The Cloudera Data Platform (CDP) implements both in-flight and at-rest encryption for data. In-flight encryption is enabled using TLS. In CDP Private Cloud, at-rest encryption is enabled in HDFS through integration with a Key Management Server (KMS) and a Key Trustee Server (KTS). In some cases, a Hardware Security Module (HSM) might be integrated with the KTS to enhance key storage functionality. In CDP Public Cloud, server-side encryption (SSE) is used.
Encryption key access high availability
CDP utilizes the Ranger KMS to manage key requests between a cluster and the keystore. CDP supports using either a Key Trustee Server or database to act as the keystore.
To enable fault tolerant access between the cluster and the keystore, you should enable Ranger KMS in high availability mode. If utilizing a RangerKMS with database as the keystore, you must also implement appropriate database-level high availability to ensure keys are accessible. If utilizing the Ranger KMS with KTS, you must also implement the KTS service as a highly available pair. Implementing Ranger KMS with KTS is the preferred method for configuring HDFS Transparent Data Encryption.
KTS high availability applies to read operations only. If either KTS fails, the client automatically retries fetching keys from the functioning server. New write operations (for example, creating new encryption keys) are not allowed unless both KTS are operational.
Encryption key material is intended to be implemented on a per-cluster basis. Replication of keys across clusters is not supported. When replicating encrypted data between clusters, Replication Manager re-encrypts data in-flight using appropriate keys from the destination cluster.
If utilizing an HSM, ensure that the HSM is implemented in a highly available way. This is dependent upon each HSM manufacturer.
For information about Ranger KMS and KTS, see Configuring Ranger KMS for High Availability and Setting up Key Trustee Server High Availability.
For information about setting up robust data protection, security, and governance for individual clusters, see CDP Security Reference Architecture.
Encryption key backup and recovery
In case of service failure causing keystore corruption, you should regularly back up the keystore. For Ranger KMS with database, you need to back up the underlying keystore database. For Ranger KMS with KTS, you must back up the KTS databases and configuration files. You must also back up client configuration files and keys for KTS clients, such as Navigator Encrypt.