Preparing for Encryption Using Cloudera Navigator Encrypt

Before you can encrypt data, you must prepare a storage repository to hold the encrypted data and a mount point through which to access the encrypted data. The storage repository and mount point must exist before encrypting data using the navencrypt-move command.

Data stored and retrieved from the repository is encrypted and decrypted transparently.

Cloudera Navigator Encrypt does not support:

Encrypting a directory that contains or is contained within a mount point for another service (including Navigator Encrypt and NFS). See Encrypting Data for more information.
Encrypting immutable files or directories containing immutable files.
Installation or use in chroot environments, including creating chroot environments within an encrypted directory.
Encrypting HDFS data files.

Navigator Encrypt commands

The following table lists the commands used to encrypt data:

Table 1. Navigator Encrypt Commands
Command	Description
`navencrypt`	Manages, updates, and verifies your data.
`navencrypt-prepare`	Prepares your system for encryption by creating mount-points and specifying storage.
`navencrypt-prepare --undo`	Removes a mountpoint that is no longer in use.
`navencrypt-move`	Encrypts/decrypts your data to/from the encrypted file system.
`navencrypt-profile`	Generates process profile information in JSON format.
`navencrypt-module-setup`	Builds or rebuilds the Navigator Encrypt kernel module.
`navencrypt-gen-keytab`	Generates keytab file used with Ranger KMS.
`navencrypt-convert <devices>` Where `<devices>` refers to a list of block devices under Navigator Encrypt control.	Ensures that the device supplied is eligible to be converted to LUKS 2, and then converts it.

LUKS2 support

LUKS implements a platform-independent standard on-disk format for use in various tools. Version 2 of LUKS supports various features. For details, see the LUKS documentation. Navigator Encrypt defaults to use whichever version of LUKS the platform uses, for example, on RHEL 9 it is LUKS2. To view which drives are using which version of LUKS, execute the following command:

navencrypt-mount status

When upgrading Navigator Encrypt, Navigator Encrypt does nothing to the LUKS version, but supplies a tool, called navencrypt-convert, to upgrade a LUKS1 version to LUKS2 version. This command ensures that the device supplied is eligible to be converted to LUKS2. This command also ensures that Navigator Encrypt is not running, as drives cannot be mounted while being converted.

Usage:: navencrypt-convert <devices>; Where, <devices> refers to a list of block devices under Navigator Encrypt control. Device names should be in the form /dev/sdx, /dev/sdyy, and so on. Loop devices are not supported.

Preparing for encryption

To get an in-depth look at the details behind the navencrypt-prepare command, or to use a unique configuration, use the interactive prompt by executing navencrypt-prepare with no options. This launches an interactive console that guides you through the following operations:

Creating internal encryption keys
Registering internal keys with the Key Manager Service
Registering mount point in /etc/navencrypt/ztab
Mounting current mount point
Establishing encryption method (dm-crypt for devices)

Using the console, you can choose how you want your data stored and accessed. Navigator Encrypt offers block-level encryption with dm-crypt, which protects your data by encrypting the entire device. This enables full disk encryption and is optimized for some system configurations. You can use block-level encryption with logical devices such as a loop device.

See Block-level encryption with dm-crypt for more information.

To prepare for encryption, you must specify a location to store the encrypted data and a mount point through which to access the data. The storage location and mount point must be created before encrypting data.

Block-level encryption with dm-crypt

When choosing block-level encryption in the interactive console, you must specify two parameters:

The first parameter is the block device that you want to store the encrypted file system in. Because this device stores all of the encrypted data, it must be as large as or larger than the target data. The device must exist and be empty. Supported storage devices are:
- Physical block devices (for example, a disk device)
- Virtual block devices (for example, a block device created by LVM)
- Loop devices (see Block-level encryption with a loop device for instructions on creating a loop device)
  important
  If the block device to be used for encryption was previously used by the host, entries for it must be removed from the file /etc/fstab before running the navencrypt-prepare command.
The second parameter is the mount point for the encrypted file system. This is the location where you can access the encrypted data stored in the first parameter. The mount point must already exist. It is not created by the navencrypt-prepare command.

The entire device in the first parameter is used for encrypted data.

After specifying these two parameters and following the interactive console (discussed further in Preparing for encryption), you are ready to encrypt your data.

The syntax for the prepare command is as follows:

sudo navencrypt-prepare <device_name> <mount_point>

When specifying the mount point path, do not use a trailing / in the path names. The mount point directory must exist prior to running the navencrypt-prepare command.

Run the following command after the navencrypt-prepare command completes:

sudo systemctl start navencrypt-mount

The following example shows successful output from a navencrypt-prepare command using dm-crypt for block-level encryption:

$ sudo /usr/sbin/navencrypt-prepare urandom /mnt/dm_encrypted
Type MASTER passphrase:
Encryption Type:  dmCrypt (LUKS)
Cipher:        aes
Key Size:  256
Random Interface: /dev/urandom
Filesystem:    ext4
Verifying MASTER key against Key Manager Service(wait a moment) ... OK
Generation Encryption Keys with /dev/urandom       ... OK
Preparing dmCrypt device (--use-urandom)               ... OK
Creating ext4 filesystem                               ... OK
Registering Encryption Keys (wait a moment)        ... OK
Mounting /dev/sda1                                    ... OK

After you have successfully prepared a client for encryption, you can encrypt and decrypt data using the commands described in Encrypting and Decrypting Data Using Cloudera Navigator Encrypt.

Block-level encryption with a loop device

A block-level encrypted device can be a physical device or a storage space treated as a device.

To configure a loop device, use the dd command to create a storage space:

sudo dd if=/dev/zero of=/dmcrypt/storage bs=1G count=500

The dd command above creates a 500 GB file. Modify the bs and count values to generate the required file size.

After generating the file, run losetup -f to view unused loop devices. Use the available loop device with the navencrypt-prepare -d command, demonstrated below.

Specifically for loop devices, the -d parameter enables Navigator Encrypt to manage the loop device association. You no longer need to use the losetup command to associate the file with the loop device, and the loop device is automatically prepared at boot. For RHEL 7-compatible OS, you must run the following commands to ensure that a loop device is available at boot:

sudo bash -c 'echo "loop" > /etc/modules-load.d/loop.conf'
sudo bash -c 'echo "options loop max_loop=8" > /etc/modprobe.d/loop_options.conf'

The data storage directory name (/dmcrypt/storage in the previous example) must contain only alphanumeric characters, spaces, hyphens (-), or underscores (_). Other special characters are not supported.

The following example shows the output from a successful command:

$ losetup -f
/dev/loop0
$ sudo navencrypt-prepare -d /dmcrypt/storage /dev/loop0 /dmcrypt/mountpoint
Type MASTER passphrase:

Encryption Type:  dmCrypt (LUKS)
Cipher:           aes
Key Size:         256
Random Interface: OpenSSL
Filesystem:       ext4
Options:

Verifying MASTER key against Key Manager Service(wait a moment)   ... OK
Generation Encryption Keys with OpenSSL                   ... OK
Assigning '/dev/loop0'->'/dmcrypt/storage'                ... OK
Preparing dmCrypt device                                  ... OK
Creating ext4 filesystem                                  ... OK
Registering Encryption Keys (wait a moment)               ... OK
Mounting /dev/loop0                                       ... OK

For upgraded Navigator Encrypt clients that already use loop devices, you can enable Navigator Encrypt to manage the loop device file association (instead of configuring the system to run the losetup command at boot) by adding the nav_datastore option to the entry in /etc/navencrypt/ztab. For example:

# <target mount-dir>        <source device>      <type>    <options>
/dmcrypt/mountpoint     /dev/loop0      luks    key=keytrustee,nav_datastore='/dmcrypt/storage'

After you have created the loop device, continue with the instructions in Block-level encryption with dm-crypt.

Pass-through mount options for `navencrypt-prepare`

Navigator Encrypt provides the ability to specify options to pass to the mount command that is executed during /etc/init.d/navencrypt-mount start (systemctl start navencrypt-mount). These options are specified with the -o option when preparing a mountpoint with the navencrypt-prepare command.

The following shows an example navencrypt-prepare command output when passing mount options with the -o option:

$ sudo navencrypt-prepare -o discard,resize /mnt/t2 /mnt/t2
Type MASTER passphrase:

Encryption Type:  dmCrypt (LUKS)
Cipher:           aes
Key Size:         256
Random Interface: OpenSSL
Filesystem:       ext4
Options:          discard,resize

Verifying MASTER key against Key Manager Service(wait a moment)     ... OK
Generation Encryption Keys with OpenSSL                               ... OK
Registering Encryption Keys (wait a moment)                           ... OK
Mounting /mnt/t2                                                      ... OK

You can verify the results by viewing the /etc/navencrypt/ztab file:

$ cat /etc/navencrypt/ztab
/mnt/t2 /mnt/t2 dmcrypt key=keytrustee,cipher=aes,keysize=256,discard,resize

Options can be added or removed to existing mount points prepared with versions of Navigator Encrypt prior to 3.5 by editing the /etc/navencrypt/ztab file and adding the comma-separated options (no spaces) to the end of each line as seen in the previous example above.

To see the mounted file systems and options, run mount:

$ mount
/mnt/t2 on /mnt/t2 type dmcrypt (rw,dmcrypt_sig=6de3db1e87077adb,ecryptfs_unlink_sigs,noauto,\
dmcrypt_cipher=aes,dmcrypt_key_bytes=32,discard,resize)

For a list of available mount options, see the man pages for cryptsetup and dmCrypt respectively.