Upgrade Navigator Encrypt to 7.1.x

How to upgrade Navigator Encrypt from CDH to CDP Private Cloud 7.1.x.

Running Upgrading a Cluster will not upgrade Navigator Encrypt, because Navigator Encrypt is not part of the overall CDH parcel and needs to be upgraded separately. Upgrading NavEncrypt can be done at any point after performing Upgrading Cloudera Manager.

You can upgrade from Navigator Encrypt 3.16-6.2 to 7.1.x. If you are upgrading from an older version of Navigator Encrypt, first upgrade to 3.16+ using Upgrading Cloudera Navigator Encrypt.

Upgrading Navigator Encrypt (RHEL/Centos/Oracle)

  1. Back up the /etc/navencrypt directory before upgrading.

    If you have problems accessing encrypted data after upgrading the OS or kernel, restore /etc/navencrypt from your backup and try again.

  2. Add your internal package repository to Cloudera Manager following the instructions in Configuring a Local Package Repository.
  3. Install the Cloudera Repository:
    1. Add the internal repository you created by following the instructions in Configuring a Local Package Repository (see Configuring Hosts to Use the Internal Repository.)
    2. Import the GPG key by running the following command:
      sudo rpm --import https://archive.cloudera.com/p/navencrypt7/7.1.9.0/redhat9/yum/RPM-GPG-KEY-cloudera
  4. Stop Navigator Encrypt:
    sudo systemctl stop navencrypt-mount
  5. Upgrade Navigator Encrypt client:
    sudo yum update navencrypt
  6. Start Navigator Encrypt:
    sudo systemctl start navencrypt-mount
  7. If using an RSA master key file, then you should change the master key to use OAEP padding:
    # navencrypt key --change --rsa-oaep
    ...
    >> Choose NEW MASTER key type:
     1) Passphrase (single)
     2) Passphrase (dual)
     3) RSA private key
    Select: 3
    Type MASTER RSA key file:
    Type MASTER RSA key passphrase:
    To check the type of padding currently in use:
    # navencrypt key --get-rsa-padding
    Type your Master key
    Type MASTER RSA key file:
    Type MASTER RSA key passphrase:
    
    Verifying Master Key against keytrustee (wait a moment)...
    RSA_PKCS1_OAEP_PADDING

Upgrading Navigator Encrypt (SLES)

  1. Back up the /etc/navencrypt directory before upgrading.

    If you have problems accessing encrypted data after upgrading the OS or kernel, restore /etc/navencrypt from your backup and try again.

  2. Add your internal package repository to Cloudera Manager following the instructions in Configuring a Local Package Repository.
  3. Install the Cloudera Repository:
    1. Add the internal repository you created by following the instructions in Configuring a Local Package Repository (see Configuring Hosts to Use the Internal Repository.)
    2. Import the GPG key by running the following command:
      sudo rpm --import https://archive.cloudera.com/p/navencrypt7/7.1.9.0/redhat9/yum/RPM-GPG-KEY-cloudera
  4. Stop Navigator Encrypt:
    sudo service navencrypt-mount stop
  5. Upgrade the Kernel Module Package (KMP):
    sudo zypper update cloudera-navencryptfs-kmp-kernel_flavor
    Replace kernel_flavor with the kernel flavor for your system. Navigator Encrypt supports the default, xen, and ec2 kernel flavors.
  6. Upgrade Navigator Encrypt client:
    sudo zypper update navencrypt
  7. Enable Unsupported Modules:
    Edit /etc/modprobe.d/unsupported-modules and set allow_unsupported_modules to 1. For example:
    #
    # Every kernel module has a flag 'supported'. If this flag is not set loading
    # this module will taint your kernel. You will not get much help with a kernel
    # problem if your kernel is marked as tainted. In this case you firstly have
    # to avoid loading of unsupported modules.
    #
    # Setting allow_unsupported_modules 1 enables loading of unsupported modules
    # by modprobe, setting allow_unsupported_modules 0 disables it. This can
    # be overridden using the --allow-unsupported-modules command line switch.
    allow_unsupported_modules 1
  8. Start Navigator Encrypt:
    sudo service navencrypt-mount start
  9. If using an RSA master key file, then you should change the master key to use OAEP padding:
    # navencrypt key --change --rsa-oaep
    ...
    >> Choose NEW MASTER key type:
     1) Passphrase (single)
     2) Passphrase (dual)
     3) RSA private key
    Select: 3
    Type MASTER RSA key file:
    Type MASTER RSA key passphrase:
    To check the type of padding currently in use:
    # navencrypt key --get-rsa-padding
    Type your Master key
    Type MASTER RSA key file:
    Type MASTER RSA key passphrase:
    
    Verifying Master Key against keytrustee (wait a moment)...
    RSA_PKCS1_OAEP_PADDING

Upgrading Navigator Encrypt (Ubuntu)

  1. Back up the /etc/navencrypt directory before upgrading.

    If you have problems accessing encrypted data after upgrading the OS or kernel, restore /etc/navencrypt from your backup and try again.

  2. Add your internal package repository to Cloudera Manager following the instructions in Configuring a Local Package Repository.
  3. Install the Cloudera Repository:
    1. Add the internal repository you created by following the instructions in Configuring a Local Package Repository (see Configuring Hosts to Use the Internal Repository.)
    2. Run:
      echo "deb http://repo.example.com/path/to/ubuntu/stable $DISTRIB_CODENAME main" | sudo tee -a /etc/apt/sources.list
    3. Import the GPG key by running the following command:
      wget -O - https://archive.cloudera.com/p/navencrypt7/7.1.9.0/redhat9/yum/RPM-GPG-KEY-cloudera | apt-key add -
    4. Update the repository index:
      apt-get update
  4. Stop Navigator Encrypt:
    sudo service navencrypt-mount stop
  5. Upgrade Navigator Encrypt client:
    sudo apt-get install navencrypt
  6. Start Navigator Encrypt:
    sudo service navencrypt-mount start
  7. If using an RSA master key file, then you should change the master key to use OAEP padding:
    # navencrypt key --change --rsa-oaep
    ...
    >> Choose NEW MASTER key type:
     1) Passphrase (single)
     2) Passphrase (dual)
     3) RSA private key
    Select: 3
    Type MASTER RSA key file:
    Type MASTER RSA key passphrase:
    To check the type of padding currently in use:
    # navencrypt key --get-rsa-padding
    Type your Master key
    Type MASTER RSA key file:
    Type MASTER RSA key passphrase:
    
    Verifying Master Key against keytrustee (wait a moment)...
    RSA_PKCS1_OAEP_PADDING