Configuring the Key Management Server (KMS)
Hadoop Key Management Server (KMS) is a cryptographic key management server based on the Hadoop KeyProvider API. It provides a client-side KeyProvider implementation that interacts with the KMS over an HTTP REST API. Both the KMS and its client support HTTP SPNEGO Kerberos authentication and TLS/SSL-secured communication. The KMS is a Java-based web application that runs in a preconfigured Jetty server bundled with the Hadoop distribution.
For instructions on securing the KMS, see Securing the Key Management Server (KMS).
- Java KeyStore KMS - The default Hadoop KMS included in CDP, which uses a file-based Java KeyStore (JKS) as its backing keystore. For parcel-based installations, no additional action is required to install or upgrade the KMS. Cloudera strongly recommends not using Java KeyStore KMS in production environments.
- Key Trustee KMS - A custom KMS that uses Cloudera Navigator Key Trustee Server as its backing keystore instead of the file-based Java KeyStore (JKS) used by the default Hadoop KMS. Cloudera strongly recommends using Key Trustee KMS in production environments to improve the security, durability, and scalability of your cryptographic key management. For more information about the architecture and components involved in encrypting data at rest for production environments, see Encrypting Data at Rest and Data at Rest Reference Architecture. Also, integrating Key Trustee Server with Cloudera Navigator Key HSM provides an additional layer of protection.
- Navigator KMS Services backed by Thales HSM - A custom KMS that uses a supported Thales Hardware Security Module (HSM) as its backing keystore. This KMS service provides the highest level of key isolation to customers who require it.
- Navigator KMS Services backed by Luna HSM - A custom KMS that uses a supported Luna Hardware Security Module (HSM) as its backing keystore. This KMS provides the highest level of key isolation to customers who require it.
Configuring the KMS Using Cloudera Manager
For instructions about configuring the KMS and its clients using the command line for package-based installations, continue reading:
Configuring the KMS Cache Using Cloudera Manager
By default, the KMS caches keys to reduce the number of interactions with the backing key provider. You can disable the cache by setting the hadoop.kms.cache.enable property to false.
The cache is only used by the getCurrentKey(), getKeyVersion() and getMetadata() methods. For getCurrentKey(), entries are cached for a maximum of 30000 milliseconds (30 seconds) regardless of how often the key is accessed, so that a rolled key's previous version is not treated as current for longer than that. For getKeyVersion() and getMetadata(), entries are cached with a default inactivity timeout of 600000 milliseconds (10 minutes). The corresponding properties in kms-site.xml, shown with their default values, are:
<property>
<name>hadoop.kms.cache.enable</name>
<value>true</value>
</property>
<property>
<name>hadoop.kms.cache.timeout.ms</name>
<value>600000</value>
</property>
<property>
<name>hadoop.kms.current.key.cache.timeout.ms</name>
<value>30000</value>
</property>
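As an added example (not Cloudera or Hadoop code), the following Python script parses a kms-site.xml and reports on the cache settings above, and also flags the file-based JKS backing store that the overview says not to use in production. The embedded kms-site.xml is constructed for the example; the property names and default values are the real Hadoop KMS ones, but the policy of warning on anything longer than the Hadoop defaults is this example's own, not a Cloudera recommendation.

```python
"""Lint a Hadoop KMS kms-site.xml for the cache settings discussed above.

Added example, not Cloudera or Hadoop code. The embedded kms-site.xml is
constructed for illustration; the thresholds are this example's own policy.
"""
import xml.etree.ElementTree as ET

# Hadoop KMS defaults for the properties this lint checks (used when the
# property is absent from kms-site.xml).
DEFAULTS = {
    "hadoop.kms.key.provider.uri": "jceks://file@/${user.home}/kms.keystore",
    "hadoop.kms.cache.enable": "true",
    "hadoop.kms.cache.timeout.ms": "600000",             # key-version/metadata inactivity timeout
    "hadoop.kms.current.key.cache.timeout.ms": "30000",  # hard TTL for the current key version
}

# Constructed sample: a development-style config a reviewer might find in place.
SAMPLE_KMS_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hadoop.kms.key.provider.uri</name>
    <value>jceks://file@/var/lib/kms/kms.keystore</value>
  </property>
  <property>
    <name>hadoop.kms.cache.enable</name>
    <value>true</value>
  </property>
  <property>
    <name>hadoop.kms.cache.timeout.ms</name>
    <value>3600000</value>
  </property>
  <property>
    <name>hadoop.kms.current.key.cache.timeout.ms</name>
    <value>300000</value>
  </property>
</configuration>
"""


def parse_kms_site(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style XML config."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def effective(props, name):
    """Value from the file, or the Hadoop default when the property is unset."""
    return props.get(name, DEFAULTS[name])


def lint_kms_cache(props):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []

    # Overview caveat: a file-based Java KeyStore backing store is not for production.
    uri = effective(props, "hadoop.kms.key.provider.uri")
    if uri.startswith("jceks://"):
        findings.append(("WARN", "backing keystore is a file-based Java KeyStore (%s); "
                                 "not recommended for production" % uri))

    if effective(props, "hadoop.kms.cache.enable").lower() != "true":
        # With the cache off the timeouts are irrelevant: every lookup reaches the provider.
        findings.append(("INFO", "KMS key cache disabled; every key lookup hits the key provider"))
        return findings

    try:
        current_ttl = int(effective(props, "hadoop.kms.current.key.cache.timeout.ms"))
        version_ttl = int(effective(props, "hadoop.kms.cache.timeout.ms"))
    except ValueError as exc:
        return findings + [("ERROR", "non-numeric cache timeout: %s" % exc)]

    # The current-key TTL bounds how long a rolled key's previous version can
    # still be handed out as "current" by an instance that cached it.
    if current_ttl > int(DEFAULTS["hadoop.kms.current.key.cache.timeout.ms"]):
        findings.append(("WARN", "hadoop.kms.current.key.cache.timeout.ms=%d exceeds the 30000 ms "
                                 "default; a rolled key may stay 'current' that long" % current_ttl))
    if version_ttl > int(DEFAULTS["hadoop.kms.cache.timeout.ms"]):
        findings.append(("WARN", "hadoop.kms.cache.timeout.ms=%d exceeds the 600000 ms default"
                         % version_ttl))
    return findings


if __name__ == "__main__":
    for severity, message in lint_kms_cache(parse_kms_site(SAMPLE_KMS_SITE)):
        print("%-5s %s" % (severity, message))
```

Run it against a real kms-site.xml by reading the file into parse_kms_site(); on a Cloudera Manager deployment the same properties are set through the KMS safety valve and end up in the generated kms-site.xml under the process directory.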
Configuring the Audit Log Aggregation Interval
Audit logs are generated for the GET_KEY_VERSION, GET_CURRENT_KEY, DECRYPT_EEK, and GENERATE_EEK operations. Entries are aggregated by user, key, and operation for a configurable interval, after which the number of aggregated operations by that user on that key is written to the audit log as a single entry. A longer interval reduces audit log volume, but it also delays when an access becomes visible in the log and coarsens what can be reconstructed afterwards, because individual accesses within the window are recorded only as a count.
To change the interval, set the hadoop.kms.aggregation.delay.ms property to the desired interval in milliseconds (the default is 10000, that is, 10 seconds):
<property>
<name>hadoop.kms.aggregation.delay.ms</name>
<value>10000</value>
</property>
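As an added example (not Cloudera or Hadoop code), the following Python script shows how the aggregated entries described above are consumed in detection: it parses audit lines, totals accesses per user, key and operation, and flags rejected accesses and DECRYPT_EEK bursts. The log lines are constructed for the example, and the line shape (status[op=..., key=..., user=..., accessCount=..., interval=...ms] after a timestamp prefix, with rejected accesses logged individually without the count and interval) is this example's assumption about the simple KMS audit logger format; adjust AUDIT_RE if your deployment's lines differ. The rate threshold is likewise this example's own.

```python
"""Triage aggregated KMS audit log entries for suspicious EEK activity.

Added example, not Cloudera or Hadoop code. The log lines below are
constructed; the line shape is this example's assumption about the simple
KMS audit logger format, so adjust AUDIT_RE if your deployment's differs.
"""
import re
from collections import defaultdict

# Assumed shape of one aggregated audit line (after any log4j prefix):
#   OK[op=DECRYPT_EEK, key=hr_zone, user=alice, accessCount=17, interval=10001ms] <extra>
# Rejected accesses are assumed to be logged individually, without the
# accessCount/interval pair, hence the optional group.
AUDIT_RE = re.compile(
    r"(?P<status>[A-Z]+)\[op=(?P<op>[A-Z_]+), key=(?P<key>[^,\]]+), user=(?P<user>[^,\]]+)"
    r"(?:, accessCount=(?P<count>\d+), interval=(?P<interval>\d+)ms)?\]"
)

# Constructed sample covering two 10 s aggregation windows plus a rejected access.
SAMPLE_LOG = """\
2024-03-01 10:00:10,012 OK[op=GENERATE_EEK, key=hr_zone, user=hdfs, accessCount=42, interval=10003ms]
2024-03-01 10:00:10,015 OK[op=DECRYPT_EEK, key=hr_zone, user=alice, accessCount=17, interval=10001ms]
2024-03-01 10:00:20,020 OK[op=DECRYPT_EEK, key=hr_zone, user=alice, accessCount=21, interval=10002ms]
2024-03-01 10:00:20,031 OK[op=DECRYPT_EEK, key=hr_zone, user=svc_backup, accessCount=9800, interval=10004ms]
2024-03-01 10:00:20,040 OK[op=GET_KEY_VERSION, key=finance_zone, user=bob, accessCount=3, interval=10000ms]
2024-03-01 10:00:21,000 UNAUTHORIZED[op=DECRYPT_EEK, key=finance_zone, user=mallory] User:mallory not allowed to do 'DECRYPT_EEK' on 'finance_zone'
"""


def parse_audit_lines(text):
    """Yield one dict per recognised audit line; unrecognised lines are skipped."""
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        yield {
            "status": m.group("status"),
            "op": m.group("op"),
            "key": m.group("key"),
            "user": m.group("user"),
            # A non-aggregated line records exactly one access.
            "count": int(m.group("count") or 1),
            "interval_ms": int(m.group("interval")) if m.group("interval") else None,
        }


def summarize(records):
    """Total successful accesses per (user, key, op) across all windows."""
    totals = defaultdict(int)
    for r in records:
        if r["status"] == "OK":
            totals[(r["user"], r["key"], r["op"])] += r["count"]
    return dict(totals)


def find_suspicious(records, max_decrypts_per_sec=100.0):
    """Flag rejected accesses and DECRYPT_EEK bursts.

    Because entries are pre-aggregated, a mass decrypt shows up as one line
    with a large accessCount over a short interval rather than as many lines,
    so the rate accessCount / interval is the signal to alert on.
    """
    findings = []
    for r in records:
        if r["status"] != "OK":
            findings.append(("REJECTED", r["user"], r["key"], r["op"], r["count"]))
            continue
        if r["op"] == "DECRYPT_EEK" and r["interval_ms"]:
            rate = r["count"] * 1000.0 / r["interval_ms"]
            if rate > max_decrypts_per_sec:
                findings.append(("DECRYPT_BURST", r["user"], r["key"], r["op"], round(rate, 1)))
    return findings


if __name__ == "__main__":
    records = list(parse_audit_lines(SAMPLE_LOG))
    for finding in find_suspicious(records):
        print(finding)
```

Because the count covers the whole window, the rate is an average: a burst shorter than hadoop.kms.aggregation.delay.ms is smoothed over the full interval, which is one more reason not to make the window large if the audit log feeds detection.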