Upgrade Navigator Encrypt to 7.1.x
How to upgrade Navigator Encrypt from CDH to CDP Private Cloud 7.1.x.
Running Upgrading a Cluster
will not upgrade Navigator Encrypt, because
Navigator Encrypt is not part of the overall CDH parcel and needs to be upgraded
separately. Upgrading NavEncrypt can be done at any point after performing
Upgrading Cloudera Manager
.
You can upgrade from Navigator Encrypt 3.16-6.2 to 7.1.x. If you are upgrading from
an older version of Navigator Encrypt, first upgrade to 3.16+ using Upgrading
Cloudera Navigator Encrypt
.
Upgrading Navigator Encrypt (RHEL/Centos/Oracle)
- Back up the /etc/navencrypt directory before
upgrading.
If you have problems accessing encrypted data after upgrading the OS or kernel, restore /etc/navencrypt from your backup and try again.
- Add your internal package repository to Cloudera Manager following the
instructions in
Configuring a Local Package Repository
. - Install the Cloudera Repository:
- Add the internal repository you created by following the instructions in
Configuring a Local Package Repository
(seeConfiguring Hosts to Use the Internal Repository
.) - Import the GPG key by running the following command:
sudo rpm --import https://archive.cloudera.com/p/navencrypt7/7.1.9.0/redhat9/yum/RPM-GPG-KEY-cloudera
- Add the internal repository you created by following the instructions in
- Stop Navigator
Encrypt:
sudo systemctl stop navencrypt-mount
- Upgrade Navigator Encrypt client:
sudo yum update navencrypt
- Start Navigator
Encrypt:
sudo systemctl start navencrypt-mount
- If using an RSA master key file, then you should change the master key to use
OAEP
padding:
To check the type of padding currently in use:# navencrypt key --change --rsa-oaep ... >> Choose NEW MASTER key type: 1) Passphrase (single) 2) Passphrase (dual) 3) RSA private key Select: 3 Type MASTER RSA key file: Type MASTER RSA key passphrase:
# navencrypt key --get-rsa-padding Type your Master key Type MASTER RSA key file: Type MASTER RSA key passphrase: Verifying Master Key against keytrustee (wait a moment)... RSA_PKCS1_OAEP_PADDING
Upgrading Navigator Encrypt (SLES)
- Back up the /etc/navencrypt directory before
upgrading.
If you have problems accessing encrypted data after upgrading the OS or kernel, restore /etc/navencrypt from your backup and try again.
- Add your internal package repository to Cloudera Manager following the
instructions in
Configuring a Local Package Repository
. - Install the Cloudera Repository:
- Add the internal repository you created by following the
instructions in
Configuring a Local Package Repository
(seeConfiguring Hosts to Use the Internal Repository
.) - Import the GPG key by running the following command:
sudo rpm --import https://archive.cloudera.com/p/navencrypt7/7.1.9.0/redhat9/yum/RPM-GPG-KEY-cloudera
- Add the internal repository you created by following the
instructions in
- Stop Navigator
Encrypt:
sudo service navencrypt-mount stop
- Upgrade the Kernel Module Package
(KMP):
Replace kernel_flavor with the kernel flavor for your system. Navigator Encrypt supports thesudo zypper update cloudera-navencryptfs-kmp-kernel_flavor
default
,xen
, andec2
kernel flavors. - Upgrade Navigator Encrypt client:
sudo zypper update navencrypt
- Enable Unsupported Modules:Edit /etc/modprobe.d/unsupported-modules and set
allow_unsupported_modules
to 1. For example:# # Every kernel module has a flag 'supported'. If this flag is not set loading # this module will taint your kernel. You will not get much help with a kernel # problem if your kernel is marked as tainted. In this case you firstly have # to avoid loading of unsupported modules. # # Setting allow_unsupported_modules 1 enables loading of unsupported modules # by modprobe, setting allow_unsupported_modules 0 disables it. This can # be overridden using the --allow-unsupported-modules command line switch. allow_unsupported_modules 1
- Start Navigator
Encrypt:
sudo service navencrypt-mount start
- If using an RSA master key file, then you should change the master key to
use OAEP
padding:
To check the type of padding currently in use:# navencrypt key --change --rsa-oaep ... >> Choose NEW MASTER key type: 1) Passphrase (single) 2) Passphrase (dual) 3) RSA private key Select: 3 Type MASTER RSA key file: Type MASTER RSA key passphrase:
# navencrypt key --get-rsa-padding Type your Master key Type MASTER RSA key file: Type MASTER RSA key passphrase: Verifying Master Key against keytrustee (wait a moment)... RSA_PKCS1_OAEP_PADDING
Upgrading Navigator Encrypt (Ubuntu)
- Back up the /etc/navencrypt directory before
upgrading.
If you have problems accessing encrypted data after upgrading the OS or kernel, restore /etc/navencrypt from your backup and try again.
- Add your internal package repository to Cloudera Manager following the
instructions in
Configuring a Local Package Repository
. - Install the Cloudera Repository:
- Add the internal repository you created by following the
instructions in
Configuring a Local Package Repository
(seeConfiguring Hosts to Use the Internal Repository
.) - Run:
echo "deb http://repo.example.com/path/to/ubuntu/stable $DISTRIB_CODENAME main" | sudo tee -a /etc/apt/sources.list
- Import the GPG key by running the following command:
wget -O - https://archive.cloudera.com/p/navencrypt7/7.1.9.0/redhat9/yum/RPM-GPG-KEY-cloudera | apt-key add -
- Update the repository index:
apt-get update
- Add the internal repository you created by following the
instructions in
- Stop Navigator
Encrypt:
sudo service navencrypt-mount stop
- Upgrade Navigator Encrypt client:
sudo apt-get install navencrypt
- Start Navigator
Encrypt:
sudo service navencrypt-mount start
- If using an RSA master key file, then you should change the master key to
use OAEP
padding:
To check the type of padding currently in use:# navencrypt key --change --rsa-oaep ... >> Choose NEW MASTER key type: 1) Passphrase (single) 2) Passphrase (dual) 3) RSA private key Select: 3 Type MASTER RSA key file: Type MASTER RSA key passphrase:
# navencrypt key --get-rsa-padding Type your Master key Type MASTER RSA key file: Type MASTER RSA key passphrase: Verifying Master Key against keytrustee (wait a moment)... RSA_PKCS1_OAEP_PADDING