Preparing for Encryption Using Cloudera Navigator Encrypt
Before you can encrypt data, you must prepare a storage repository to
hold the encrypted data and a mount point through which to access the
encrypted data. The storage repository and mount point must exist before
encrypting data using the
Data stored and retrieved from the repository is encrypted and decrypted transparently.
- Encrypting a directory that contains or is contained within a mount point for another service (including Navigator Encrypt and NFS). See Encrypting Data for more information.
- Encrypting immutable files or directories containing immutable files.
- Installation or use in
chrootenvironments, including creating
chrootenvironments within an encrypted directory.
- Encrypting HDFS data files.
Navigator Encrypt Commands
||Manage, update, and verify your data.|
||Prepare your system for encryption by creating mount-points and specifying storage.|
||Remove a mountpoint that is no longer in use.|
||Encrypt/decrypt your data to/from the encrypted file system.|
||Generate process profile information in JSON format.|
||Build or rebuild the Navigator Encrypt kernel module.|
Preparing for Encryption
navencrypt-preparecommand, or to use a unique configuration, use the interactive prompt by executing
navencrypt-preparewith no options. This launches an interactive console that guides you through the following operations:
- Creating internal encryption keys
- Registering internal keys in Navigator Key Trustee
- Registering mount point in
- Mounting current mount point
- Establishing encryption method (
Using the console, you can choose how you want your data stored and
accessed. Navigator Encrypt offers block-level encryption with
dm-crypt, which protects your data by encrypting the
entire device. This enables full disk encryption and is optimized for
some system configurations. You can use block-level encryption with
logical devices such as a loop device.
See Block-Level Encryption with dm-crypt for more information.
Block-Level Encryption with dm-crypt
- The first parameter is the block device that you want to store the encrypted file system in. Because this device stores all of the encrypted data, it must be as large as or larger than the target data. The device must exist and be empty. Supported storage devices are:
- The second parameter is the mount point for the encrypted file
system. This is the location where you can access the encrypted data
stored in the first parameter. The mount point must already exist.
It is not created by the
The entire device in the first parameter is used for encrypted data.
After specifying these two parameters and following the interactive console (discussed further in Preparing for Encryption), you are ready to encrypt your data.
When specifying the mount point path, do not use a trailing
sudo navencrypt-prepare <device_name> <mount_point>
/in the path names. The mount point directory must exist prior to running the
sudo systemctl start navencrypt-mount
dm-cryptfor block-level encryption:
After you have successfully prepared a client for encryption, you can encrypt and decrypt data using the commands described in Encrypting and Decrypting Data Using Cloudera Navigator Encrypt.
$ sudo /usr/sbin/navencrypt-prepare urandom /mnt/dm_encrypted Type MASTER passphrase: Encryption Type: dmCrypt (LUKS) Cipher: aes Key Size: 256 Random Interface: /dev/urandom Filesystem: ext4 Verifying MASTER key against Navigator Key Trustee (wait a moment) ... OK Generation Encryption Keys with /dev/urandom ... OK Preparing dmCrypt device (--use-urandom) ... OK Creating ext4 filesystem ... OK Registering Encryption Keys (wait a moment) ... OK Mounting /dev/sda1 ... OK
Block-Level Encryption with a Loop Device
A block-level encrypted device can be a physical device or a storage space treated as a device.
ddcommand to create a storage space:
sudo dd if=/dev/zero of=/dmcrypt/storage bs=1G count=500
dd command above creates a 500 GB file. Modify
count values to generate
the required file size.
After generating the file, run
losetup -f to view
unused loop devices. Use the available loop device with the
navencrypt-prepare -d command, demonstrated
-dparameter enables Navigator Encrypt to manage the loop device association. You no longer need to use the
losetupcommand to associate the file with the loop device, and the loop device is automatically prepared at boot. For RHEL 7-compatible OS, you must run the following commands to ensure that a loop device is available at boot:
sudo bash -c 'echo "loop" > /etc/modules-load.d/loop.conf' sudo bash -c 'echo "options loop max_loop=8" > /etc/modprobe.d/loop_options.conf'
The data storage directory name (
the previous example) must contain only alphanumeric characters,
spaces, hyphens (
-), or underscores
_). Other special characters are not
$ losetup -f /dev/loop0 $ sudo navencrypt-prepare -d /dmcrypt/storage /dev/loop0 /dmcrypt/mountpoint Type MASTER passphrase: Encryption Type: dmCrypt (LUKS) Cipher: aes Key Size: 256 Random Interface: OpenSSL Filesystem: ext4 Options: Verifying MASTER key against KeyTrustee (wait a moment) ... OK Generation Encryption Keys with OpenSSL ... OK Assigning '/dev/loop0'->'/dmcrypt/storage' ... OK Preparing dmCrypt device ... OK Creating ext4 filesystem ... OK Registering Encryption Keys (wait a moment) ... OK Mounting /dev/loop0 ... OK
losetupcommand at boot) by adding the
nav_datastoreoption to the entry in
/etc/navencrypt/ztab. For example:
# <target mount-dir> <source device> <type> <options> /dmcrypt/mountpoint /dev/loop0 luks key=keytrustee,nav_datastore='/dmcrypt/storage'
After you have created the loop device, continue with the instructions in Block-Level Encryption with dm-crypt.
Navigator Encrypt and Device UUIDs
Navigator Encrypt has always prepared and identified devices simply
using a device name, such as
/dev/loop0. However, we know that using a device name
or label could lead to a conflict and impact system operations.
Navigator Encrypt also supports preparing devices using a UUID, in
addition to device name. This UUID is simply a symbolic link to the
actual device, and is created when preparing a device with Navigator
Encrypt during a
The advantage of using a device UUID is that if a device’s name changes, the UUID associated with that device does not change. To ensure that Navigator Encrypt recognizes devices even when the device name changes, enter the command:
navencrypt-prepare --use-uuid /dev/sda1 /mountpoint
navencrypt-prepare --undo-force /dev/disk/by-uuid/3a602a15-11f7-46ac-ae98-0a51e1b25cf9 navencrypt-prepare --undo /dev/disk/by-uuid/3a602a15-11f7-46ac-ae98-0a51e1b25cf9
Pass-through Mount Options for
Navigator Encrypt 3.5 and higher provides the ability to specify
options to pass to the
mount command that is executed
systemctl start navencrypt-mount on RHEL 7). These
options are specified with the
-o option when preparing
a mountpoint with the
navencrypt-preparecommand output when passing mount options with the
$ sudo navencrypt-prepare -o discard,resize /mnt/t2 /mnt/t2 Type MASTER passphrase: Encryption Type: dmCrypt (LUKS) Cipher: aes Key Size: 256 Random Interface: OpenSSL Filesystem: ext4 Options: discard,resize Verifying MASTER key against Navigator Key Trustee(wait a moment) ... OK Generation Encryption Keys with OpenSSL ... OK Registering Encryption Keys (wait a moment) ... OK Mounting /mnt/t2 ... OK
$ cat /etc/navencrypt/ztab /mnt/t2 /mnt/t2 dmcrypt key=keytrustee,cipher=aes,keysize=256,discard,resize
Options can be added or removed to existing mount points prepared with
versions of Navigator Encrypt prior to 3.5 by editing the
/etc/navencrypt/ztab file and adding the
comma-separated options (no spaces) to the end of each line as seen in
the previous example above.
$ mount /mnt/t2 on /mnt/t2 type dmcrypt (rw,dmcrypt_sig=6de3db1e87077adb,ecryptfs_unlink_sigs,noauto,\ dmcrypt_cipher=aes,dmcrypt_key_bytes=32,discard,resize)
For a list of available mount options, see the