Enabling HDFS Encryption Using Navigator HSM KMS Backed by Thales HSM

After enabling Kerberos and TLS/SSL on your cluster, you must install the Thales HSM client, install the Key Trustee KMS binary, and then add the Navigator HSM KMS backed by Thales HSM service. The order matters: the HSM KMS service cannot be added until the Thales client is present on the host, and the KMS itself is only as trustworthy as the Kerberos and TLS setup that protects the key requests reaching it.

  1. Enable Kerberos.
    Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
  2. Enable TLS/SSL.
    Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
  3. Install the Thales HSM Client.
    Before installing the Navigator HSM KMS backed by Thales HSM, you must install the Thales HSM client on the host. Attempts to install the HSM KMS service before installing the Thales HSM client will fail.
    For details about how to install the Thales HSM client, refer to the Thales HSM product documentation.
  4. Install Key Trustee KMS binary using parcels.
    Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
    This step completes automatically when you download the parcel. If the step is incomplete for any reason (such as the wizard being interrupted or a failure installing the parcel), complete it manually:
    1. Click Install Key Trustee KMS binary using parcels.
    2. Select the KEYTRUSTEE parcel to install Key Trustee KMS, or select None if you need to install Key Trustee KMS manually using packages.
      If you do not see a parcel available, click More Options and add the repository URL to the Remote Parcel Repository URLs list. After selecting a parcel, click Continue.
    3. After the KEYTRUSTEE parcel is successfully downloaded, distributed, unpacked, and activated, click Finish to complete this step and return to the main page of the wizard.
  5. Add the HSM KMS backed by Thales Service.
    1. Click Add Navigator HSM KMS Services backed by Thales HSM.
    2. In the Thales HSM KMS Proxy field, select the hosts to which you want to assign a new or existing role. Click OK, and then click Continue.
    3. To set up the ACL for the cluster, specify a comma-separated list of users and groups, and then click Generate ACLs. The principals you list here are written into the generated KMS ACLs as the users allowed to administer keys, so keep the list to the accounts that genuinely need to create and manage encryption zone keys.
      Click Continue.
    4. Click Continue.
    5. Review your selections and specify the following:
      • Thales HSM Password

        Contact your HSM administrator for the Thales HSM password.

      • Keystore Password
      Click Continue.
    6. Upon notification that you have successfully added the Thales KMS Service, click Continue and Finish.
  6. Restart stale services and redeploy client configuration.
    Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
    This step restarts all services that were modified while enabling HDFS encryption.

    To complete this step:

    1. Click Restart stale services and redeploy client configuration.
    2. Click Restart Stale Services.
    3. Ensure that Re-deploy client configuration is checked, and click Restart Now.
    4. After all commands have completed, click Finish.
  7. Validate Data Encryption.
    Minimum Required Role: Key Administrator or Cluster Administrator
    This step launches a Validate Data Encryption tutorial with instructions describing how to create an encryption zone and place data into it to verify that HDFS encryption is enabled and working.
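The following shell script is an added example and is not part of the Cloudera or Thales documentation. It gives a scripted form of the precondition in step 3 (the Thales client must already be on the host) and of the validation in step 7 (create a key, create an encryption zone, write a file, confirm the zone and the file metadata reference the key). It assumes the Thales nShield client is installed under NFAST_HOME (default /opt/nfast, the vendor's usual install root), that the hadoop and hdfs commands are on PATH on a cluster gateway, and that the caller holds a Kerberos ticket for a user permitted by the generated KMS ACLs to create keys. The key and zone names are placeholders.

```shell
#!/bin/sh
# Added example, not from the Cloudera or Thales documentation.
# Assumptions (labelled): Thales nShield client under NFAST_HOME (default
# /opt/nfast); hadoop/hdfs on PATH; a valid Kerberos ticket for a user the
# KMS ACLs allow to create keys. Key and zone names are placeholders.

NFAST_HOME="${NFAST_HOME:-/opt/nfast}"

# Step 3 precondition: adding the HSM KMS service fails if the Thales client
# is not installed on the host. Succeeds when the client's enquiry tool is
# present and executable under the given (or default) install root.
thales_client_installed() {
    home="${1:-$NFAST_HOME}"
    [ -x "$home/bin/enquiry" ]
}

# Pure-text helper: reads the output of `hdfs crypto -listZones` on stdin
# (one "<zone path> <key name>" pair per line) and prints the key bound to
# ZONE. Exits 1 with no output when the zone is not listed.
zone_key_from_listing() {
    zone="$1"
    awk -v z="$zone" '$1 == z { print $2; found = 1 } END { exit !found }'
}

# Step 7 end-to-end check: create a key in the KMS, turn an empty directory
# into an encryption zone bound to that key, write a file into it, then
# confirm that the zone listing and the file's encryption metadata both
# reference the key (the per-file EDEK was wrapped by the KMS with it).
validate_encryption_zone() {
    key="${1:-hsmtestkey}"
    zone="${2:-/tmp/hsm_ez_test}"
    hadoop key create "$key" || return 1
    hdfs dfs -mkdir -p "$zone" || return 1
    hdfs crypto -createZone -keyName "$key" -path "$zone" || return 1
    printf 'probe plaintext\n' | hdfs dfs -put - "$zone/probe.txt" || return 1
    listed=$(hdfs crypto -listZones | zone_key_from_listing "$zone") || return 1
    [ "$listed" = "$key" ] || return 1
    hdfs crypto -getFileEncryptionInfo -path "$zone/probe.txt" | grep -q "keyName: $key"
}

# Only runs the cluster checks when invoked as `sh script.sh validate [key] [zone]`;
# sourcing the file just defines the functions.
if [ "${1:-}" = "validate" ]; then
    thales_client_installed || { echo "Thales client not found under $NFAST_HOME" >&2; exit 1; }
    validate_encryption_zone "${2:-hsmtestkey}" "${3:-/tmp/hsm_ez_test}" && echo "HDFS encryption OK"
fi
```

Run it as a user listed in the KMS ACLs; `hadoop key create` is refused for anyone else, which is itself a useful check that the ACLs generated in step 5 took effect. Reading the raw ciphertext through `/.reserved/raw` would be a stronger proof than the metadata check, but that path is restricted to the HDFS superuser, so the script relies on the encryption info instead.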