Installing Key Trustee Server Using Cloudera Manager

If you are installing Key Trustee Server for use with HDFS Transparent Encryption, the Set up HDFS Data At Rest Encryption wizard installs and configures Key Trustee Server.

  1. (Recommended) Create a new cluster in Cloudera Manager containing only the host that Key Trustee Server will be installed on. Cloudera recommends that each cluster use its own KTS instance. Although sharing a single KTS across clusters is technically possible, it is neither approved nor supported for security reasons—specifically, the increased security risks associated with single point of failure for encryption keys used by multiple clusters. For a better understanding of additional security reasons for this recommendation, see Data at Rest Encryption Reference Architecture.
  2. Download the latest Key Trustee Server parcel from the page. From CDP Private Cloud Base 7.1.6, the KEYTRUSTEE_SERVER parcel is available in the same location in which the Cloudera runtime parcel is placed. If you have configured the parcel repository for CDP Private Cloud Base upgrade, the KEYTRUSTEE_SERVER parcel is displayed automatically.
  3. Follow the steps in Using a Local Parcel Repository to register the local parcel with Cloudera Manager.
  4. On the Key Trustee Server cluster home page, click the More Options (ellipsis) icon, then click Add Service.
  5. Select Key Trustee Server, then click Continue.
  6. Use the Add Key Trustee Server Service wizard to install Key Trustee Server.
  7. Key Trustee Server appears in the cluster components list.
After installing Key Trustee Server using Cloudera Manager, continue to Securing Key Trustee Server Host.