Cloudera Docs

Data Encryption Components and Solutions

Cloudera supports four encryption components which may be combined as unique solutions. When selecting a Key Management System (KMS), you must decide which components meet the key management and encryption requirements for your enterprise.

Cloudera Encryption components

Descriptions of Cloudera components for encrypting data at rest follow:
Ranger Key Management System (KMS)
Ranger extends the native Hadoop KMS functionality by allowing you to store keys in a secure database or you can use the secure key store like Key Trustee Server. Cryptographic key management service supporting HDFS TDE. Not a general purpose Key Management System, as opposed to Hadoop KMS which stores keys in file based Java Keystore, can be accessed only through KeyProvider API.
Key Trustee Server (KTS)
Key Manager that stores and manages cryptographic keys and other security artifacts
Key HSM
Allows Ranger Key Trustee Server to seamlessly integrate with the following hardware security modules (HSM)
  • Luna 6 & 7
  • CipherTrust
  • GCP Cloud HSM
  • Azure Key Vault
Navigator Encrypt
Transparently encrypts and secures data at rest without requiring changes to your applications

Cloudera Encryption solutions

You can deploy encryption components as any of the following solutions for encrypting data at rest:
Ranger KMS Only
  • Consists of ONLY Ranger KMS with a backend database that provides key storage
  • Ranger KMS provides enterprise-grade key management
Ranger KMS + HSM
  • Consists of Ranger KMS with database + integration with a backend hardware security module (HSM)
  • Ranger KMS provides enterprise-grade key management
  • HSM provides encryption zone key protection
  • HSM stores only the encryption master key
Ranger KMS + Key Trustee Server (KTS)
  • Ranger KMS provides enterprise-grade key management
  • KTS provides the key store that stores and manages cryptographic keys and other security artifacts
Ranger KMS + KTS + Key HSM
Allows Cloudera Key Trustee Server to seamlessly integrate with a HSM in addition to above items