Encrypting and Decrypting Data Using Cloudera Navigator Encrypt
After the encrypted file system is created and initialized, it is ready to hold data. All encryption and decryption functionality is performed with a single command: navencrypt-move.
Do not manually create directories or files under a Cloudera Navigator Encrypt mount point; use only the navencrypt-move command to encrypt and decrypt data. See Preparing for Encryption Using Cloudera Navigator Encrypt for more information about mount points.
After encrypting a file or directory, all data written and read through the mount point is transparently encrypted and decrypted.
Before You Begin
Navigator Encrypt does not support encrypting data in certain environments, including the following:
- Do not attempt to encrypt a directory that contains or is contained within a mount point for another service (including Navigator Encrypt and NFS). For example:
  - If your encryption mount point is /var/lib/navencrypt/mount, do not attempt to encrypt /var, /var/lib, /var/lib/navencrypt, /var/lib/navencrypt/mount, or anything under /var/lib/navencrypt/mount/.
  - If you have mounted an NFS file system at /mnt/home, do not attempt to encrypt /mnt, /mnt/home, or anything under /mnt/home.
- Do not attempt to encrypt immutable files or directories containing immutable files.
- Do not use Navigator Encrypt within a chroot environment, or create a chroot environment within an encrypted directory.
- If your Key Trustee Server is managed by Cloudera Manager, do not encrypt the Cloudera Manager database with Navigator Encrypt; doing so prevents Cloudera Manager from starting.
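The mount-point and immutable-file rules above, turned into a pre-flight check you can run before navencrypt-move encrypt. This is an added example, not part of Cloudera's tooling; it assumes the encrypted mount point and any other mount points (such as the NFS one) are passed as arguments, and that lsattr is installed for the immutable check.

```shell
#!/bin/sh
# Added example (not Cloudera's code): pre-flight checks mirroring the
# "Before You Begin" rules. Assumptions: mount points are passed explicitly;
# lsattr (e2fsprogs) is available for the immutable check, else it is skipped.

# Strip one trailing slash so /mnt/home/ and /mnt/home compare equal.
normalize_path() {
  p=${1%/}
  if [ -n "$p" ]; then printf '%s\n' "$p"; else printf '/\n'; fi
}

# Usage: mount_conflict TARGET MOUNTPOINT...
# Returns 0 (true) when TARGET is, lies under, or contains any MOUNTPOINT.
mount_conflict() {
  target=$(normalize_path "$1"); shift
  [ "$target" = "/" ] && return 0        # root partition always conflicts
  for mp in "$@"; do
    mp=$(normalize_path "$mp")
    case "$target" in
      "$mp"|"$mp"/*) return 0 ;;         # target is the mount point or inside it
    esac
    case "$mp" in
      "$target"/*) return 0 ;;           # target is an ancestor of the mount point
    esac
  done
  return 1
}

# Returns 0 when TARGET, or anything under it, carries the immutable flag
# (the 'i' in the lsattr flag field); returns 1 otherwise or without lsattr.
has_immutable() {
  command -v lsattr >/dev/null 2>&1 || return 1
  { lsattr -d "$1"; lsattr -R "$1"; } 2>/dev/null \
    | grep -E '^[-a-zA-Z]+ ' | cut -d' ' -f1 | grep -q i
}

# Usage: precheck_encrypt TARGET ENCRYPTED_MOUNT [OTHER_MOUNT...]
# Prints the reason and returns 1 when TARGET must not be encrypted.
precheck_encrypt() {
  if mount_conflict "$@"; then
    echo "refuse: $1 is, contains, or lies under a mount point" >&2; return 1
  fi
  if has_immutable "$1"; then
    echo "refuse: $1 has or contains immutable files" >&2; return 1
  fi
  return 0
}

# Example (hypothetical paths):
# precheck_encrypt /var/lib/mysql/data /var/lib/navencrypt/mount /mnt/home \
#   && sudo navencrypt-move encrypt @mysql /var/lib/mysql/data /var/lib/navencrypt/mount
```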
Encrypting Data
Do not manually create directories or files under a Navigator Encrypt mount point; use only the navencrypt-move command to encrypt data.
Here is an example command to encrypt data, with an explanation for each option:
sudo navencrypt-move encrypt @<category> <directory_or_file_to_encrypt> <encrypted_mount_point>
| Command Option | Explanation |
|---|---|
| navencrypt-move | Main command interface for all actions that require moving data either to or from the encrypted file system. For more information see the |
| encrypt | Identifies the cryptographic operation, in this case, encrypting data. The |
| @<category> | The access category that is applied to the data being encrypted. Encrypted data is protected by process-based access controls that restrict access to only the processes that you allow. You can use any naming convention you want (the @ symbol is required), but Cloudera recommends keeping it simple and memorable. For example, you can use a name referencing the data type being encrypted, such as @mysql for a MySQL deployment. See Listing Categories for instructions on viewing existing categories. |
| <directory_or_file_to_encrypt> | The data that you want to encrypt. This can be a single file or an entire directory. Navigator Encrypt starts after the system boots, so do not encrypt required system files and directories (such as the root partition, /var, and so on). Some examples of recommended data directories to encrypt are /var/lib/mysql/data, /db/data, and so on. |
| <encrypted_mount_point> | Where you want to store the data. This is the path to the mount point specified during the navencrypt-prepare command. |
When a file is encrypted, a symbolic link (symlink) is created which points to the @<category> directory under the mount point. The navencrypt-move command moves all specified data to the encrypted file system and replaces it with a symlink to the mount point for that encrypted file system.
sudo /usr/sbin/navencrypt-move encrypt @mycategory /path/to/directory_to_encrypt/ /path/to/mount
ls -l <directory_to_encrypt>
du -h <encrypted_storage_directory>
The output demonstrates the new file system layout. Everything that was in the target directory is now securely stored in the encrypted file system.
Decrypting Data
The decryption command requires only the path to the original data, which is now a symbolic link, as an argument. The following example demonstrates how to decrypt a file using the navencrypt-move command:
sudo /usr/sbin/navencrypt-move decrypt /path/to/encrypted/directory_or_file
sudo /usr/sbin/navencrypt-move decrypt /path/to/encrypted/directory