Securing sensitive information using a Secure Credential Storage Provider
You can set up Cloudera Manager to encrypt sensitive information stored in the Cloudera Manager database by configuring a Credential Storage Provider (CSP).
Cloudera Manager stores a variety of sensitive information that it needs for normal operation. Unless a CSP is configured, this information is stored in plain text, either in the Cloudera Manager database or on disk. It includes:
- Configuration parameters containing usernames and passwords (except for those needed for Cloudera Manager to access the CSP).
- Kerberos keytabs
Two types of CSP are available:
- Embedded – The credentials are stored on disk on the Cloudera Manager Server host and are protected only by file permissions. This type is less secure than using a Vault, but it is easier to set up and manage.
- Vault – You can install and configure an external Vault, on a different host if desired. Cloudera recommends HashiCorp Vault.
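Because the embedded CSP relies entirely on file permissions, the one check worth automating is that the on-disk credential store is a regular file, owned by the account that runs Cloudera Manager Server, with no group or world access bits. The following script is an added example, not code from Cloudera Manager or the CSP itself; the store path and the owner account name it is called with are assumptions, since the page does not state where the embedded store lives.

```python
import os
import pwd
import stat
import tempfile


def audit_private_file(path, expected_owner=None):
    """Return a list of findings for a file that must be readable only by
    its owner (for example the on-disk store of an embedded CSP).

    An empty list means the file passed every check.
    """
    findings = []
    try:
        st = os.lstat(path)          # lstat so a symlink is not followed silently
    except FileNotFoundError:
        return ["%s: does not exist" % path]

    if stat.S_ISLNK(st.st_mode):
        findings.append("%s: is a symbolic link" % path)
    elif not stat.S_ISREG(st.st_mode):
        findings.append("%s: is not a regular file" % path)

    # Any group/other permission bit lets another local account read or
    # replace the credential store, which defeats the embedded CSP.
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s: mode %04o grants group/other access" % (path, mode))

    if expected_owner is not None:
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)
        if owner != expected_owner:
            findings.append("%s: owned by %s, expected %s" % (path, owner, expected_owner))

    return findings


def current_user():
    """Name of the account running this script (used as the expected owner)."""
    return pwd.getpwuid(os.getuid()).pw_name


def demo_temp_file(mode):
    """Create a constructed stand-in for the credential store with the given mode."""
    fd, path = tempfile.mkstemp(prefix="csp-store-")
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Assumed path and service account; adjust to the actual deployment.
    store = os.environ.get("CSP_STORE_PATH", "/var/lib/cloudera-scm-server/csp.jceks")
    owner = os.environ.get("CSP_OWNER", "cloudera-scm")
    problems = audit_private_file(store, expected_owner=owner)
    for line in problems:
        print("FAIL", line)
    if not problems:
        print("OK", store)
```

Run it on the server host as root with `CSP_STORE_PATH` and `CSP_OWNER` set to the real values; a non-empty finding list is the signal that the file-permission boundary the embedded CSP depends on has already been crossed.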
The following limitations apply:
- Sensitive information that was written to the database before the CSP was enabled is not encrypted automatically. A value is encrypted only when it is changed. You can regenerate Kerberos credentials, which are then stored encrypted. To regenerate the credentials, go to.
- Auto-TLS keys are not encrypted.
- The CSP Keystore Password, CSP Truststore Password and CM Truststore Password are not encrypted, because Cloudera Manager needs them in the clear to connect to the CSP in the first place.
- Cloudera Manager High Availability is currently not supported together with the Cloudera Manager Secure Credential Storage Provider.