Cloudera Docs

Securing sensitive information using a Secure Credential Storage Provider (Technical Preview)

You can configure Cloudera Manager to encrypt sensitive information stored in the Cloudera Manager database by configuring a Credential Storage Provider (CSP).

Cloudera Manager stores a variety of sensitive information required for normal operations. This sensitive information is stored in plain text, either in the Cloudera Manager database or on disk.

You can configure Cloudera Manager to encrypt these sensitive values by configuring a Secure Credential Store that stores an encryption key to encrypt and decrypt sensitive information that are then stored in encrypted form only in the Cloudera Manager database. The following types of sensitive information can be encrypted:
  • Configuration parameters containing usernames and passwords (except for those needed for Cloudera Manager to access the CSP).
  • Kerberos keytabs
You can choose from the following types of Secure Credential Store:
  • None – Sensitive information is not encrypted in the Cloudera Manager database.
  • Vault – You can install and configure an external Vault, located on a different host, if desired. Cloudera recommends Vault from Hashicorp.
  • Embedded – The credentials are stored on disk, on the Cloudera Manager server host that is protected by file permissions. This type is less secure than using a Vault, but is easier to set up and manage.

Known Limitations

There are currently the following limitations:
  • Sensitive information that was written to the database before the CSP is enabled will not be encrypted automatically. If you change any sensitive information, it will be encrypted.

    You can regenerate Kerberos credentials, which will then be encrypted. To regenerate the credentials, go to Administration > Security > Kerberos.

  • Auto-TLS keys are not encrypted.
  • No rotation of encryption keys.
  • The CSP Keystore Password, CSP Truststore Password and CM Truststore Password are not encrypted, as they are needed to connect to the CSP.
  • After you set the CSP type using the Cloudera Manager Admin Console, you cannot change the Storage Provider type to another type or to None. To change the type, you must first disable the CSP and then configure a new type using the Cloudera Manager Admin Console. See Disabling or changing the Credential Storage Provider (Technical Preview).
  • The Cloudera Manager High Availability configuration is currently not supported with the Cloudera Manager Secure Credential Provider.