Configuring a Secure Credential Storage Provider for Cloudera Manager (Technical Preview)
You can configure Cloudera Manager to encrypt sensitive information stored in the Cloudera Manager database by configuring a Credential Storage Provider (CSP).
- Sensitive information that was written to the database before the CSP was enabled is not encrypted automatically. It is encrypted only when you change it. You can regenerate Kerberos credentials, which are then stored encrypted. To regenerate the credentials, go to .
- You cannot change the type of Secure Credential Store once you have enabled it.
- Auto-TLS keys are not encrypted.
- Encryption keys are not rotated.
- The CSP Keystore Password, CSP Truststore Password and CM Truststore Password are not encrypted, because they are needed to connect to the CSP in the first place.
Cloudera Manager stores a variety of sensitive information required for normal operations. This sensitive information is stored in plain text, either in the Cloudera Manager database or on disk.
You can configure Cloudera Manager to encrypt these sensitive values by configuring a Secure Credential Store. The store holds the encryption key used to encrypt and decrypt the sensitive information, which is then kept in encrypted form only in the Cloudera Manager database. The following types of sensitive information can be encrypted:
- Configuration parameters containing usernames and passwords (except for those needed for Cloudera Manager to access the CSP).
- Kerberos keytabs
You can choose from the following types of Secure Credential Store:
- None – Sensitive information is not encrypted in the Cloudera Manager database.
- Vault – You can install and configure an external Vault, located on a different host, if desired. Cloudera recommends a Vault from HashiCorp.
- Embedded – The credentials are stored on disk on the Cloudera Manager Server host, protected by file permissions. This type is less secure than using a Vault, but is easier to set up and manage.
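The model below is an added illustration, not Cloudera's code, and the page does not document the actual cipher or storage format; it shows the two points that matter for a reviewer: values are encrypted with a key that lives outside the database, and rows written before the store was enabled stay in plaintext until they are rewritten, which the `plaintext_remaining` audit helper surfaces. The HMAC-based stream cipher is a toy chosen only to keep the example standard-library-only; the `ConfigDb` class and `enc:v1:` marker are constructed for this example.

```python
import hashlib
import hmac
import os

ENC_PREFIX = "enc:v1:"  # constructed marker distinguishing encrypted rows from legacy plaintext


def _keystream(key, nonce, length):
    """HMAC-SHA256 counter keystream: a toy construction to stay stdlib-only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_value(key, plaintext):
    """Encrypt-then-MAC a configuration value with the key held by the credential store."""
    nonce, data = os.urandom(12), plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return ENC_PREFIX + (nonce + ct + tag).hex()


def decrypt_value(key, stored):
    """Return the plaintext; rows written before the store existed pass through unchanged."""
    if not stored.startswith(ENC_PREFIX):
        return stored
    raw = bytes.fromhex(stored[len(ENC_PREFIX):])
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored value failed its integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


class ConfigDb:
    """Constructed stand-in for the configuration table (name -> stored value)."""
    def __init__(self, rows, key=None):
        self.rows = dict(rows)
        self.key = key  # None models the 'None' store type: nothing is encrypted

    def set(self, name, value):
        # Only writes made while a key is present are encrypted; older rows are untouched.
        self.rows[name] = encrypt_value(self.key, value) if self.key else value

    def get(self, name):
        return decrypt_value(self.key, self.rows[name]) if self.key else self.rows[name]

    def plaintext_remaining(self):
        """Audit helper: names whose stored value is still in plaintext form."""
        return sorted(n for n, v in self.rows.items() if not v.startswith(ENC_PREFIX))
```

Running the audit after enabling the store lists every value that still needs to be changed or regenerated before it is protected.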