Installing Cloudera Navigator Encrypt
Learn about installing Navigator Encrypt, setting up TLS certificates on a Navigator Encrypt client, entropy requirements, and uninstalling and reinstalling NavEncrypt.
See Data at Rest Encryption Requirements for more information about encryption and Navigator Encrypt requirements.
Setting Up an Internal Repository
You must create an internal repository to install or upgrade Navigator Encrypt. For instructions on creating internal repositories (including Cloudera Manager, CDH, and Cloudera Navigator encryption components), see Configuring a Local Package Repository.
Installing Navigator Encrypt (RHEL-Compatible)
Learn how to install RHEL-compatible Navigator Encrypt.
Installing Navigator Encrypt (SLES)
Learn how to install SLES-compatible Navigator Encrypt.
Installing Navigator Encrypt (Ubuntu)
Learn how to install Ubuntu-compatible Navigator Encrypt.
Post Installation
Run the following commands after installing Navigator Encrypt.
chkconfig:
sudo chkconfig --level 235 navencrypt-mount on
sudo chkconfig --level 235 ntpd on
Setting Up TLS for Navigator Encrypt Clients
Transport Layer Security (TLS) certificates are used to secure communication with Navigator Encrypt. Cloudera strongly recommends using certificates signed by a trusted Certificate Authority (CA).
[root@navencrypt-1 ~]# service navencrypt-mount stop
Stopping navencrypt directories
 * Umounting /dev/nvtest/test1 ...                         [  OK  ]
 * Umounting /dev/nvtest/test2 ...                         [  OK  ]
 * Unloading module ...                                    [  OK  ]
[root@navencrypt-1 ~]# update-ca-trust enable
[root@navencrypt-1 ~]# cp dd-1.lab.usa.company.com.pem /etc/pki/ca-trust/source/anchors/
[root@navencrypt-1 ~]# update-ca-trust
[root@navencrypt-1 ~]# service navencrypt-mount start
Starting navencrypt directories
 * Mounting '/dev/nvtest/test1'                            [  OK  ]
 * Mounting '/dev/nvtest/test2'
Entropy Requirements
Many cryptographic operations, such as those used with TLS or HDFS encryption, require a sufficient level of system entropy to ensure randomness; likewise, Navigator Encrypt needs a source of random numbers to ensure good performance.
Hence, you need to make sure that the hosts running Navigator Encrypt (as well as Key Trustee Server and Key Trustee KMS) have sufficient entropy to perform cryptographic operations.
You can check the available entropy on a Linux system by running the following command:
cat /proc/sys/kernel/random/entropy_avail
The output displays the entropy currently available. Check the entropy several times to determine the state of the entropy pool on the system. If the entropy is consistently low (500 or less), you must increase it by installing rng-tools version 4 or higher, and starting the rngd service.
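The repeated check described above can be scripted. The following is an added example, not part of the Cloudera documentation: the function name entropy_state, the sample count and the interval are assumptions, and 500 is the threshold given on this page. It assumes a kernel on which entropy_avail reports a varying pool estimate.

```shell
#!/bin/sh
# Added example: sample the kernel entropy estimate several times and
# classify the pool using this page's threshold (500 or less is low).
ENTROPY_LOW=500   # threshold from the page

# entropy_state [file] [samples] [interval_seconds]
# Prints "low" (every sample at or below the threshold, returns 1),
# "ok" (every sample above it), "mixed" (some of each), or
# "error" (source unreadable or not a plain integer, returns 2).
# The defaults of 5 samples, 1 second apart, are assumptions.
entropy_state() {
    src=${1:-/proc/sys/kernel/random/entropy_avail}
    samples=${2:-5}
    interval=${3:-1}
    low=0
    i=0
    while [ "$i" -lt "$samples" ]; do
        value=$(cat "$src" 2>/dev/null) || { echo error; return 2; }
        case $value in
            ''|*[!0-9]*) echo error; return 2 ;;
        esac
        if [ "$value" -le "$ENTROPY_LOW" ]; then
            low=$((low + 1))
        fi
        i=$((i + 1))
        if [ "$i" -lt "$samples" ]; then
            sleep "$interval"
        fi
    done
    if [ "$low" -eq "$samples" ]; then
        echo low      # consistently low: install rng-tools and start rngd
        return 1
    elif [ "$low" -eq 0 ]; then
        echo ok
    else
        echo mixed    # inconclusive: sample again over a longer window
    fi
    return 0
}

# Run the check against the live pool only when asked to.
if [ "${1:-}" = "--check" ]; then
    entropy_state
fi
```

Run the script with --check on each host that runs Navigator Encrypt, Key Trustee Server or Key Trustee KMS; an exit status of 1 means every sample was at or below 500.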
Install rng-tools Using Package Manager
Learn how to install rng-tools using Package Manager.
If version 4 or higher of the rng-tools package is available from the local package manager (yum), then install it directly from the package manager. If the appropriate version of rng-tools is unavailable, see Building rng-tools From Source.
For RHEL 7, run the following commands:
sudo yum install rng-tools
cp /usr/lib/systemd/system/rngd.service /etc/systemd/system/
systemctl daemon-reload
systemctl start rngd
systemctl enable rngd
Building rng-tools From Source
If you are unable to install rng-tools using the package manager, you can build from source.
To install and start rngd and build from source:
- Download the source code:
  sudo wget http://downloads.sourceforge.net/project/gkernel/rng-tools/4/rng-tools-4.tar.gz
- Extract the source code:
  tar xvfz rng-tools-4.tar.gz
- Enter the rng-tools-4 directory:
  cd rng-tools-4
- Run ./configure
- Run make
- Run make install
After installing rng-tools, start the rngd daemon by running the following command as root:
sudo rngd --no-tpm=1 -o /dev/random
For improved performance, Cloudera recommends configuring Navigator Encrypt to read directly from /dev/random instead of /dev/urandom.
To configure Navigator Encrypt to use /dev/random as an entropy source, add --use-random to the navencrypt-prepare command when you are setting up Navigator Encrypt.
Uninstalling and Reinstalling Navigator Encrypt
Learn how to uninstall and reinstall Navigator Encrypt.
Uninstalling Navigator Encrypt
sudo yum remove navencrypt
sudo yum remove navencrypt-kernel-module
These commands remove the software itself. On RHEL-compatible OSes, the /etc/navencrypt directory is not removed as part of the uninstallation. Remove it manually if required.
Reinstalling Navigator Encrypt
After uninstalling Navigator Encrypt, repeat the preceding installation instructions for your distribution.
When Navigator Encrypt is uninstalled, the configuration files and directories located in /etc/navencrypt are not removed. Consequently, you do not need to use the navencrypt register command during reinstallation. If you no longer require the previous installation configuration information in the directory /etc/navencrypt, you can remove its contents.
