Data at Rest Encryption Reference Architecture

Deploying Cloudera Navigator for encrypting data at rest

The following diagram illustrates product component functional relationships:



To isolate Key Trustee Server from other CDP services, you must deploy Key Trustee Server on dedicated hosts in a separate cluster in Cloudera Manager. Deploy Ranger KMS on dedicated hosts in the same cluster as the CDP services that require access to Key Trustee Server. This provides the following benefits:

  • You can restart your CDP cluster without restarting Key Trustee Server, avoiding interruption to other clusters or clients that use the same Key Trustee Server instance.
  • You can manage the Key Trustee Server upgrade cycle independently of other cluster components.
  • You can limit access to the Key Trustee Server hosts to authorized key administrators only, reducing the attack surface of the system.
  • Resource contention is reduced. Running Key Trustee Server and Key Trustee KMS services on dedicated hosts prevents other cluster services from reducing available resources (such as CPU and memory) and creating bottlenecks.

If you are using virtual machines for the Key Trustee Server or Key Trustee KMS hosts, see "Resource Planning for Data at Rest Encryption".