Copy Files from/to an Encryption Zone
To copy existing files into an encryption zone, use a tool like distcp.
Note: for separation of administrative roles,
                    do not use the hdfs user to create encryption zones. Instead,
                    designate another administrative account for creating encryption keys and zones.
                    See Appendix: Creating an HDFS Admin User for
                    more information.
The files will be encrypted using a file-level key generated by the Ranger Key Management Service.
DistCp Considerations
DistCp is commonly used to replicate data between clusters for backup and
                disaster recovery purposes. This operation is typically performed by the cluster
                administrator, via an HDFS superuser account.
To retain this workflow when using HDFS encryption, a new virtual path prefix has
                been introduced, /.reserved/raw/. This virtual path gives super users
                direct access to the underlying encrypted block data in the file system, allowing
                super users to distcp data without requiring access to encryption keys.
                This also avoids the overhead of decrypting and re-encrypting data. The source and
                destination data will be byte-for-byte identical, which would not be true if the
                data were re-encrypted with a new EDEK.
| ![[Warning]](../common/images/admon/warning.png) | Warning | 
|---|---|
| When using  
 This means that if the  Recommendation: To avoid potential mishaps, first create identical encryption zones on the destination cluster. | 
Copying between encrypted and unencrypted locations
By default, distcp compares file system checksums to verify that data was
                successfully copied to the destination.
When copying between an unencrypted and encrypted location, file system checksums
                will not match because the underlying block data is different. In this case, specify
                the -skipcrccheck and -update flags to avoid verifying
                checksums.

