Securing sensitive information using a Secure Credential Storage Provider (Technical Preview)
You can configure Cloudera Manager to encrypt sensitive information stored in the Cloudera Manager database by configuring a Credential Storage Provider (CSP).
Cloudera Manager stores a variety of sensitive information required for normal operations. Without a CSP, this information is stored in plain text, either in the Cloudera Manager database or on disk. It includes:
- Configuration parameters containing usernames and passwords (except for those needed for Cloudera Manager to access the CSP).
- Kerberos keytabs
You can configure one of the following CSP types:
- None – Sensitive information is not encrypted in the Cloudera Manager database.
- Vault – You can install and configure an external Vault, located on a different host, if desired. Cloudera recommends Vault from HashiCorp.
- Embedded – The credentials are stored on disk on the Cloudera Manager Server host, in a location protected by file permissions. This type is less secure than using a Vault, but is easier to set up and manage.
The following limitations apply to the CSP in this Technical Preview:
- Sensitive information that was written to the database before the CSP is enabled is not encrypted automatically. It is encrypted only when you change it. You can regenerate Kerberos credentials, which are then encrypted. To regenerate the credentials, go to.
- Auto-TLS keys are not encrypted.
- Encryption keys cannot be rotated.
- The CSP Keystore Password, CSP Truststore Password and CM Truststore Password are not encrypted, as they are needed to connect to the CSP.
- After you set the CSP type using the Cloudera Manager Admin Console, you cannot change the Storage Provider type to another type or to None. To change the type, you must first disable the CSP and then configure a new type using the Cloudera Manager Admin Console. See Disabling or changing the Credential Storage Provider (Technical Preview).
- The Cloudera Manager High Availability configuration is currently not supported together with the Cloudera Manager Secure Credential Storage Provider.