Encrypting and Decrypting Data Using Cloudera Navigator Encrypt
After the encrypted file system is created and initialized, it is ready
to hold data. All encryption and decryption functionality is performed
with a single command: navencrypt-move.
Do not manually create directories or files under a Cloudera Navigator
Encrypt mount point; use only the navencrypt-move command
to encrypt and decrypt data. See Preparing for Encryption Using Cloudera Navigator Encrypt for more
information about mount points.
After encrypting a file or directory, all data written and read through
the mount point is transparently encrypted and decrypted.
Before You Begin🔗
Navigator Encrypt does not support encrypting data in certain
environments, including the following:
Do not attempt to encrypt a directory that contains or is
contained within a mount point for another service (including
Navigator Encrypt and NFS). For example:
If your encryption mount point is
/var/lib/navencrypt/mount, do not attempt to
encrypt /var, /var/lib,
/var/lib/navencrypt,
/var/lib/navencrypt/mount, or anything under
/var/lib/navencrypt/mount/.
If you have mounted an NFS file system at /mnt/home, do not attempt
to encrypt /mnt, /mnt/home, or anything under
/mnt/home.
Do not attempt to encrypt immutable files or directories containing
immutable files.
Do not use Navigator Encrypt within a chroot
environment, or create a chroot environment within an
encrypted directory.
If your Key Trustee Server is managed by Cloudera Manager, do
not encrypt the Cloudera Manager database with Navigator
Encrypt; doing so prevents Cloudera Manager from starting.
Encrypting Data🔗
Do not manually create directories or files under a Navigator Encrypt
mount point; use only the navencrypt-move command to
encrypt data.
Here is an example command to encrypt data, with an explanation for
each option:
Main command interface for all actions that require moving
data either to or from the encrypted file system. For more
information see the navencrypt-moveman page (man
navencrypt-move).
encrypt
Identifies the cryptographic operation, in this case,
encrypting data. The decrypt option is
described later in Decrypting Data.
@<category>
The access category that is applied to the data being
encrypted. Encrypted data is protected by process-based access controls that restrict access to
only the processes that you allow. You can use any naming
convention you want (the @ symbol is required),
but Cloudera recommends keeping it simple and memorable. For
example, you can use a name referencing the data type being
encrypted, such as @mysql for a MySQL
deployment. See Listing Categories
for instructions on viewing existing categories.
<directory_or_file_to_encrypt>
The data that you want to encrypt. This can be a single
file or an entire directory. Navigator Encrypt starts after the
system boots, so do not encrypt required system files and
directories (such as the root partition, /var,
and so on). Some examples of recommended data directories to
encrypt are /var/lib/mysql/data,
/db/data, and so on.
<encrypted_mount_point>
Where you want to store the data. This is the path to the
mount point specified during the navencrypt-prepare command.
When a file is encrypted, a symbolic link (symlink) is created which points to a mount
point @<category> directory. The navencrypt-move
command moves all specified data to the encrypted file system and replaces it with a symlink
to the mount point for that encrypted file system.
Encrypting a directory is similar to encrypting a file. The following
command encrypts a
directory:
In this command, a directory is specified instead of a file name, and a symlink is created
for that particular directory. To see the effects of this command,
run:
ls -l <directory_to_encrypt>du -h <encrypted_storage_directory>
The output demonstrates the new file system layout. Everything that was in the target
directory is now securely stored in the encrypted file system.
Decrypting Data🔗
The decryption command requires only the path to the original data,
which is now a symbolic link, as an argument. The following example
demonstrates how to decrypt a file using the
navencrypt-move command: