S3 Data Encryption at Rest¶

The Embedded MPP supports reading and writing encrypted data in S3 using server-side encryption < https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html> with S3 managed keys. For S3 server-side encryption to work, additional configuration is required:

1. At the Embedded MPP cluster

   Add the extra property hive.s3.sse.enabled=true in the values.yaml additionalConfig property of the desired catalog.

2. At Denodo

   • Add this property to hive-metastore/conf/core-site.xml

   <property>
       <name>fs.s3a.encryption.algorithm</name>
       <value>AES256</value>
   </property>
   

   • Add this property to Hadoop properties in the embedded_mpp data source, section Write settings:

   <property>
       <name>fs.s3a.encryption.algorithm</name>
       <value>AES256</value>
   </property>