vivekratnavel commented on a change in pull request #2504:
URL: https://github.com/apache/ozone/pull/2504#discussion_r686323783
##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to
Key Management
Server and read the key and decrypt it. In other words, the data stored
inside Ozone is always encrypted. The fact that data is encrypted at rest
will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /s3v/encryptedBucket
+ ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /vol/encryptedBucket
+ ozone sh bucket link /vol/encryptedBucket /s3v/linkencryptedbucket
+ ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user,
+while in secure mode the user in Kerberos keytab is the proxy user.
Review comment:
Yes, Bharat. I don't have a strong opinion here. Since keytab is used
only for the first time and only access key and secret key will be used to
access the S3G, I used "accessing the S3G".
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
