debuglevel
diff --git a/‎docs/big-data-cluster/cluster-manage-notebooks.md‎
Lines changed: 13 additions & 2 deletions b/‎docs/big-data-cluster/cluster-manage-notebooks.md‎
Lines changed: 13 additions & 2 deletions
diff --git a/‎docs/big-data-cluster/encryption-at-rest-concepts-and-configuration.md‎
Lines changed: 37 additions & 21 deletions b/‎docs/big-data-cluster/encryption-at-rest-concepts-and-configuration.md‎
Lines changed: 37 additions & 21 deletions
diff --git a/‎docs/big-data-cluster/encryption-at-rest-hdfs-encryption-zones.md‎
Lines changed: 60 additions & 17 deletions b/‎docs/big-data-cluster/encryption-at-rest-hdfs-encryption-zones.md‎
Lines changed: 60 additions & 17 deletions
diff --git a/‎docs/big-data-cluster/encryption-at-rest-sql-server-tde.md‎
Lines changed: 0 additions & 2 deletions b/‎docs/big-data-cluster/encryption-at-rest-sql-server-tde.md‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎docs/big-data-cluster/release-notes-big-data-cluster.md‎
Lines changed: 10 additions & 4 deletions b/‎docs/big-data-cluster/release-notes-big-data-cluster.md‎
Lines changed: 10 additions & 4 deletions
@@ -26,7 +26,7 @@ Once all dependencies are installed, but **Run all cells** fails, each notebook
 This section contains a set of notebooks useful for installing and uninstalling command-line tools and packages needed to manage SQL Server Big Data Clusters.
 
 |Name |Description |
-|---|---|---|---|
+|---|---|
 |SOP010 - Upgrade a big data cluster|Use this notebook to upgrade a Big Data Cluster using azdata. |
 |SOP012 - Install unixodbc for Mac|Use this notebook when getting errors while using brew install the odbc for SQL Server.|
 |SOP036 - Install kubectl command-line interface|Use this notebook to install kubectl command-line interface regardless your OS.|
@@ -44,13 +44,24 @@ This section contains a set of notebooks useful for installing and uninstalling
 |SOP064 - Uninstall azdata CLI (using package manager)|Use this notebook to uninstall azdata CLI (using package manager).|
 |SOP069 - Install ODBC for SQL Server|Use this notebook to install ODBC driver since some subcommands in azdata require the SQL Server ODBC driver.|
 
+## Encryption at Rest utilities on Big Data Cluster (BDC)
+
+This section contains a set of notebooks useful for managing Encryption at Rest features on BDC.
+
+|Name |Description |
+|---|---|
+|SOP0124 - List Keys for Encryption at Rest|Use this notebook list all HDFS keys.|
+|SOP0128 - Enable HDFS Encryption zones in Big Data Clusters|Use this notebook to enable HDFS Encryption Zones when upgrading to CU8 from CU6 or previous. Not required on new deployments of CU8+ or when upgrading to CU9.|
+|SOP0125 - Delete Key For Encryption at Rest|Use this notebook to delete HDFS encryption zone keys. __Caution!__|
+|SOP0126 - Backup Keys For Encryption at Rest|Use this notebook to backup HDFS encryption zone keys.|
+|SOP0127 - Restore Keys For Encryption at Rest|Use this notebook to restore HDFS encryption zone keys.|
 
 ## Managing Certificates on Big Data Clusters (BDC)
 
 A set of notebooks to run a notebook for managing Certificates on Big Data Clusters.
 
 |Name |Description |
-|---|---|---|---|
+|---|---|
 |CER001 - Generate a Root CA certificate|Generate a Root CA certificate. Consider using one Root CA certificate for all non-production clusters in each environment, as this technique reduces the number of Root CA certificates that need to be uploaded to clients connecting to these clusters. |
 |CER002 - Download existing Root CA certificate|Use this notebook to download a generated Root CA certificate from a cluster.|
 |CER003 - Upload existing Root CA certificate|CER003 - Upload existing Root CA certificate.|
 
@@ -24,9 +24,9 @@ SQL Server Big Data Clusters stores data in the following two locations:
 To be able to transparently encrypt data in SQL Server Big Data Clusters, there are two possible approaches:
 
 * __Volume encryption__. This approach is supported by the Kubernetes platform and is expected as a best practice for Big Data Clusters deployments. This guide does not cover volume encryption. Consult your Kubernetes platform or appliance documentation for guides on how to properly encrypt volumes that will be used for SQL Server Big Data Clusters.
-* __Application level encryption__. This architecture refers to the encryption of data by the application handling the data before it is written to disk. In case the volumes are exposed, an attacker wouldn’t be able to restore data artifacts elsewhere, unless the destination system also has been configured with the same encryption keys. 
+* __Application level encryption__. This architecture refers to the encryption of data by the application handling the data before it is written to disk. In case the volumes are exposed, an attacker wouldn’t be able to restore data artifacts elsewhere, unless the destination system also has been configured with the same encryption keys.
 
-The Encryption at Rest feature set of SQL Server Big Data Clusters supports the core scenario of application level encryption for the SQL Server and HDFS components.
+The __Encryption at Rest feature set of SQL Server Big Data Clusters__ supports the core scenario of __application level encryption__ for the __SQL Server__ and __HDFS__ components.
 
 The following capabilities are provided:
 
@@ -43,9 +43,6 @@ A Controller hosted service responsible for managing keys and certificates for t
 * Hadoop KMS compatibility. It acts as the key management service for HDFS component on BDC.
 * SQL Server TDE certificate management.
 
-The following feature is not supported at this time:
-* *Keys Versioning support*. 
-
 We will reference this service as __BDC KMS__ throughout the rest of this document. Also the term __BDC__ is used to refer to the __SQL Server Big Data Clusters__ computing platform.
 
 ### System-managed keys and certificates
@@ -60,9 +57,9 @@ User provided keys and certificates to be managed by BDC KMS, commonly known as
 
 External key solutions compatible with BDC KMS for external delegation. This capability isn't supported at this time.
 
-## Encryption at rest on SQL Server Big Data Clusters CU8
+## Encryption at rest on SQL Server Big Data Clusters
 
-SQL Server Big Data Clusters CU8 is the initial release of the Encryption at rest feature set. Read this document carefully to completely assess your scenario.
+Read this document carefully to completely assess your scenario.
 
 The feature set introduces the __BDC KMS controller service__ to provide system-managed keys and certificates for data encryption at rest on both SQL Server and HDFS. Those keys and certificates are service-managed and this documentation provides operational guidance on how to interact with the service.
 
@@ -75,7 +72,7 @@ The feature set introduces the __BDC KMS controller service__ to provide system-
 * Master instance BDC provisioned databases and user databases won’t be encrypted automatically. DBAs may use the installed certificate to encrypt any database.
 * Compute pool and storage pool will be automatically encrypted using the system-generated certificate.
 * Data pool encryption, albeit technically possible using T-SQL `EXECUTE AT` commands, is discouraged and unsupported at this time. Using this technique to encrypt data pool databases might not be effective and encryption may not be happening at the desired state. It also creates an incompatible upgrade path towards next releases.
-* There is no certificate rotation at this time. It is supported to decrypt and then encrypt with a new certificate using T-SQL commands if not on HA deployments.
+* SQL Server key rotation is achieved using standard T-SQL administrative commands. Please read [SQL Server Big Data Clusters transparent data encryption (TDE) at rest usage guide](encryption-at-rest-sql-server-tde.md) for complete instructions.
 * Encryption monitoring happens through existing standard SQL Server DMVs for TDE.
 * It is supported to back up and restore a TDE enabled database into the cluster.
 * HA is supported. If a database on the primary instance of SQL Server is encrypted, then all secondary replica of the database will be encrypted as well.
@@ -86,12 +83,20 @@ The feature set introduces the __BDC KMS controller service__ to provide system-
 * A system-generated key will be provisioned in Hadoop KMS. The key name is `securelakekey`. On CU8 the default key is 256-bit and we support 256-bit AES encryption.
 * A default encryption zone will be provisioned using the above system-generated key on a path named `/securelake`.
 * Users can create additional keys and encryption zones using specific instructions provided in this guide. Users will be able to choose the key size of 128, 192, or 256 during key creation.
-* In place key rotation for HDFS is not possible in CU8. As an alternative, the data can be moved from one encryption zone to another using distcp.
+* HDFS Encryption Zones key rotation is achieved using azdata. Please read [SQL Server Big Data Clusters HDFS Encryption Zones usage guide](encryption-at-rest-hdfs-encryption-zones.md) for complete instructions.
 * It's not supported to perform HDFS Tiering mounting on top of an encryption zone.
 
-## Configuration guide
+## Encryption at Rest Administration
+
+The following list contains the administration capabilities for Encryption at Rest
 
-SQL Server Big Data Clusters encryption at rest is a service-managed feature and, depending on your deployment path, may require additional steps.
+* [SQL Server TDE](encryption-at-rest-sql-server-tde.md) management is performed using standard T-SQL commands.
+* [HDFS Encryption Zones](encryption-at-rest-hdfs-encryption-zones.md) and HDFS key management is performed using azdata commands.
+* The following administration features are performed using [Operational Notebooks](cluster-manage-notebooks.md):
+    - HDFS key backup and recover
+    - HDFS key deletion
+
+## Configuration guide
 
 During __new deployments of SQL Server Big Data Clusters__, CU8 onwards, __encryption at rest will be enabled and configured by default__. That means:
 
@@ -101,14 +106,11 @@ During __new deployments of SQL Server Big Data Clusters__, CU8 onwards, __encry
 
 Requirements and default behaviors described in the previous section apply.
 
-If __upgrading your cluster to CU8__, __read carefully the next section__.
+__If performing a new deployment of SQL Server BDC CU8 onwards or upgrading directly to CU9, no additional steps are required__.
 
-### Upgrading to CU8
+### Upgrade scenarios
 
-   > [!CAUTION]
-   > Before upgrading to SQL Server Big Data Clusters CU8 perform a complete backup of your data.
-
-On existing clusters, the upgrade process won't enforce encryption on user data and won't configure HDFS encryption zones. This behavior is by design and the following needs to be considered per component:
+On existing clusters, the upgrade process won't enforce new encryption or re-encryption on user data that was not already encrypted. This behavior is by design and the following needs to be considered per component:
 
 * __SQL Server__
 
@@ -119,17 +121,31 @@ On existing clusters, the upgrade process won't enforce encryption on user data
 * __HDFS__
 
     1. __HDFS__. The upgrade process won't touch HDFS files and folders outside encryption zones.
-    1. __Encryption Zones won't be configured__. The Hadoop KMS component won't be configured to use BDC KMS. In order to configure and enable HDFS encryption zones feature after upgrade follow the next section.
 
-### Enable HDFS encryption zones after upgrade
+### Upgrading to CU9 from CU8 or earlier
+
+No additional steps are required.
+
+### Upgrading to CU8 from CU6 or earlier
+
+   > [!CAUTION]
+   > Before upgrading to SQL Server Big Data Clusters CU8 perform a complete backup of your data.
+
+
+__Encryption Zones won't be configured__. The Hadoop KMS component won't be configured to use BDC KMS. In order to configure and enable HDFS encryption zones feature after upgrade follow instructions of the next section.
+
+#### Enable HDFS encryption zones after upgrade to CU8
+
+If you upgraded your cluster to CU8 (`azdata upgrade`) and want to enable HDFS encryption zones there are two options available:
 
-Execute the following actions if you upgraded your cluster to CU8 (`azdata upgrade`) and want to enable HDFS encryption zones.
+* Execution of the Azure Data Studio [Operational Notebook](cluster-manage-notebooks.md) named __SOP0128 - Enable HDFS Encryption zones in Big Data Clusters__ to perform the configuration.
+* Script execution as described bellow.
 
 Requirements:
 
 - [Active Directory](active-directory-prerequisites.md) integrated cluster.
 
-- [!INCLUDE [azure-data-cli-azdata](../includes/azure-data-cli-azdata.md)] configured and logged into the cluster in AD mode.
+- [!INCLUDE[azdata](../includes/azure-data-cli-azdata.md)] configured and logged into the cluster in AD mode.
 
 Follow the following procedure to reconfigure the cluster with encryption zones support.
 
 
@@ -15,49 +15,92 @@ ms.technology: big-data-cluster
 
 [!INCLUDE[SQL Server 2019](../includes/applies-to-version/sqlserver2019.md)]
 
-This guide demonstrates how to use Encryption at Rest capabilities of SQL Server Big Data Clusters to encrypt HDFS folders using Encryption Zones.
+This guide demonstrates how to use Encryption at Rest capabilities of SQL Server Big Data Clusters to encrypt HDFS folders using Encryption Zones. It also covers HDFS key management tasks.
 
-Note that there is already a default encryption zone mounted at __```/securelake```__ ready to be used. It was created with a system generated 256-bit key named __securelakekey__. This key can be used to create additional encryption zones.
+Note that there is a default encryption zone mounted at __```/securelake```__ ready to be used. It was created with a system generated 256-bit key named __securelakekey__. This key can be used to create additional encryption zones.
 
 ## <a id="prereqs"></a> Prerequisites
 
-- [SQL Server Big Data Cluster CU8+](release-notes-big-data-cluster.md) with Active Directory Integration.
+- [SQL Server Big Data Cluster CU8+](release-notes-big-data-cluster.md) with [Active Directory](active-directory-prerequisites.md) Integration.
 - User with administrative privileges.
-
-## Login into the name node
-
-Use [Active Directory connection instructions](active-directory-connect.md) to perform cluster login. Log into the namenode (nmnode-0-0) to issue key and encryption zones commands.
-
-   ```console
-   kubectl exec -it -c hadoop -n <cluster_namespace> nmnode-0-0 -- /bin/bash
-   ```
+- [!INCLUDE[azdata](../includes/azure-data-cli-azdata.md)] configured and logged into the cluster in AD mode.
 
 ## Create an encryption zone using the provided system managed key
 
 1. Create a HDFS folder
 
    ```console
-   hdfs dfs -mkdir -p /user/zone/folder
+   azdata bdc hdfs mkdir -p /user/zone/folder
    ```
 
 1. Issue the encryption zone create command to encrypt the folder using the __securelakekey__ key.
 
    ```console
-   hdfs crypto -createZone -keyName securelakekey -path /user/zone/folder
+   azdata bdc hdfs encryption-zone create --path /user/zone/folder --keyname securelakekey
    ```
 
 ## Create a custom new key and encryption zone
 
 1. Use the following pattern to create a 256-bit key.
 
    ```console
-   kinit hdfs
-   hadoop key create mydatalakekey -size 256
+   azdata bdc hdfs key create -n mydatalakekey
    ```
 
 1. Create and encrypt a new HDFS path using the user key.
 
    ```console
-   hdfs dfs -mkdir -p /user/mydatalake
-   hdfs crypto -createZone -keyName mydatalakekey -path /user/mydatalake
+   azdata bdc hdfs encryption-zone create --path /user/mydatalake --keyname mydatalakekey
+   ```
+
+## HDFS Key rotation and encryption zone re-encryption
+
+1. This creates a new version of the __securelakekey__ with new key material.
+
+   ```console
+   azdata hdfs bdc key roll -n securelakekey
+   ```
+
+1. Re-encrypt the encryption zone associated with the key above
+
+   ```console
+   azdata bdc hdfs encryption-zone reencrypt --path /securelake --action start
+   ```
+
+## HDFS Key and encryption zone monitoring
+
+1. To monitor the status of a encryption zone re-encryption 
+
+   ```console
+   azdata bdc hdfs encryption-zone status
    ```
+
+1. To get the encryption information about a file in an encryption zone
+
+   ```console
+   azdata bdc hdfs encryption-zone get-file-encryption-info --path /securelake/data.csv
+   ```
+
+1. Listing all encryption zones
+
+   ```console
+   azdata bdc hdfs encryption-zone list
+   ```
+
+1. To list all the available keys for HDFS
+
+   ```console
+   azdata bdc hdfs key list
+   ```
+
+1. In order to create a custom key for HDFS encryption. Sizes possible are 128, 192 256. Default is 256
+
+   ```console
+   azdata hdfs key create --name key1 --size 256
+   ```
+
+## Next steps
+
+Use azdata with Big Data Clusters, see [What are [!INCLUDE[big-data-clusters-2019](../includes/ssbigdataclusters-ver15.md)]?](big-data-cluster-overview.md).
+
+Use azdata with [Azure Arc enabled data services](/azure/azure-arc/data/)
@@ -21,8 +21,6 @@ Experience is in general the same as SQL Server on Linux and [standard TDE docum
 
 __Unsupported features:__
 * Data pool encryption
-* Encryption key rotation for databases in a contained availability group in an [HA deployment](deployment-high-availability.md).
-
 
 ## <a id="prereqs"></a> Prerequisites
 
 
@@ -92,8 +92,8 @@ SQL Server 2019 CU9 for SQL Server Big Data Clusters, includes important capabil
 
    Clusters using `mssql-conf` for SQL Server master instance configurations require additional steps after upgrading to CU9. Follow the instructions [here](bdc-upgrade-configuration.md).
 
-- Improved experience for encryption at rest.
-- Ability to install Python packages at Spark job submission time. 
+- Improved [!INCLUDE[azdata](../includes/azure-data-cli-azdata.md)] experience for encryption at rest.
+- Ability to dynamically install Python Spark packages using virtual environments.
 - Upgraded software versions for most of our OSS components (Grafana, Kibana, FluentBit, etc.) to ensure BDC images are up to date with the latest enhancements and fixes. See [Open-source software reference](reference-open-source-software.md).
 - Other miscellaneous improvements and bug fixes.
 
@@ -248,7 +248,7 @@ SQL Server 2019 General Distribution Release 1 (GDR1) - introduces general avail
 
 ### HA SQL Server Database Encryption key encryptor rotation
 
-- **Affected releases**: All big data cluster HA deployments irrespective of the release.
+- **Affected releases**: All version up to CU8. Resolved for CU9.
 
 - **Issue and customer impact**: With SQL Server deployed with HA, the certificate rotation for the encrypted database fails. When the following command is executed on the master pool, an error message will appear:
     ```
@@ -257,7 +257,13 @@ SQL Server 2019 General Distribution Release 1 (GDR1) - introduces general avail
     CERTIFICATE <NewCertificateName>
     ```
     There is no impact, the command fails and the target database encryption is preserved using the previous certificate.
-    
+
+### Enabling HDFS Encryption Zones support on CU8
+
+- **Affected releases**: This scenario surfaces when upgrading specifically to CU8 release from CU6 or previous. This won't happen on new deployments of CU8+ or when upgrading directly to CU9.
+
+- **Issue and customer impact**: HDFS Encryption Zones support is not enabled by default in this scenario and need to be configured using the steps provided in the [configuration guide](encryption-at-rest-concepts-and-configuration.md).
+
 ### Empty Livy jobs before you apply cumulative updates
 
 - **Affected releases**: All version up to CU6. Resolved for CU8.