Installing Cloudera Navigator Encrypt
Learn about installing Navigator Encrypt, setting up TLS certificates on a Navigator Encrypt client, entropy requirements, and uninstalling and reinstalling NavEncrypt.
See Data at Rest Encryption Requirements for more information about encryption and Navigator Encrypt requirements.
Setting Up an Internal Repository
You must create an internal repository to install or upgrade Navigator Encrypt. For instructions on creating internal repositories (including Cloudera Manager, CDH, and Cloudera Navigator encryption components), see Configuring a Local Package Repository.
Installing Navigator Encrypt (RHEL-Compatible)
Learn how to install RHEL-compatible Navigator Encrypt. The steps below show an example of how to install NavEncrypt on a cluster running Red Hat Linux.
Installing Navigator Encrypt (SLES-12)
Learn how to install SLES 12 compatible Navigator Encrypt. The steps below show an example of installing SLES 12 compatible NavEncrypt, assuming the user is root.
Installing Navigator Encrypt (SLES-15)
Learn how to install SLES 15 compatible Navigator Encrypt. The following steps show an example of installing SLES 15 compatible Navigator Encrypt, assuming the user is root.
Installing Navigator Encrypt (Ubuntu)
Learn how to install Ubuntu compatible Navigator Encrypt. The steps below show an example of installing Ubuntu compatible NavEncrypt, assuming the user is root.
Installing for Ranger KMS
If you are using Ranger KMS as your Key Management server, you need to do the following:
Setting Up TLS for Navigator Encrypt Clients
Transport Layer Security (TLS) certificates are used to secure communication with Navigator Encrypt. Cloudera strongly recommends using certificates signed by a trusted Certificate Authority (CA).
[root@navencrypt-1 ~]# systemctl stop navencrypt-mount
Stopping navencrypt directories
* Umounting /dev/nvtest/test1 ... [ OK ]
* Umounting /dev/nvtest/test2 ... [ OK ]
* Unloading module ... [ OK ]
[root@navencrypt-1 ~]# update-ca-trust enable
[root@navencrypt-1 ~]# cp dd-1.lab.usa.company.com.pem /etc/pki/ca-trust/source/anchors/
[root@navencrypt-1 ~]# update-ca-trust
[root@navencrypt-1 ~]# systemctl start navencrypt-mount
Starting navencrypt directories
* Mounting '/dev/nvtest/test1' [ OK ]
* Mounting '/dev/nvtest/test2'
Entropy Requirements
Many cryptographic operations, such as those used with TLS or HDFS encryption, require a sufficient level of system entropy to ensure randomness; likewise, Navigator Encrypt needs a source of random numbers to ensure good performance.
Hence, you need to make sure that the hosts running Navigator Encrypt (as well as Key Trustee Server and Key Trustee KMS) have sufficient entropy to perform cryptographic operations.
You can check the available entropy on a Linux system by running the following command:
cat /proc/sys/kernel/random/entropy_avail
The output displays the entropy currently available. Check the entropy several times to determine the state of the entropy pool on the system. On hosts running a Linux kernel version lower than 5.10.119, if the entropy is consistently low (500 or less), you must increase it by installing rng-tools version 4 or higher and starting the rngd service. On hosts running Linux kernel version 5.10.119 or higher, the entropy value is stable at 256 and no further action is required unless special entropy requirements are in place.
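As an added example (not from the Cloudera documentation), the following POSIX shell script turns the check above into a repeatable procedure: it samples /proc/sys/kernel/random/entropy_avail several times and applies the thresholds stated in the text, reporting that rngd is needed only on a kernel older than 5.10.119 whose readings are consistently at or below 500, and reporting nothing to do on 5.10.119 and later. It goes slightly beyond the text in that it accepts distribution kernel strings with suffixes (such as 3.10.0-1160.el7.x86_64) by comparing only the dotted numeric prefix. The function names version_lt, entropy_verdict and sample_entropy, and the --live flag, are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Cloudera page: check the entropy pool the way
# the text above describes. Function names are assumptions made for this example.

# version_lt A B: succeed (exit 0) when dotted version A is lower than B.
# Only the numeric dotted prefix is compared, so "5.10.119-1.el8" reads as 5.10.119.
version_lt() {
    awk -v a="${1%%[-+]*}" -v b="${2%%[-+]*}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# entropy_verdict KERNEL SAMPLE...: apply the page's thresholds to a set of
# entropy_avail readings and print one of:
#   ok-modern-kernel  kernel >= 5.10.119: pool is fixed at 256, nothing to do
#   install-rngd      older kernel and every sample <= 500 (consistently low)
#   ok                older kernel and at least one sample above 500
entropy_verdict() {
    kernel="$1"; shift
    if ! version_lt "$kernel" "5.10.119"; then
        echo "ok-modern-kernel"
        return 0
    fi
    if [ "$#" -eq 0 ]; then
        echo "no-samples"
        return 1
    fi
    low=1
    for s in "$@"; do
        if [ "$s" -gt 500 ]; then
            low=0
        fi
    done
    if [ "$low" -eq 1 ]; then
        echo "install-rngd"
    else
        echo "ok"
    fi
}

# sample_entropy N: read entropy_avail N times, one second apart, one value per line.
sample_entropy() {
    i=0
    while [ "$i" -lt "$1" ]; do
        cat /proc/sys/kernel/random/entropy_avail
        i=$((i + 1))
        if [ "$i" -lt "$1" ]; then
            sleep 1
        fi
    done
}

# Run with --live on a Navigator Encrypt host to sample the real pool five times
# and print the verdict; without the flag the functions are only defined.
if [ "${1:-}" = "--live" ]; then
    entropy_verdict "$(uname -r)" $(sample_entropy 5)
fi
```

Run it as `sh entropy_check.sh --live` (any file name works) on each host running Navigator Encrypt, Key Trustee Server or Key Trustee KMS; a verdict of install-rngd corresponds to the rng-tools steps that follow.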
Install rng-tools Using the Package Manager
Learn how to install rng-tools using the package manager.
If version 4 or higher of the rng-tools package is available from the local package manager (yum), install it directly from the package manager. If the appropriate version of rng-tools is unavailable, see Building rng-tools From Source.
For RHEL 7, run the following commands:
sudo yum install rng-tools
cp /usr/lib/systemd/system/rngd.service /etc/systemd/system/
systemctl daemon-reload
systemctl start rngd
systemctl enable rngd
Building rng-tools From Source
If you are unable to install rng-tools using the package manager, you can build it from source.
To build rng-tools from source, then install and start rngd:
- Download the source code:
sudo wget http://downloads.sourceforge.net/project/gkernel/rng-tools/4/rng-tools-4.tar.gz
- Extract the source code:
tar xvfz rng-tools-4.tar.gz
- Enter the rng-tools-4 directory:
cd rng-tools-4
- Run ./configure
- Run make
- Run make install
After installing rng-tools, start the rngd daemon by running the following command as root:
sudo rngd --no-tpm=1 -o /dev/random
For improved performance, Cloudera recommends configuring Navigator Encrypt to read directly from /dev/random instead of /dev/urandom.
To configure Navigator Encrypt to use /dev/random as an entropy source, add --use-random to the navencrypt-prepare command when you are setting up Navigator Encrypt.
Uninstalling and Reinstalling Navigator Encrypt
Learn how to uninstall and reinstall Navigator Encrypt.
Uninstalling Navigator Encrypt
sudo yum remove navencrypt
sudo yum remove navencrypt-kernel-module
These commands remove the software itself. On RHEL-compatible OSes, the /etc/navencrypt directory is not removed as part of the uninstallation. Remove it manually if required.
Reinstalling Navigator Encrypt
After uninstalling Navigator Encrypt, repeat the preceding installation instructions for your distribution.
When Navigator Encrypt is uninstalled, the configuration files and directories located in /etc/navencrypt are not removed. Consequently, you do not need to use the navencrypt register command during reinstallation. If you no longer require the previous installation configuration information in the directory /etc/navencrypt, you can remove its contents.