Configuring data at rest encryption
You can enable data at rest encryption using Cloudera Manager. However, you can enable it only on a fresh installation, and once Kudu directories exist on the cluster the encryption cannot be disabled.
Kudu supports data at rest encryption using the AES-128, AES-192 and AES-256 ciphers in CTR mode.
When data is encrypted at rest, the following keys are used for encryption:
- File Key: the unique key used to encrypt a physical file.
- Server Key: a server's own key, used to encrypt the File Key.
- Cluster Key: a key used to encrypt the Server Key, stored in a third-party Key Management Service (KMS). Kudu supports Apache Ranger KMS and Apache Hadoop KMS; both are API-compatible.
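The three-tier hierarchy above, as an added example in Go using only the standard library (this is not Kudu's or Cloudera's code): the File Key encrypts data in AES-CTR as the page states, and each key is wrapped by the one above it. Assumptions of this example: key wrapping uses AES-GCM (the page does not name the wrapping mode), the KMS call is replaced by a Cluster Key held in memory, and the caller stores the CTR IV beside the ciphertext; none of this describes Kudu's actual on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must panics on setup failures (bad key length, CSPRNG outage); with keys
// generated locally such an error is a programming bug, not bad input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// gcm builds AES-GCM under a 16-, 24- or 32-byte key-encryption key (AES-128, -192
// or -256). GCM for key wrapping is this example's assumption; the page names no mode.
func gcm(kek []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(kek)))) }

// wrapKey seals a lower-tier key under kek with a fresh 12-byte nonce prepended.
func wrapKey(kek, key []byte) []byte {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	return gcm(kek).Seal(nonce, nonce, key, nil)
}

// unwrapKey reverses wrapKey; any change to the blob fails the GCM tag check.
func unwrapKey(kek, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("wrapped key too short")
	}
	return gcm(kek).Open(nil, blob[:12], blob[12:], nil)
}

// ctrFile applies AES-CTR, the data mode the page names, under the File Key; CTR
// is its own inverse, so one call encrypts and decrypts. iv is one AES block.
func ctrFile(fileKey, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(must(aes.NewCipher(fileKey)), iv).XORKeyStream(out, in)
	return out
}

// fileKeyFor walks the hierarchy top-down: the Cluster Key (fetched from the KMS)
// unwraps the Server Key, which unwraps the File Key.
func fileKeyFor(clusterKey, wrappedServerKey, wrappedFileKey []byte) ([]byte, error) {
	serverKey, err := unwrapKey(clusterKey, wrappedServerKey)
	if err != nil {
		return nil, err
	}
	return unwrapKey(serverKey, wrappedFileKey)
}
```

Note that CTR gives confidentiality only: a flipped ciphertext bit flips the same plaintext bit undetected, which is why the wrapping layer here is authenticated even though the data layer is not.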
If Kudu was started before encryption was enabled, all Kudu data directories, WAL directories, and metadata directories (usually the same as the WAL directories) must be deleted. This results in a completely clean slate, so if there is any data in Kudu, back it up using the backup tool before deleting the directories. For more information, see Kudu backup.
If you enabled data at rest encryption on a pre-existing cluster, restore the data you backed up before enabling encryption. For more information, see Kudu recovery.