Data at Rest Encryption Requirements
Encryption comprises several components, each with its own requirements.
Overview
Data at rest encryption protection can be applied at a number of levels within Hadoop:
- OS filesystem-level
- Network-level
- HDFS-level (protects both data at rest and in transit)
For more information on the components, concepts, and architecture for encrypting data at rest, see "Encrypting Data at Rest".
Product Compatibility Matrix
See "Product Compatibility Matrix for Cloudera Navigator Encryption" for the individual compatibility matrices for each Cloudera Navigator encryption component.
Entropy Requirements
Cryptographic operations require entropy to ensure randomness. To see how much entropy the kernel currently has available, run:
cat /proc/sys/kernel/random/entropy_avail
The output is the number of bits of entropy currently available. Check it several times to determine the state of the entropy pool on the system. If the entropy is consistently low (500 or less), increase it by installing rng-tools and starting the rngd service:
sudo yum install rng-tools
cp /usr/lib/systemd/system/rngd.service /etc/systemd/system/
systemctl daemon-reload
systemctl start rngd
systemctl enable rngd
Make sure that the hosts running Ranger KMS and Navigator Encrypt have sufficient entropy to perform cryptographic operations.
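The check above is a judgement call made from several readings rather than one. The following script is an added example, not part of the original page or of Cloudera's tooling: it samples the counter a configurable number of times, applies the 500-bit threshold quoted above, and tells you whether rngd is needed. It assumes a Linux host exposing /proc/sys/kernel/random/entropy_avail; the file path, threshold, sample count and interval are parameters so the same functions can be run against a constructed file, and the script name entropy_check.sh is illustrative.

```shell
#!/bin/sh
# entropy_check.sh: sample the kernel entropy counter several times, as the
# text above advises, and decide whether the pool is consistently low.
# Added example, not from the original page. Assumptions: a Linux host with
# /proc/sys/kernel/random/entropy_avail and the 500-bit threshold quoted
# above; file, threshold, sample count and interval are parameters so the
# same functions can be run against a constructed file.

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail
LOW_THRESHOLD=500

# Print COUNT readings of FILE, one per line, INTERVAL seconds apart.
sample_entropy() {
    file=$1; count=$2; interval=$3
    i=0
    while [ "$i" -lt "$count" ]; do
        cat "$file" || return 1
        i=$((i + 1))
        if [ "$i" -lt "$count" ]; then sleep "$interval"; fi
    done
}

# Smallest of the integers given as arguments.
min_of() {
    min=
    for v in "$@"; do
        if [ -z "$min" ] || [ "$v" -lt "$min" ]; then min=$v; fi
    done
    printf '%s\n' "$min"
}

# Exit 0 when every value given is at or below THRESHOLD ("consistently low"),
# 1 as soon as one reading is above it.
samples_are_low() {
    threshold=$1; shift
    for v in "$@"; do
        if [ "$v" -gt "$threshold" ]; then return 1; fi
    done
    return 0
}

# Same decision read straight from FILE; exit 2 when FILE cannot be read.
entropy_is_low() {
    file=$1; threshold=$2; count=${3:-5}; interval=${4:-1}
    samples=$(sample_entropy "$file" "$count" "$interval") || return 2
    samples_are_low "$threshold" $samples
}

# Report the pool state; exit 1 when rngd should be installed and started.
main() {
    count=${1:-5}; interval=${2:-1}
    samples=$(sample_entropy "$ENTROPY_FILE" "$count" "$interval") || {
        echo "cannot read $ENTROPY_FILE (not a Linux host?)" >&2; return 2; }
    echo "entropy_avail samples: $(echo $samples)   minimum: $(min_of $samples)"
    if samples_are_low "$LOW_THRESHOLD" $samples; then
        echo "entropy consistently <= $LOW_THRESHOLD: install rng-tools and enable rngd"
        return 1
    fi
    echo "entropy pool is healthy"
}

# Run the report only when invoked as a script: sh entropy_check.sh [count] [interval]
case "${0##*/}" in entropy_check.sh) main "$@" ;; esac
```

One caveat when reading the result: on upstream kernels from 5.18 onward the reworked random subsystem caps entropy_avail at 256 bits once the pool is initialised, so a steady reading of 256 there is healthy rather than starved. The 500 threshold is meaningful on the older kernels this procedure targets; on a newer kernel, check the kernel version before concluding that rngd is required.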
Ranger KMS Requirements
Recommended Hardware and Supported Distributions
The recommended minimum hardware specifications are as follows:
- Processor: 1 GHz 64-bit quad core
- Memory: 8 GB RAM
- Storage: 20 GB on moderate- to high-performance disk drives
For information on the supported Linux distributions, see "Product Compatibility Matrix for Cloudera Navigator Encryption".
The Ranger KMS workload is CPU-intensive. Cloudera recommends using machines with capabilities equivalent to your NameNode hosts, with Intel CPUs that support AES-NI for optimum performance. Cloudera also strongly recommends that you enable TLS for both the HDFS and the Ranger services, so that key material is never passed in plain text between the KMS and the HDFS clients and NameNode that request it.
Navigator Encrypt Requirements
Operating System Requirements
- For supported Linux distributions, see "Product Compatibility Matrix for Cloudera Navigator Encryption".
Supported command-line interpreters:
- sh (Bourne)
- bash (Bash)
- dash (Debian)
Network Requirements
For new Ranger KMS installations, Navigator Encrypt initiates TCP traffic over port 9494 (HTTPS) to Ranger KMS.
Internet Access
You must have an active connection to the Internet to download many package dependencies, unless you have internal repositories or mirrors containing the dependent packages.
Maintenance Window
Data is not accessible during the encryption process. Plan for system downtime during installation and configuration.
Administrative Access
To enforce a high level of security, all Navigator Encrypt commands require administrative (root) access (including installation and configuration). If you do not have administrative privileges on your server, contact your system administrator before proceeding.
Network Time Protocol (NTP)
The Network Time Protocol (NTP) service synchronizes system time. Cloudera recommends using NTP to ensure that timestamps in system logs, cryptographic signatures, and other auditable events are consistent across systems.
Package Dependencies
Navigator Encrypt requires these packages, which are resolved by your distribution package manager during installation:
- dkms
- keyutils
- openssl
- lsof
- gcc
- cryptsetup
These packages may have other dependencies that are also resolved by your package manager.
Installation works with gcc, gcc3, and gcc4.