Apache Ozone / HDDS-1041

Support TDE(Transparent Data Encryption) for Ozone


Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.4.0
    • Component/s: Security
    • Labels: None

    Description

      Currently Ozone stores data unencrypted on the datanode. This ticket is opened to add TDE (Transparent Data Encryption) to Ozone, to meet the requirements of use cases that need protection of sensitive data at rest.

      The table below summarizes the comparison of HDFS TDE and Ozone TDE:

      Scope of encryption
        • HDFS: Encryption zone created at directory level. All files created within the encryption zone will be encrypted.
        • Ozone: Encryption enabled at bucket level. All objects created within the encrypted bucket will be encrypted.

      Zone / bucket key
        • HDFS: Encryption zone created with ZK (Zone Key).
        • Ozone: Encrypted bucket created with BEK (Bucket Encryption Key).

      Per-file / per-object encryption
        • HDFS: File encrypted with DEK (Data Encryption Key); the DEK is encrypted with the ZK as an EDEK by KMS and persisted as extended attributes.
        • Ozone: Object encrypted with DEK (Data Encryption Key); the DEK is encrypted with the BEK as an EDEK by KMS and persisted as object metadata.
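      The Ozone column above describes a per-object envelope scheme. The following is an added example (not Ozone's own code) that models it with a constructed KMS holding one BEK per bucket, a fresh DEK per object, and the EDEK persisted as object metadata; because the Python standard library has no AES, an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for AES-GCM, and the bucket names and object layout are assumptions.

```python
"""Constructed demo of the Ozone TDE key hierarchy: the KMS holds one BEK per
bucket, each object gets its own DEK, and only the EDEK (the DEK wrapped under
the BEK) is persisted beside the ciphertext. The HMAC cipher stands in for AES-GCM."""
import hashlib, hmac, os, struct

NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(key):
    # Separate encryption and MAC keys derived from one key (domain separation).
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(enc_key, nonce, data):
    stream = b"".join(hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_(key, sealed):
    """Checks the tag first: a wrong key or tampering raises instead of returning garbage."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return _xor_stream(enc_key, nonce, ct)

class KMS:
    """The only component that ever holds a BEK; OM and datanodes see EDEKs only."""
    def __init__(self, *buckets):
        self._bek = {b: os.urandom(32) for b in buckets}   # constructed per-bucket BEKs
    def generate_edek(self, bucket):
        dek = os.urandom(32)                      # fresh DEK for this one object
        return dek, seal(self._bek[bucket], dek)  # EDEK = DEK wrapped under the BEK
    def decrypt_edek(self, bucket, edek):
        return open_(self._bek[bucket], edek)

def put_object(kms, bucket, plaintext):
    """Write path: the DEK is used once and dropped; only the EDEK is persisted."""
    dek, edek = kms.generate_edek(bucket)
    return {"data": seal(dek, plaintext), "metadata": {"edek": edek}}

def get_object(kms, bucket, obj):
    # Read path: the KMS unwraps the EDEK, then the client decrypts the data.
    dek = kms.decrypt_edek(bucket, obj["metadata"]["edek"])
    return open_(dek, obj["data"])
```

      Unwrapping the EDEK with a different bucket's BEK, or flipping a ciphertext byte, fails at the tag check rather than returning garbage, which is the property an encrypted bucket relies on.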

      Attachments

        1. Ozone Encryption At-Rest - V2019.2.7.pdf (156 kB, Xiaoyu Yao)
        2. Ozone Encryption At-Rest v2019.2.1.pdf (134 kB, Xiaoyu Yao)
        3. HDDS-1041.004.patch (88 kB, Xiaoyu Yao)
        4. HDDS-1041.003.patch (88 kB, Xiaoyu Yao)
        5. HDDS-1041.002.patch (88 kB, Xiaoyu Yao)
        6. HDDS-1041.001.patch (88 kB, Xiaoyu Yao)

          People

            xyao Xiaoyu Yao
            xyao Xiaoyu Yao