How to Enable HDFS Transparent Encryption with Key Trustee Servers Set Up on the BDA on Oracle Big Data Appliance V4.5 and Higher with bdacli (Doc ID 2166648.1)

Last updated on FEBRUARY 07, 2023

Applies to:

Big Data Appliance Integrated Software - Version 4.5.0 and later
Linux x86-64

Purpose

This document details how to enable or disable HDFS Transparent Encryption, with BDA-local Key Trustee Servers set up on the Oracle Big Data Appliance (BDA) V4.5.0 cluster, using bdacli.

Scope

System administrators and ACS.

Details


In this Document
Purpose
Scope
Details
 Introductions
 Known Issues
 HDFS Transparent Encryption Frequently Asked Questions
 Do Key Trustee Servers need to be set up in HA mode? Is there any concern with setting up a Key Trustee Server in non-HA mode, i.e. with only one Active Key Trustee Server?
 Can the Key Management Service (KMS) be directly started/stopped using "bdacli enable hdfs_transparent_encryption"?
 Does enabling HDFS Transparent Encryption have an option to install KMS services on an edge node?
 "bdacli enable hdfs_transparent_encryption" will set up Key Trustee Servers on Nodes 1/2 of the BDA cluster. Is there a performance impact to that?
 Would there be less of a performance impact if Key Trustee Servers were manually installed on Nodes 3/4 of the BDA cluster?
 Is it ok to manually install the Key Trustee Servers on Nodes 3/4 if that is preferred?
 Are any manual installations of Key Trustee Servers managed by Mammoth?
 What are the recommendations on backing up Key Trustee Servers?
 Is it a good recommendation to place the Key Trustee Servers off the BDA?
 Is it possible to implement BDR between two different BDA clusters where HDFS Transparent Encryption is enabled?
 Enabling HDFS Transparent Encryption
 Prerequisites
 Prerequisites - General
 Prerequisites for HDFS Transparent Encryption
 Prerequisites for Key Trustee Server setup if not selecting Mammoth installed BDA-local Key Trustee Servers
 Prerequisites for passwords
 Prerequisites for cluster health
 Enable HDFS Transparent Encryption with bdacli
 Post BDA V4.5 HDFS Transparent Encryption enable steps
 bdacli getinfo checks
 Verify the Key Trustee KMS service and Key Trustee Servers are present in Cloudera Manager
 Verify MD5 hash of the private GPG keys on each Key Trustee KMS host is identical
 Troubleshooting HDFS Transparent Encryption enable
 Disabling HDFS Transparent Encryption
 Disable HDFS Transparent Encryption with bdacli
 Post BDA V4.5 HDFS Transparent Encryption disable steps
References
