needs an update -- move validity is not talked 
about anyway. Should we add a section for Trash support?

> Update encryption documentation to reflect nested EZs
> -----------------------------------------------------
>
>                 Key: HDFS-9644
>                 URL: https://issues.apache.org/jira/browse/HDFS-9644
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: documentation, encryption
>    Affects Versions: 2.7.1
>            Reporter: Zhe Zhang
>            Assignee: Zhe Zhang
>
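The "lowest ancestor encryption zone" rule from the proposed paragraph, as an added illustration (not HDFS code or part of the ticket): zones are modelled as a path-to-key-name map, and the key that would be used for a file's EDEK is found by walking up from the file to the deepest enclosing zone. The `ZONES` sample and the function names are constructed for the example.

```python
"""Model of nested HDFS encryption zones (added example, not HDFS source).

Each zone maps a directory path to its encryption zone key name. A file's
EDEK is generated from the key of its deepest (lowest) ancestor zone, so a
zone on "/" switches encryption on for everything, while a nested zone such
as /home/alice overrides the key used for that subtree.
"""
import posixpath
from typing import Dict, Optional, Tuple

# Constructed sample: "/" encrypts the whole filesystem, /home/alice nests inside it.
ZONES: Dict[str, str] = {
    "/": "cluster-root-key",
    "/home/alice": "alice-key",
}


def lowest_ancestor_zone(path: str, zones: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (zone_path, key_name) of the deepest zone containing `path`, or None.

    Walks parent directories one component at a time rather than doing a string
    prefix match, so /home/alicex/f is NOT placed in the /home/alice zone.
    """
    cur = posixpath.normpath(path)  # collapses "..", duplicate slashes
    while True:
        if cur in zones:
            return cur, zones[cur]
        if cur == "/":
            return None  # reached the root without finding a zone: cleartext file
        cur = posixpath.dirname(cur)


def edek_key_for(path: str, zones: Dict[str, str]) -> Optional[str]:
    """Name of the encryption zone key an EDEK for `path` would be generated under."""
    zone = lowest_ancestor_zone(path, zones)
    return None if zone is None else zone[1]


def all_encrypted(paths, zones: Dict[str, str]) -> bool:
    """True when every given file falls inside some zone (the 'switch it on' guarantee)."""
    return all(edek_key_for(p, zones) is not None for p in paths)


if __name__ == "__main__":
    for p in ("/home/alice/notes.txt", "/home/bob/report.csv", "/home/alicex/f"):
        print(p, "->", lowest_ancestor_zone(p, ZONES))
```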

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)