Integrating Components for Encrypting Data at Rest

How to integrate Cloudera Data Encryption components to provide enterprise data encryption solutions.

Ranger Key Management System (KMS)

Consists of Ranger KMS providing enterprise-grade key management, with a backend database that provides key storage.

  1. Install Ranger KMS using CM > Administration > Security > HDFS Encryption Wizard.
  2. Install a separate database to store keys.

    For more information, see related links.

Ranger KMS and HSM

Consists of Ranger KMS and database integrated with a backend hardware security module (HSM). In this solution, Ranger KMS provides enterprise-grade key management and the HSM provides encryption zone key protection. The HSM stores only the encryption master key.

  1. Install Ranger KMS using CM > Administration > Security > HDFS Encryption Wizard.
  2. Install a separate database to store keys.
  3. Obtain and integrate one of the following hardware security modules (HSM) supplied by a vendor.
    • Luna 6 or 7
    • CipherTrust
    • GCP Cloud HSM
    • Azure Key Vault

    For more information, see related links.

Ranger KMS and Key Trustee Server (KTS)

Consists of Ranger KMS providing enterprise-grade key management and the Key Trustee Server key store that stores and manages cryptographic keys and other security artifacts.

  1. Install Ranger KMS backed by KTS using CM > Administration > Security > HDFS Encryption Wizard.

Ranger KMS, KTS, and Key HSM

Consists of Ranger KMS, KTS, and Key HSM, which provides seamless integration of all Cloudera encryption components with an HSM added.

  1. Install Ranger KMS backed by KTS using CM > Administration > Security > HDFS Encryption Wizard.
  2. Obtain and integrate one of the following hardware security modules (HSM) supplied by a vendor.
    • Luna 6 or 7
    • CipherTrust
    • GCP Cloud HSM
    • Azure Key Vault

For more information, see