Installing Cloudera Navigator Encrypt
See Data at Rest Encryption Requirements for more information about encryption and Navigator Encrypt requirements.
Setting Up an Internal Repository
You must create an internal repository to install or upgrade Navigator Encrypt. For instructions on creating internal repositories (including Cloudera Manager, CDH, and Cloudera Navigator encryption components), see Configuring a Local Package Repository.
Installing Navigator Encrypt (RHEL-Compatible)
Installing Navigator Encrypt (SLES)
Installing Navigator Encrypt (Ubuntu)
Post Installation
chkconfig:
sudo chkconfig --level 235 navencrypt-mount on
sudo chkconfig --level 235 ntpd on
Setting Up TLS for Navigator Encrypt Clients
[root@navencrypt-1 ~]# service navencrypt-mount stop
Stopping navencrypt directories
* Umounting /dev/nvtest/test1 ... [ OK ]
* Umounting /dev/nvtest/test2 ... [ OK ]
* Unloading module ... [ OK ]
[root@navencrypt-1 ~]# update-ca-trust enable
[root@navencrypt-1 ~]# cp dd-1.lab.usa.company.com.pem /etc/pki/ca-trust/source/anchors/
[root@navencrypt-1 ~]# update-ca-trust
[root@navencrypt-1 ~]# service navencrypt-mount start
Starting navencrypt directories
* Mounting '/dev/nvtest/test1' [ OK ]
* Mounting '/dev/nvtest/test2'
Entropy Requirements
Many cryptographic operations, such as those used with TLS or HDFS encryption, require a sufficient level of system entropy to ensure randomness; likewise, Navigator Encrypt needs a source of random numbers to ensure good performance. Hence, you need to make sure that the hosts running Navigator Encrypt (as well as Key Trustee Server and Key Trustee KMS) have sufficient entropy to perform cryptographic operations.
You can check the available entropy on a Linux system by running the following command:
cat /proc/sys/kernel/random/entropy_avail
The output displays the entropy currently available. Check the entropy several times to determine the state of the entropy pool on the system. If the entropy is consistently low (500 or less), you must increase it by installing rng-tools version 4 or higher and starting the rngd service.
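As an added example (not from the Cloudera documentation), the following POSIX shell script performs the check just described: it samples entropy_avail several times and applies the "500 or less on every sample" rule, then reports whether rngd is running. The function names, the sample count, the interval and the rngd process check are assumptions of this example.

```shell
# Added example, not from the Cloudera documentation: sample the kernel
# entropy pool several times and report whether it is "consistently low"
# (500 or less on every sample). File path, sample count and interval are
# parameters so the same check can be run against a constructed file.
ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail

# sample_entropy FILE N INTERVAL: print N readings, one per line
sample_entropy() {
    file=$1; n=$2; interval=$3; i=0
    while [ "$i" -lt "$n" ]; do
        cat "$file"
        i=$((i + 1))
        if [ "$i" -lt "$n" ]; then sleep "$interval"; fi
    done
}

# entropy_consistently_low FILE N INTERVAL THRESHOLD
# Returns 0 (true) only when every reading is <= THRESHOLD.
entropy_consistently_low() {
    low=1
    for v in $(sample_entropy "$1" "$2" "$3"); do
        if [ "$v" -gt "$4" ]; then low=0; fi
    done
    [ "$low" -eq 1 ]
}

# rngd_running: 0 when an rngd process exists (pgrep may be missing on
# minimal systems, so fall back to ps)
rngd_running() {
    if command -v pgrep >/dev/null 2>&1; then
        pgrep -x rngd >/dev/null 2>&1
    else
        ps -e 2>/dev/null | grep -q '[r]ngd'
    fi
}

# main [FILE] [SAMPLES] [INTERVAL]: exit 1 when the pool is consistently
# low, so the check can gate an automated navencrypt-prepare run.
main() {
    file=${1:-$ENTROPY_FILE}; n=${2:-3}; interval=${3:-1}
    if entropy_consistently_low "$file" "$n" "$interval" 500; then
        echo "entropy consistently <= 500: install rng-tools 4+ and start rngd"
        rngd_running || echo "rngd is not running"
        return 1
    fi
    echo "entropy pool OK (all $n samples above 500)"
}

main "$@"
```

On Linux 5.18 and later, entropy_avail reports a constant 256 once the pool is initialized, so the 500 threshold is meaningful only on the older kernels (such as those in RHEL 6 and 7) this page targets.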
Install rng-tools Using Package Manager
If version 4 or higher of the rng-tools package is available from the local package manager (yum), install it directly from the package manager. If the appropriate version of rng-tools is unavailable, see Building rng-tools From Source.
Run the following commands on RHEL 6-compatible systems:
sudo yum install rng-tools
sudo service rngd start
sudo chkconfig rngd on
For RHEL 7, run the following commands:
sudo yum install rng-tools
sudo cp /usr/lib/systemd/system/rngd.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl start rngd
sudo systemctl enable rngd
Building rng-tools From Source
If you cannot install rng-tools using the package manager, you can build it from source. To install and start rngd by building from source:
- Download the source code:
sudo wget http://downloads.sourceforge.net/project/gkernel/rng-tools/4/rng-tools-4.tar.gz
- Extract the source code:
tar xvfz rng-tools-4.tar.gz
- Enter the rng-tools-4 directory:
cd rng-tools-4
- Run ./configure
- Run make
- Run sudo make install
After installing rng-tools, start the rngd daemon by running the following command as root:
sudo rngd --no-tpm=1 -o /dev/random
For improved performance, Cloudera recommends configuring Navigator Encrypt to read directly from /dev/random instead of /dev/urandom.
To configure Navigator Encrypt to use /dev/random as an entropy source, add --use-random to the navencrypt-prepare command when you are setting up Navigator Encrypt.
Uninstalling and Reinstalling Navigator Encrypt
Uninstalling Navigator Encrypt
sudo yum remove navencrypt
sudo yum remove navencrypt-kernel-module
These commands remove the software itself. On RHEL-compatible OSes, the /etc/navencrypt directory is not removed as part of the uninstallation. Remove it manually if required.
Reinstalling Navigator Encrypt
After uninstalling Navigator Encrypt, repeat the preceding installation instructions for your distribution.
When Navigator Encrypt is uninstalled, the configuration files and directories located in /etc/navencrypt are not removed. Consequently, you do not need to use the navencrypt register command during reinstallation. If you no longer require the previous installation configuration information in the directory /etc/navencrypt, you can remove its contents.