Enabling HDFS Encryption Using Navigator Key Trustee Server

Enabling HDFS encryption using Key Trustee Server as the key store involves multiple components.

Before continuing, make sure the Cloudera Manager server host has access to the internal repository hosting the Key Trustee Server software.
Select Cloudera Navigator Key Trustee Server as the root of trust to view the steps, which are summarized below.
  1. Enable Kerberos.
    Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
  2. Enable TLS/SSL.
    Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
  3. Add a dedicated cluster for the Key Trustee Server.
    Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
    If you have not already done so, you must create an internal repository to install Cloudera Navigator before you can set up and use Navigator Key Trustee Server.

    This step creates a new cluster in Cloudera Manager for the Key Trustee Server hosts to isolate them from other enterprise data hub (EDH) services for increased security and durability. To complete this step:

    1. Click Add a dedicated cluster for the Key Trustee Server.
    2. Leave Enable High Availability checked to add two hosts to the cluster.
      For production environments, you must enable high availability for Key Trustee Server. Failure to enable high availability can result in complete data loss in the case of catastrophic failure of a standalone Key Trustee Server.

      Click Continue.

    3. Search for new hosts to add to the cluster, or select the Currently Managed Hosts tab to add existing hosts to the cluster.
      After selecting the hosts, click Continue.
    4. Select the KEYTRUSTEE_SERVER parcel to install Key Trustee Server using parcels, or select None if you want to use packages.
      If you do not see a parcel available, click More Options and add the repository URL to the Remote Parcel Repository URLs list. After selecting a parcel or None, click Continue.

      If you selected None, click Continue again, and skip to step 4 (Install Key Trustee Server binary using packages or parcels).

    5. After the KEYTRUSTEE_SERVER parcel is successfully downloaded, distributed, unpacked, and activated, click Continue.
    6. Click Continue to complete this step and return to the main page of the wizard.
  4. Install Key Trustee Server binary using packages or parcels.
    Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
    If you have not already done so, you must create an internal repository to install Cloudera Navigator before you can set up and use Navigator Key Trustee Server.

    This step is completed automatically during step 3 (Add a dedicated cluster for the Key Trustee Server) if you are using parcels. If the step is incomplete for any reason (such as the wizard being interrupted or a failure installing the parcel), complete it manually:

    1. Click Install Key Trustee Server binary using packages or parcels.
    2. Select the KEYTRUSTEE_SERVER parcel to install Key Trustee Server, or select None if you need to install Key Trustee Server manually using packages.
      If you do not see a parcel available, click More Options and add the repository URL to the Remote Parcel Repository URLs list.

      After selecting a parcel, click Continue.

    3. After the KEYTRUSTEE_SERVER parcel is successfully downloaded, distributed, unpacked, and activated, click Finish to complete this step and return to the main page of the wizard.
  5. Install Parcel for Key Trustee KMS.
    Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
    If you have not already done so, you must create an internal repository to install Cloudera Navigator before you can set up and use Navigator Key Trustee Server.

    This step installs the Key Trustee KMS parcel. If you are using packages, skip this step and see 'Installing Key Trustee KMS Using Packages' for instructions. After installing Key Trustee KMS using packages, continue to step 6 (Add a Key Trustee Server Service).

    To complete this step for parcel-based installations:
    1. Click Install Parcel for Key Trustee KMS.
    2. Select the KEYTRUSTEE parcel to install Key Trustee KMS.
      If you do not see a parcel available, click More Options and add the repository URL to the Remote Parcel Repository URLs list. After selecting a parcel, click Continue.
    3. After the KEYTRUSTEE parcel is successfully downloaded, distributed, unpacked, and activated, click Finish to complete this step and return to the main page of the wizard.
  6. Add a Key Trustee Server Service.
    Minimum Required Role: Key Administrator (also provided by Full Administrator)
    This step adds the Key Trustee Server service to Cloudera Manager.

    To complete this step:

    1. Click Add a Key Trustee Server Service.
    2. Click Continue.
    3. On the Customize Role Assignments for Key Trustee Server page, select the hosts for the Active Key Trustee Server and Passive Key Trustee Server roles.
      Make sure that the selected hosts are not used for other services and click Continue.
    4. The Entropy Considerations page provides commands to install the rng-tools package to increase available entropy for cryptographic operations.
      After completing these commands, click Continue.
    5. The Synchronize Active and Passive Key Trustee Server Private Keys page provides instructions for generating and copying the Active Key Trustee Server private key to the Passive Key Trustee Server. Cloudera recommends following security best practices and transferring the private key using offline media, such as a removable USB drive. For convenience (for example, in a development or testing environment where maximum security is not required), you can copy the private key over the network using the provided rsync command.
      After you have synchronized the private keys, run the ktadmin init command on the Passive Key Trustee Server as described in the wizard. After the initialization is complete, check the box to indicate you have synchronized the keys and click Continue in the wizard.
    6. The Setup TLS for Key Trustee Server page provides instructions on replacing the auto-generated self-signed certificate with a production certificate from a trusted Certificate Authority (CA).
      Click Continue to view and modify the default certificate settings.
    7. On the Review Changes page, you can view and modify the following settings:
      • Database Storage Directory (db_root)

        Default value: /var/lib/keytrustee/db

        The directory on the local filesystem where the Key Trustee Server database is stored. Modify this value to store the database in a different directory.

      • Active Key Trustee Server TLS/SSL Server Private Key File (PEM Format) (ssl.privatekey.location)

        Default value: /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk.pem

        The path to the Active Key Trustee Server TLS certificate private key. Accept the default setting to use the auto-generated private key. If you have a CA-signed certificate, change this path to the CA-signed certificate private key file. This file must be in PEM format.

      • Active Key Trustee Server TLS/SSL Server Certificate File (PEM Format) (ssl.cert.location)

        Default value: /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee.pem

        The path to the Active Key Trustee Server TLS certificate. Accept the default setting to use the auto-generated self-signed certificate. If you have a CA-signed certificate, change this to the path to the CA-signed certificate. This file must be in PEM format.

      • Active Key Trustee Server TLS/SSL Server CA Certificate (PEM Format) (ssl.cacert.location)

        Default value: (none)

        The path to the file containing the CA certificate and any intermediate certificates (if any intermediate certificates exist, then they are required here) used to sign the Active Key Trustee Server certificate. If you have a CA-signed certificate, set this value to the path to the CA certificate or certificate chain file. This file must be in PEM format.

      • Active Key Trustee Server TLS/SSL Private Key Password (ssl.privatekey.password)

        Default value: (none)

        The password for the Active Key Trustee Server private key file. Leave this blank if the file is not password-protected.

      • Passive Key Trustee Server TLS/SSL Server Private Key File (PEM Format) (ssl.privatekey.location)

        Default value: /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk.pem

        The path to the Passive Key Trustee Server TLS certificate private key. Accept the default setting to use the auto-generated private key. If you have a CA-signed certificate, change this path to the CA-signed certificate private key file. This file must be in PEM format.

      • Passive Key Trustee Server TLS/SSL Server Certificate File (PEM Format) (ssl.cert.location)

        Default value: /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee.pem

        The path to the Passive Key Trustee Server TLS certificate. Accept the default setting to use the auto-generated self-signed certificate. If you have a CA-signed certificate, change this to the path to the CA-signed certificate. This file must be in PEM format.

      • Passive Key Trustee Server TLS/SSL Server CA Certificate (PEM Format) (ssl.cacert.location)

        Default value: (none)

        The path to the file containing the CA certificate and any intermediate certificates (if any intermediate certificates exist, then they are required here) used to sign the Passive Key Trustee Server certificate. If you have a CA-signed certificate, set this value to the path to the CA certificate or certificate chain file. This file must be in PEM format.

      • Passive Key Trustee Server TLS/SSL Private Key Password (ssl.privatekey.password)

        Default value: (none)

        The password for the Passive Key Trustee Server private key file. Leave this blank if the file is not password-protected.

      After reviewing the settings and making any changes, click Continue.
    8. After all commands complete successfully, click Continue.
      If the Generate Key Trustee Server Keyring command appears stuck, make sure that the Key Trustee Server host has enough entropy.
    9. Click Finish to complete this step and return to the main page of the wizard.
    For parcel-based Key Trustee Server releases 5.8 and higher, Cloudera Manager automatically backs up Key Trustee Server (using the ktbackup.sh script) after adding the Key Trustee Server service. It also schedules automatic backups using cron. For package-based installations, you must manually back up Key Trustee Server and configure a cron job.

    Cloudera Manager configures cron to run the backup script hourly. The latest ten backups are retained in /var/lib/keytrustee in cleartext.
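The following pre-flight script is an added example, not Cloudera's tooling or part of the wizard. It checks, on a Key Trustee Server host, the three things this step asks you to get right: that enough entropy is available (the Entropy Considerations page), that the PEM files you are about to enter for ssl.privatekey.location, ssl.cert.location and ssl.cacert.location actually belong together and chain correctly, and that the directory holding the cleartext ktbackup.sh backups is not readable by other users. The default file paths are the wizard defaults quoted above; the 1000-bit entropy threshold, the function names and the KTS_PREFLIGHT_RUN variable are this script's own assumptions.

```shell
#!/bin/sh
# Pre-flight checks for a Key Trustee Server host (added example, not Cloudera's
# tooling). Default paths are the wizard defaults; thresholds and names are
# this script's own choices.

# entropy_ok [FILE] [MIN]: succeed when the kernel entropy counter read from
# FILE (normally /proc/sys/kernel/random/entropy_avail) is at least MIN bits.
# The 1000-bit threshold is an assumption of this script.
entropy_ok() {
  file=${1:-/proc/sys/kernel/random/entropy_avail}
  min=${2:-1000}
  avail=$(tr -dc '0-9' 2>/dev/null < "$file") || return 2
  [ -n "$avail" ] && [ "$avail" -ge "$min" ]
}

# tls_key_matches_cert KEY CERT [PASSWORD]: succeed when the public key inside
# CERT equals the public key derived from KEY, i.e. the private key file and
# certificate file entered in the wizard belong together. PASSWORD corresponds
# to ssl.privatekey.password and may be empty.
tls_key_matches_cert() {
  key=$1; cert=$2; pass=${3:-}
  if [ -n "$pass" ]; then
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) || return 2
  else
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
  fi
  cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 2
  [ "$key_pub" = "$cert_pub" ]
}

# tls_chain_verifies CERT CACERT: succeed when CERT chains to the CA bundle in
# CACERT. The bundle must contain every intermediate, as the wizard requires.
tls_chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# backup_dir_private DIR: succeed when DIR grants no permission to group or
# other, so the cleartext backups kept there are readable only by the owner.
backup_dir_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# preflight [KEY] [CERT] [CACERT] [PASSWORD] [BACKUPDIR]: run every check,
# print one line per result and fail if any check failed.
preflight() {
  key=${1:-/var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk.pem}
  cert=${2:-/var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee.pem}
  cacert=${3:-}; pass=${4:-}; bdir=${5:-/var/lib/keytrustee}
  rc=0
  if entropy_ok; then echo "OK   entropy"; else echo "WARN entropy low; run the rng-tools commands from the wizard"; rc=1; fi
  if tls_key_matches_cert "$key" "$cert" "$pass"; then echo "OK   private key matches certificate"; else echo "FAIL private key and certificate do not match"; rc=1; fi
  if [ -n "$cacert" ]; then
    if tls_chain_verifies "$cert" "$cacert"; then echo "OK   certificate chains to $cacert"; else echo "FAIL certificate does not chain to $cacert"; rc=1; fi
  else
    echo "INFO no CA file given; assuming the auto-generated self-signed certificate"
  fi
  if backup_dir_private "$bdir"; then echo "OK   $bdir is owner-only"; else echo "WARN $bdir is readable by group or other; backups there are cleartext"; rc=1; fi
  return $rc
}

# Run as: KTS_PREFLIGHT_RUN=1 sh kts-preflight.sh [key] [cert] [cacert] [password] [backupdir]
if [ "${KTS_PREFLIGHT_RUN:-0}" = 1 ]; then preflight "$@"; fi
```

Run it on each Key Trustee Server host (Active and Passive, since each has its own key, certificate and CA settings) before clicking Continue on the Review Changes page; a key/certificate mismatch or a missing intermediate in the CA file is much cheaper to find here than after the service fails to start.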

  7. Restart stale services and redeploy client configuration.
    Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
    This step restarts all services which were modified while enabling HDFS encryption.

    To complete this step:

    1. Click Restart stale services and redeploy client configuration.
    2. Click Restart Stale Services.
    3. Ensure that Re-deploy client configuration is checked, and click Restart Now.
    4. After all commands have completed, click Finish.
  8. Validate Data Encryption.
    Minimum Required Role: Key Administrator or Cluster Administrator (also provided by Full Administrator)
    This step launches a tutorial with instructions on creating an encryption zone and putting data into it to verify that HDFS encryption is enabled and working.
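The script below is an added example of what that validation amounts to on the command line; it is not Cloudera's tutorial script. It assumes a client host whose hadoop and hdfs CLIs are configured against the cluster, run as a user permitted to create keys and encryption zones, and it uses only standard Hadoop CLI commands. The key name kts-validation-key, the zone path /kts-validation-zone, the probe file name and the KTS_VALIDATE_RUN variable are this script's own placeholders. The zone_key helper parses the output of hdfs crypto -listZones (one zone path and key name per line) so the script can confirm the zone is backed by the key it asked for.

```shell
#!/bin/sh
# Validation of HDFS encryption end to end (added example, not Cloudera's
# tutorial script). Requires configured hadoop/hdfs CLIs; names are placeholders.

# zone_key LISTING ZONE: given the text printed by `hdfs crypto -listZones`
# (one "<zone path> <key name>" pair per line), print the key backing ZONE.
# Fails when ZONE is not an encryption zone.
zone_key() {
  key=$(printf '%s\n' "$1" | awk -v z="$2" '$1 == z { print $2; exit }')
  [ -n "$key" ] && printf '%s\n' "$key"
}

# validate_hdfs_encryption [KEY] [ZONE]: create KEY in the KMS (backed by Key
# Trustee Server), make ZONE an encryption zone, write a file into it and
# confirm the file carries encryption metadata and reads back as plaintext.
validate_hdfs_encryption() {
  key=${1:-kts-validation-key}
  zone=${2:-/kts-validation-zone}
  probe="$zone/probe.txt"

  hadoop key create "$key" || return 1
  hdfs dfs -mkdir -p "$zone" || return 1
  hdfs crypto -createZone -keyName "$key" -path "$zone" || return 1

  # The zone must now be listed with the key we gave it.
  listing=$(hdfs crypto -listZones) || return 1
  [ "$(zone_key "$listing" "$zone")" = "$key" ] || { echo "zone $zone is not backed by $key" >&2; return 1; }

  # Write through the zone: the client encrypts with a per-file data
  # encryption key obtained from the KMS. Reading back through the normal path
  # must return the plaintext.
  tmp=$(mktemp)
  echo "hello from an encryption zone" > "$tmp"
  hdfs dfs -put -f "$tmp" "$probe" || return 1
  [ "$(hdfs dfs -cat "$probe")" = "$(cat "$tmp")" ] || { echo "readback mismatch" >&2; return 1; }

  # Per-file encryption info (cipher suite, encrypted DEK, key version) shows
  # the file is stored encrypted.
  hdfs crypto -getFileEncryptionInfo -path "$probe" || return 1

  # /.reserved/raw exposes the stored ciphertext (HDFS superuser only); it must
  # not equal the plaintext. Skipped silently when we are not superuser.
  if raw=$(hdfs dfs -cat "/.reserved/raw$probe" 2>/dev/null); then
    [ "$raw" != "$(cat "$tmp")" ] || { echo "raw bytes equal plaintext" >&2; return 1; }
  fi
  rm -f "$tmp"
  echo "HDFS encryption validated for $zone (key $key)"
}

# Run as: KTS_VALIDATE_RUN=1 sh validate-hdfs-encryption.sh [key] [zone]
if [ "${KTS_VALIDATE_RUN:-0}" = 1 ]; then validate_hdfs_encryption "$@"; fi
```

Because hadoop key create fails if the key already exists, use a fresh key name for each run, and remove the zone and key afterwards if the cluster is not a test system.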