Re: Key Rotation in Data-at-Rest Encryption

2015-06-14 Thread Arun Suresh
Apologies if I wasn't clear

> Is the EZ key version same as an alias for the key?

yup

> the EDEK along with the EZ key version is stored in the FileInfo

FileInfo contains both EDEK and EZ key version. The FileInfo (you can look at the *org.apache.hadoop.fs.FileEncryptionInfo* class for more info)

Re: Key Rotation in Data-at-Rest Encryption

2015-06-14 Thread Sitaraman Vilayannur
Hi Arun, Thanks for your response. Could you explain this a bit further for me? Is the EZ key version same as an alias for the key? The EDEK is stored in the extended attributes of the file and the EZkey Version is stored in the FileInfo. Why is the EZKey Version not stored in the extended attr

Re: Key Rotation in Data-at-Rest Encryption

2015-06-13 Thread Arun Suresh
Hello Sitaraman, It is the EZ key "version" that is used to generate the EDEK (and which is ultimately stored in the encrypted file's extended attributes '*raw.hdfs.crypto.encryption.info*'), not really the EZ key itself (which is stored in the director

Key Rotation in Data-at-Rest Encryption

2015-06-13 Thread Sitaraman Vilayannur
HDFSDataatRestEncryption.pdf says the following about key rotation (please see appended below at the end of the mail). If the existing files do not have their EDEKs reencrypted using the new ezkeyid, how would the existing files be decrypted? That is, where is the mapping between files and its EZKey