Data Encryption Components and Solutions
Cloudera supports four encryption components which may be combined as unique solutions. When selecting a Key Management System (KMS), you must decide which components meet the key management and encryption requirements for your enterprise.
Cloudera Encryption components
Descriptions of Cloudera components for encrypting data at rest follow:
- Ranger Key Management System (KMS)
- Ranger extends the native Hadoop KMS functionality by allowing you to store keys in a secure database or you can use the secure key store like Key Trustee Server. Cryptographic key management service supporting HDFS TDE. Not a general purpose Key Management System, as opposed to Hadoop KMS which stores keys in file based Java Keystore, can be accessed only through KeyProvider API.
- Key Trustee Server (KTS)
- Key Manager that stores and manages cryptographic keys and other security artifacts
- Key HSM
- Allows Ranger Key Trustee Server to seamlessly integrate with the following hardware
security modules (HSM)
- Luna 6 & 7
- CipherTrust
- GCP Cloud HSM
- Azure Key Vault
- Navigator Encrypt
- Transparently encrypts and secures data at rest without requiring changes to your applications
Cloudera Encryption solutions
You can deploy encryption components as any of the following solutions for encrypting data
at rest:
- Ranger KMS Only
-
- Consists of ONLY Ranger KMS with a backend database that provides key storage
- Ranger KMS provides enterprise-grade key management
- Ranger KMS + HSM
-
- Consists of Ranger KMS with database + integration with a backend hardware security module (HSM)
- Ranger KMS provides enterprise-grade key management
- HSM provides encryption zone key protection
- HSM stores only the encryption master key
- Ranger KMS + Key Trustee Server (KTS)
-
- Ranger KMS provides enterprise-grade key management
- KTS provides the key store that stores and manages cryptographic keys and other security artifacts
- Ranger KMS + KTS + Key HSM
- Allows Cloudera Key Trustee Server to seamlessly integrate with a HSM in addition to above items