[ https://issues.apache.org/jira/browse/HDDS-1041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16760062#comment-16760062 ]

Wei-Chiu Chuang commented on HDDS-1041:
---------------------------------------

+1, the design looks reasonable to me, and it looks like the KMS server doesn't 
require modification (or very little).

Don't know much about the client side, but the design looks good to me.

On an unrelated note, does Ozone support accessing the raw data? Like the 
/.reserved/raw directory in HDFS. We've seen some use cases that require 
accessing the raw data. Not sure if those use cases are applicable to Ozone, 
but thought I should bring it up.

> Support TDE(Transparent Data Encryption) for Ozone
> --------------------------------------------------
>
>                 Key: HDDS-1041
>                 URL: https://issues.apache.org/jira/browse/HDDS-1041
>             Project: Hadoop Distributed Data Store
>          Issue Type: New Feature
>          Components: Security
>            Reporter: Xiaoyu Yao
>            Assignee: Xiaoyu Yao
>            Priority: Major
>         Attachments: Ozone Encryption At-Rest v2019.2.1.pdf
>
>
> Currently Ozone saves data unencrypted on the datanode; this ticket is opened to 
> support TDE (Transparent Data Encryption) for Ozone to meet the requirement of 
> use cases that need protection of sensitive data.
> The table below summarizes the comparison of HDFS TDE and Ozone TDE:
>
> |*HDFS*|*Ozone*|
> |Encryption zone created at directory level. All files created within the encryption zone will be encrypted.|Encryption enabled at bucket level. All objects created within the encrypted bucket will be encrypted.|
> |Encryption zone created with ZK (Zone Key).|Encrypted bucket created with BEK (Bucket Encryption Key).|
> |Per-file encryption: file encrypted with DEK (Data Encryption Key); DEK is encrypted with ZK as EDEK by KMS and persisted as extended attributes.|Per-object encryption: object encrypted with DEK (Data Encryption Key); DEK is encrypted with BEK as EDEK by KMS and persisted as object metadata.|



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
