Encryption Mechanisms Overview
Data at rest and data in transit encryption function at different technology layers of the cluster:
Layer | Description |
---|---|
Application | Applied by the HDFS client software, HDFS Transparent Encryption lets you encrypt
specific folders contained in HDFS. To securely store the required encryption keys,
Cloudera recommends using Cloudera Navigator Key Trustee Server in conjunction with
HDFS encryption. Data stored temporarily on the local filesystem outside HDFS by CDH components (including Impala, MapReduce, YARN, or HBase) can also be encrypted.. |
Operating System | At the Linux OS filesystem layer, encryption can be applied to an entire volume. For example, Cloudera Navigator Encrypt can encrypt data inside and outside HDFS, such as temp/spill files, configuration files, and databases that store metadata associated with a CDH cluster. Cloudera Navigator Encrypt operates as a Linux kernel module, part of the operating system. Navigator Encrypt requires a license for Cloudera Navigator and must be configured to use Navigator Key Trustee Server. |
Network | Network communications between client processes and server processes (HTTP, RPC, or TCP/IP services) can be encrypted using industry-standard TLS/SSL. |
Here are some good starting places for more information about encryption for Cloudera clusters:
- Encrypting data at rest
- Encrypting data in transit