Data Encryption Mapping within QDS (AWS)¶
The QDS Control Plane denotes all the components except the clusters. Understanding the Qubole Folders in the Default Location on S3 (AWS) provides the list of folders in the account’s default location into which QDS has access to write data. Here is a table that maps the different types of data encryption with QDS Control Plane and Hadoop, Hive, Presto, and Spark engines.
| Type | Filesystem | QDS Account | QDS Control Plane | Hadoop/Hive/Spark Engines | Presto Engine |
|---|---|---|---|---|---|
| Server-side Encryption | S3n | S3n | NA | SSE-S3 | NA |
| S3a | SSE-S3 (via Support) | SSE-KMS (via API) | SSE-S3, SSE-KMS, and SSE-C | NA | |
| PrestoS3Filesystem | NA | NA | NA | SSE-S3 and SSE-KMS | |
| Client-side Encryption | S3a | NA | NA | Supported only on the S3a filesystem | NA |
The expanded form of the supported encryption keys in the above table are:
- SSE-S3: Amazon S3-managed encryption keys
- SSE-KMS: Amazon S3-KMS Managed encryption keys
- SSE-C: Server-Side Encryption with Customer-Provided encryption keys
Note
The encryption keys in Presto have different configuration parameters. For more information, see catalog/hive.properties.
You can enable SSE-S3 on the QDS account only by creating a ticket with the Qubole Support.