How to Enable HDFS Transparent Encryption with Key Trustee Servers Set Up off the BDA on Oracle Big Data Appliance V4.4 and Higher with bdacli (Doc ID 2111343.1)

Last updated on DECEMBER 04, 2018

Applies to:

Big Data Appliance Integrated Software - Version 4.4.0 and later
Linux x86-64

Purpose

The document details how to enable/disable HDFS Transparent Encryption on Oracle Big Data Appliance (BDA) V4.4.0 and higher using bdacli when the Key Trustee Servers are set up off the BDA.

Carefully review the Cloudera documentation on Managing Encryption Keys and Zones. Note that if you disable HDFS Transparent Encryption, you will not be able to access data in encryption zones.

This note is for enabling/disabling HDFS Transparent Encryption for the first time. It is not for upgrading an existing implementation.

Note: This note is based on an example from a BDA V4.4 environment.

Scope

System administrators and ACS.

Details


In this Document
Purpose
Scope
Details
 Known Issues
 Frequently Asked Questions
 Can the Key Management Service (KMS) be directly started/stopped using "bdacli enable hdfs_transparent_encryption"?
 Do Key Trustee Servers need to be set up in HA mode? Is there any concern with setting up a Key Trustee Server in non-HA mode, i.e. having only one Active Key Trustee Server?
 Enabling HDFS Transparent Encryption
 Prerequisites
 Prerequisites - General
 Prerequisites for HDFS Transparent Encryption
 Prerequisites for Key Trustee Server setup
 Prerequisites for passwords
 Prerequisites for BDA V4.4 with CDH 5.5.2
 Prerequisites for cluster health
 Enable HDFS Transparent Encryption with bdacli
 Post BDA V4.4 HDFS Transparent Encryption enable steps
 bdacli getinfo checks
 Verify the keytrustee service is present in Cloudera Manager
 Verify the Keytrustee KMS Load Balancer configuration property is empty
 Verify MD5 hash of the private GPG keys on each Key Trustee KMS host is identical
 Create Encryption Zones on HDFS
 Disabling HDFS Transparent Encryption
 Disable HDFS Transparent Encryption with bdacli
 Post BDA V4.4 HDFS Transparent Encryption disable steps
References