Currently Ozone stores data unencrypted on the datanodes. This ticket is opened to add TDE (Transparent Data Encryption) support to Ozone, so that use cases which require protection of sensitive data at rest can be met.
The table below summarizes the comparison of HDFS TDE and Ozone TDE:
||HDFS TDE||Ozone TDE||
|Encryption zone created at directory level. All files created within the encryption zone will be encrypted.|Encryption enabled at bucket level. All objects created within the encrypted bucket will be encrypted.|
|Encryption zone created with ZK (Zone Key)|Encrypted bucket created with BEK (Bucket Encryption Key)|
|Per File Encryption|Per Object Encryption|
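The bucket-level model in the table (one BEK per bucket, a distinct key per object) as an added Java illustration; this is not Ozone's code, and the class name, method names and the choice of AES-GCM for data with RFC 3394 key wrap for the per-object key are assumptions made here.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
// Added illustration of the table's "BEK + per-object encryption" model.
// Class and method names are hypothetical, not Ozone's own API.
public class BucketTdeExample {
    // Per-object record stored on a datanode: IV, ciphertext, object key wrapped under the BEK
    // (neither the BEK nor the plaintext object key is ever stored with the data).
    static final class EncryptedObject {
        final byte[] iv, ciphertext, wrappedObjectKey;
        EncryptedObject(byte[] iv, byte[] ct, byte[] wk) { this.iv = iv; ciphertext = ct; wrappedObjectKey = wk; }
    }
    // Key generation for both the bucket's BEK (in a real deployment held by a KMS) and per-object keys.
    static SecretKey newAesKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }
    // Object write: a fresh key per object, AES-GCM for the data, RFC 3394 key wrap of that key under the BEK.
    static EncryptedObject putObject(SecretKey bek, byte[] plaintext) throws Exception {
        SecretKey objectKey = newAesKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, objectKey, new GCMParameterSpec(128, iv));
        Cipher wrap = Cipher.getInstance("AESWrap");
        wrap.init(Cipher.WRAP_MODE, bek);
        return new EncryptedObject(iv, gcm.doFinal(plaintext), wrap.wrap(objectKey));
    }
    // Object read: unwrap the object key with the bucket's BEK, then decrypt; GCM also verifies integrity.
    static byte[] getObject(SecretKey bek, EncryptedObject obj) throws Exception {
        Cipher unwrap = Cipher.getInstance("AESWrap");
        unwrap.init(Cipher.UNWRAP_MODE, bek);
        java.security.Key objectKey = unwrap.unwrap(obj.wrappedObjectKey, "AES", Cipher.SECRET_KEY);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, objectKey, new GCMParameterSpec(128, obj.iv));
        return gcm.doFinal(obj.ciphertext);
    }
    public static void main(String[] args) throws Exception {
        SecretKey bek = newAesKey();
        byte[] data = "constructed sample object payload".getBytes("UTF-8");
        EncryptedObject a = putObject(bek, data), b = putObject(bek, data);
        System.out.println("round trip ok: " + Arrays.equals(getObject(bek, a), data));
        // Same plaintext in the same bucket yields different object keys and ciphertexts.
        System.out.println("per-object keys differ: " + !Arrays.equals(a.wrappedObjectKey, b.wrappedObjectKey));
    }
}
```

Rotating the BEK in this model only requires re-wrapping each stored object key, not re-encrypting the object data itself.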