Setting Up Data at Rest Encryption for HDFS

This section describes how to enable end-to-end data encryption to and from HDFS using Ranger KMS. Ranger KMS has two deployment models, depending on your organization's requirements for the separation of duties. Cloudera recommends configuring High Availability (HA) so that data is always available. To learn more about Ranger KMS, see Ranger KMS overview.

Depending on your encryption key root trustee requirements, you can enable HDFS encryption as follows:

  • Ranger Key Management Service Collocated with Data Cluster, which sources the encryption zone keys from a backing database.
  • Ranger Key Management Service Federated Deployment, which has a dedicated security cluster, separated from the data cluster.