[jira] [Commented] (HDFS-6134) Transparent data at rest encryption

Mon, 23 Jun 2014 16:04:24 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-6134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14041449#comment-14041449
 ] 

Sanjay Radia commented on HDFS-6134:
------------------------------------

bq. Vanilla distcp will just work with transparent encryption. Data will be 
decrypted on read and encrypted on write, assuming both source and target are 
in encrypted zones. ...The proposal on changing distcp is to enable a second 
use used case.
Alejandro, Aaron  the  general practice is not to give the admins running 
distcp  access to keys. Hence, as you suggest, we could change distcp so that 
it does not use transparent decryption  by default; however, there may be other 
such backup tools and applications that  customers and other vendors may have 
written and we would be breaking them. This may also break the HAR filesystem.

Aaron, you took on a very strong position that  transparent 
decryption/reencryption is "is exactly what one wants". I am missing this - 
what are the use cases for distcp  where one wants transparent 
decryption/reencryption?

> Transparent data at rest encryption
> -----------------------------------
>
>                 Key: HDFS-6134
>                 URL: https://issues.apache.org/jira/browse/HDFS-6134
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 2.3.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: HDFSDataatRestEncryptionProposal_obsolete.pdf, 
> HDFSEncryptionConceptualDesignProposal-2014-06-20.pdf
>
>
> Because of privacy and security regulations, for many industries, sensitive 
> data at rest must be in encrypted form. For example: the health­care industry 
> (HIPAA regulations), the card payment industry (PCI DSS regulations) or the 
> US government (FISMA regulations).
> This JIRA aims to provide a mechanism to encrypt HDFS data at rest that can 
> be used transparently by any application accessing HDFS via Hadoop Filesystem 
> Java API, Hadoop libhdfs C library, or WebHDFS REST API.
> The resulting implementation should be able to be used in compliance with 
> different regulation requirements.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to