Enabling HDFS Encryption Using Navigator HSM KMS Backed by Luna HSM

After enabling Kerberos and TLS/SSL on your cluster, you must install the Luna HSM client, the Key Trustee KMS binary, and then add the HSM KMS backed by Luna HSM.

  1. Enable Kerberos.
    Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
  2. Enable TLS/SSL.
    Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
  3. Install Luna HSM Client.
    Before installing the Navigator HSM KMS backed by Luna HSM, you must install the Luna HSM client on the host. Attempts to install the Navigator HSM KMS backed by Luna HSM before installing the Luna HSM client will fail.

    For details about how to install the Luna HSM client, refer to the Luna HSM product documentation.

  4. Install Parcel for Cloudera Key Providers.
    This step is completed automatically when you download the parcel. If the step is incomplete for any reason (such as the wizard being interrupted or a failure installing the parcel), complete it manually:
    1. Click Install Key Trustee KMS binary using packages or parcels.
    2. Select the KEYTRUSTEE parcel to install Key Trustee KMS, or select None if you need to install Key Trustee KMS manually using packages.
      If you do not see a parcel available, click More Options and add the repository URL to the Remote Parcel Repository URLs list. After selecting a parcel, click Continue.
    3. After the KEYTRUSTEE parcel is successfully downloaded, distributed, unpacked, and activated, click Finish to complete this step and return to the main page of the wizard.
  5. Add the Navigator HSM KMS backed by SafeNet Luna HSM.
    1. Click Add Navigator HSM KMS backed by Safenet Luna HSM.
    2. In the Luna HSM-backed KMS Proxy field, select the hosts to which you want to assign a new or existing role. Click OK, and then click Continue.
    3. To set up the ACL for the cluster, specify a comma-separated list of users and groups, and then click Generate ACLs. Click Continue.
    4. Click Continue.
    5. Review your selections and specify the following:
      • Luna HSM Password: Contact your HSM administrator for the Luna HSM Partition password.
      • Keystore Password:
      • Luna HSM Server Slot: Identification number of the Luna HSM Server slot/device to use. If you do not know what value(s) to enter here, see the Luna product documentation for instructions on configuring your Luna HSM. Alternatively, run the /usr/safenet/lunaclient/bin/vtl verify command on the Luna HSM client host to view the slot value.
      Click Continue.
    6. Upon notification that you have successfully added the Navigator Safenet Luna KMS Service, click Continue and Finish.
  6. Restart stale services and redeploy client configuration.
    Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
    This step restarts all services that were modified while enabling HDFS encryption.

    To complete this step:

    1. Click Restart stale services and redeploy client configuration.
    2. Click Restart Stale Services.
    3. Ensure that Re-deploy client configuration is checked, and click Restart Now.
    4. After all commands have completed, click Finish.

  7. Validate Data Encryption.
    Minimum Required Role: Key Administrator or Cluster Administrator
    This step launches a Validate Data Encryption tutorial with instructions describing how to create an encryption zone and place data into it to verify that HDFS encryption is enabled and working.
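The validation the tutorial walks through can also be scripted. The following is an added example, not Cloudera's tutorial or product code; it assumes the key name `hsm_zone_key`, the zone path `/secure/zone1`, a kinit'd user allowed to create keys in the KMS, and that the standard `hadoop key` and `hdfs crypto` CLIs are on the path. The two check functions work on CLI output text, so they are exercised below with constructed sample output.

```bash
#!/usr/bin/env bash
# Added example: verify an HDFS encryption zone end to end once the HSM-backed KMS is live.
# Assumed values (not from the page): key name and zone path below.
set -eu

KEY_NAME="${KEY_NAME:-hsm_zone_key}"   # assumed: key created in the HSM-backed KMS
ZONE="${ZONE:-/secure/zone1}"          # assumed: directory to become the encryption zone

# Check 1: given the text printed by "hdfs crypto -getFileEncryptionInfo -path <file>",
# confirm the file's EDEK was issued under the expected zone key. Returns 0 on match.
file_uses_zone_key() {
  info="$1"; key="$2"
  # The info line carries "keyName: <name>," followed by ezKeyVersionName.
  printf '%s\n' "$info" | grep -Eq "keyName: ${key}[,}]"
}

# Check 2: given "hdfs crypto -listZones" output ("<path>  <keyName>" per line),
# confirm the zone is registered under the expected key. Returns 0 on match.
zone_registered() {
  zones="$1"; zone="$2"; key="$3"
  printf '%s\n' "$zones" | awk -v z="$zone" -v k="$key" \
    '$1 == z && $2 == k { found = 1 } END { exit !found }'
}

# Live procedure: create the key in the KMS, make the zone, write a probe file,
# and confirm both the zone registration and the per-file key binding.
validate_encryption_zone() {
  hadoop key create "$KEY_NAME"
  hdfs dfs -mkdir -p "$ZONE"
  hdfs crypto -createZone -keyName "$KEY_NAME" -path "$ZONE"
  zone_registered "$(hdfs crypto -listZones)" "$ZONE" "$KEY_NAME"
  echo "plaintext probe" | hdfs dfs -put - "$ZONE/probe.txt"
  file_uses_zone_key "$(hdfs crypto -getFileEncryptionInfo -path "$ZONE/probe.txt")" "$KEY_NAME"
  # Reading back through HDFS must still decrypt transparently for an authorized user.
  hdfs dfs -cat "$ZONE/probe.txt" | grep -q "plaintext probe"
}

# Only touch a cluster when explicitly asked and the hdfs CLI is present.
if [ "${RUN_LIVE:-0}" = 1 ] && command -v hdfs >/dev/null 2>&1; then
  validate_encryption_zone && echo "Encryption zone $ZONE verified with key $KEY_NAME"
fi
```

Run with `RUN_LIVE=1` on a KMS client host to execute against the cluster; without it the script only defines the checks.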