Data at Rest Encryption Reference Architecture

Encrypting Data at Rest - Deploying Ranger KMS with database

The following diagram illustrates product component functional relationships:

The Ranger KMS database is an external database.

For the NavEncrypt to RANGER KMS link, kerberos authentication is mandatory. TLS is highly recommended.

Cloudera Manager supports multiple Ranger KMS instances , scaled horizontally, which provides High Availability.

Encrypting Data at Rest - Deploying Ranger KMS with KTS

To isolate Key Trustee Server from other CDP services, you must deploy Key Trustee Server on dedicated hosts in a separate cluster in Cloudera Manager. Deploy Ranger KMS on dedicated hosts in the same cluster as the CDP services that require access to Key Trustee Server. This provides the following benefits:

  • You can restart your CDP cluster without restarting Key Trustee Server, avoiding interruption to other clusters or clients that use the same Key Trustee Server instance.
  • You can manage the Key Trustee Server upgrade cycle independently of other cluster components.
  • You can limit access to the Key Trustee Server hosts to authorized key administrators only, reducing the attack surface of the system.
  • Resource contention is reduced. Running Key Trustee Server and Ranger KMS services on dedicated hosts prevents other cluster services from reducing available resources (such as CPU and memory) and creating bottlenecks.

If you are using virtual machines for the Key Trustee Server or Ranger KMS hosts, see "Resource Planning for Data at Rest Encryption".