Managing Credential Storage Provider

After you successfully enable Credential Storage Provider (CSP), the following options are available in the Cloudera Manager UI to manage CSP operations.

Minimum Required Role: Full Administrator. This feature is not available when using Cloudera Manager to manage Data Hub clusters.

Update Credential Storage Type

Use this option in the following scenarios:
  • When you want to update your Vault-based CSP to an Embedded CSP
  • When you want to update your Embedded CSP to a Vault-based CSP

Key Rotation

To ensure consistent protection of your sensitive data from internal attacks, Cloudera recommends that you rotate encryption keys periodically (at least once every 4 to 5 years). This option decrypts the sensitive records, encrypts them again with a new encryption key, and uses the new key to encrypt any new records.

Disable Credential Storage

If you are already using a Vault-based CSP and need to switch to a new Vault configuration, you need to disable CSP and enable CSP again with the new Vault configuration. This option decrypts all configurations encrypted through CSP and then disables CSP. By default, this option does not decommission your Vault server. It also does not delete any older encryption keys saved in the CSP.