Enabling HDFS Encryption Using a Java KeyStore

Cloudera strongly recommends using Cloudera Navigator Key Trustee Server as the root of trust for production environments. The file-based Java KeyStore root of trust is insufficient to provide the security, scalability, and manageability required by most production systems.

After selecting A file-based password-protected Java KeyStore as the root of trust, the following steps are displayed.
  1. Enable Kerberos.
    Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
  2. Enable TLS/SSL.
    Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
  3. Add a Java KeyStore KMS Service.
    Minimum Required Role: Key Administrator (also provided by Full Administrator)
    This step adds the Java KeyStore KMS service to the cluster. The Java KeyStore KMS service uses a password-protected Java KeyStore for cryptographic key management.

    To complete this step:

    1. Click Add a Java KeyStore KMS Service.
    2. Select a cluster host for the Java KeyStore KMS service. Click Continue.
    3. The Setup TLS for Java KeyStore KMS page provides high-level instructions for configuring TLS communication between the EDH cluster and the Java KeyStore KMS.
      Click Continue.
    4. The Review Changes page lists the Java KeyStore settings. Click the icon next to any setting for information about that setting.
      Enter the location and password for the Java KeyStore and click Continue.
    5. Click Continue to automatically configure the HDFS service to depend on the Java KeyStore KMS service.
    6. Click Finish to complete this step and return to the main page of the wizard.
  4. Restart stale services and redeploy client configuration.
    Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
    This step restarts all services that were modified while enabling HDFS encryption.

    To complete this step:

    1. Click Restart stale services and redeploy client configuration.
    2. Click Restart Stale Services.
    3. Ensure that Re-deploy client configuration is checked, and click Restart Now.
    4. After all commands have completed, click Finish.
  5. Validate Data Encryption.
    Minimum Required Role: Key Administrator or Cluster Administrator
    This step launches a Validate Data Encryption tutorial with instructions describing how to create an encryption zone and place data into it to verify that HDFS encryption is enabled and working.
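The following script is an added example of the validation that the last step describes; it is not part of the Cloudera page or the wizard's own tutorial. It creates an encryption zone key in the KMS, turns an empty directory into an encryption zone, writes a probe file, and then checks two things: a normal read returns the plaintext (the client decrypted it through the KMS), and the bytes stored by the DataNodes, read through the /.reserved/raw view, are not the plaintext. The names KEY_NAME and ZONE_PATH are hypothetical, and the script assumes a Hadoop client whose configuration points at the Java KeyStore KMS, run by a user who may create keys and is an HDFS superuser (required for -createZone, -listZones and /.reserved/raw).

```shell
# Added example, not from the Cloudera page: end-to-end check of HDFS
# transparent encryption after the wizard finishes. KEY_NAME and ZONE_PATH
# are hypothetical names. Assumes a Hadoop client configured to reach the
# Java KeyStore KMS, run as a user who can create keys and is an HDFS
# superuser (needed for -createZone, -listZones and /.reserved/raw).
KEY_NAME="${KEY_NAME:-demo_key}"
ZONE_PATH="${ZONE_PATH:-/secure/zone1}"

# Read `hdfs crypto -listZones` output on stdin (one "<path> <keyname>" per
# line) and succeed only if $1 is an encryption zone backed by key $2.
zone_uses_key() {
  awk -v z="$1" -v k="$2" '$1 == z && $2 == k { found = 1 } END { exit !found }'
}

# Succeed only if the two files differ byte for byte: the plaintext we wrote
# versus what the DataNodes actually store.
ciphertext_differs() {
  ! cmp -s "$1" "$2"
}

validate_hdfs_encryption() {
  plain=$(mktemp) ; raw=$(mktemp)

  # 1. Create the encryption zone key in the KMS (skipped if it exists).
  hadoop key list | grep -qx "$KEY_NAME" || hadoop key create "$KEY_NAME"

  # 2. An encryption zone can only be created on an empty directory.
  hdfs dfs -mkdir -p "$ZONE_PATH"
  hdfs crypto -createZone -keyName "$KEY_NAME" -path "$ZONE_PATH"
  hdfs crypto -listZones | zone_uses_key "$ZONE_PATH" "$KEY_NAME" \
    || { echo "zone $ZONE_PATH is not backed by key $KEY_NAME" >&2; return 1; }

  # 3. Write a probe file. A normal read must return the plaintext, which
  #    proves the client could fetch the decrypted data key from the KMS.
  printf 'hdfs encryption probe %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$plain"
  hdfs dfs -put -f "$plain" "$ZONE_PATH/probe.txt"
  hdfs dfs -cat "$ZONE_PATH/probe.txt" | cmp -s - "$plain" \
    || { echo "decrypted read does not match plaintext" >&2; return 1; }

  # 4. /.reserved/raw bypasses client-side decryption and returns the stored
  #    bytes. If they equal the plaintext, nothing was encrypted at rest.
  hdfs dfs -cat "/.reserved/raw$ZONE_PATH/probe.txt" > "$raw"
  ciphertext_differs "$plain" "$raw" \
    || { echo "raw bytes equal plaintext: encryption NOT in effect" >&2; return 1; }

  rm -f "$plain" "$raw"
  echo "HDFS encryption validated for $ZONE_PATH (key $KEY_NAME)"
}

# Run the live check only where the Hadoop client is installed.
if command -v hdfs >/dev/null 2>&1 && command -v hadoop >/dev/null 2>&1; then
  validate_hdfs_encryption
fi
```

The decisive check is the last one: a successful `hdfs dfs -cat` of the zone path only shows that the KMS is reachable and the key is usable, while a mismatch between the /.reserved/raw bytes and the plaintext is what demonstrates that the blocks on disk are ciphertext. If `hadoop key create` is denied, the KMS ACLs in kms-acls.xml on the KMS host, not HDFS permissions, are the first place to look.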