Securing sensitive information using a Secure Credential Storage Provider

You can set up Cloudera Manager to encrypt sensitive information stored in the Cloudera Manager database by configuring a Credential Storage Provider (CSP).

Cloudera Manager stores a variety of sensitive information required for normal operations. This sensitive information is stored in plain text, either in the Cloudera Manager database or on disk.

You can configure Cloudera Manager to encrypt these sensitive values by configuring a Secure Credential Store. The store holds an encryption key that Cloudera Manager uses to encrypt and decrypt the sensitive information, which is then stored only in encrypted form in the Cloudera Manager database. The following types of sensitive information can be encrypted:
  • Configuration parameters containing usernames and passwords (except for those needed for Cloudera Manager to access the CSP).
  • Kerberos keytabs
You can choose from the following types of CSP:
  • Embedded – The credentials are stored on disk on the Cloudera Manager Server host, protected by file permissions. This type is less secure than using a Vault, but is easier to set up and manage.
  • Vault – You can install and configure an external Vault on a different host, if desired. Cloudera recommends using Vault from HashiCorp.

Known Limitations

There are currently the following limitations:
  • Sensitive information that was written to the database before the CSP is enabled will not be encrypted automatically. If you change any sensitive information, it will be encrypted.

    You can regenerate Kerberos credentials, which will then be encrypted. To regenerate the credentials, go to Administration > Security > Kerberos.

  • Auto-TLS keys are not encrypted.
  • The CSP Keystore Password, CSP Truststore Password and CM Truststore Password are not encrypted, as they are needed to connect to the CSP.
  • The Cloudera Manager High Availability configuration is currently not supported with the Cloudera Manager Secure Credential Provider.