Configuring encryption for EBS volumes of Cloudera Data Hub clusters on AWS

You can configure encryption for Amazon Elastic Block Store (EBS) volumes used by the Cloudera Data Hub cluster's VM instances to store data.

Amazon offers the option to encrypt EBS volumes and RDS instances using the default key from Amazon's Key Management System (KMS) or using an external customer-managed KMS (CMK). By default, Cloudera Data Hub clusters use the same default key from Amazon’s KMS or CMK as the parent environment but you have an option to pass a different CMK during Cloudera Data Hub cluster creation.

Encryption is configured for block devices and root devices. When encryption is configured for a given cluster, it is automatically applied to all the disk devices of any new VM instances added as a result of cluster scaling or repair.

Environment and Cloudera Data Hub encryption options

To learn about encryption options that Cloudera offers for Data Lake, FreeIPA, and Cloudera Data Hub clusters, refer to Environment and Cloudera Data Hub encryption options.

AWS prerequisites for using a CMK

You can use your existing AWS CMK or create a new AWS CMK. For detailed requirements, refer to AWS Requirements: Customer managed encryption keys.

Create a Cloudera Data Hub cluster with encrypted EBS volumes

EBS encryption can be configured for a Cloudera Data Hub cluster on the Hardware and Storage page of the advanced create cluster wizard in the Cloudera web interface.

Note the following:
  • If you previously configured encryption on environment level, the CMK that was provided will be used by default for all Cloudera Data Hub clusters running in that environment. You can overwrite it for a specific Cloudera Data Hub by providing another CMK during Cloudera Data Hub cluster creation. If no CMK was provided during environment registration, a default key from Amazon’s KMS is used by default to encrypt Cloudera Data Hub clusters running in this environment. See Adding a customer managed encryption key to a Cloudera environment running on AWS.
  • During Cloudera Data Hub cluster creation, you can specify an encryption key Customer Managed Key (CMK).
  • The Encryption configuration option is available per Cloudera Data Hub host group. The default setting is Encryption: Not encrypted. To enable encryption, perform the following steps in the create cluster wizard for all host groups for which you would like to use encryption.
  1. Under Instance Type you can see Encryption Supported next to all instance types for which encryption is supported. Ensure that encryption is supported for the instance type that you would like to use.
  2. Click on the icon next to the chosen host group.
  3. Enable the Enable Customer-Managed Keys toggle button.
  4. Under Select Encryption key, select the CMK that you would like to use.
Once the cluster is running, you can confirm that encryption is enabled by navigating to the details of the block devices or root devices in the EC2 console on AWS. The device should be marked as “Encrypted” and the “KMS Key ARN” is listed.