Preparing for Encryption Using Cloudera Navigator Encrypt
Before you can encrypt data, you must prepare a storage repository to hold the encrypted data and a mount point through which to access the encrypted data. The storage repository and mount point must exist before encrypting data using the navencrypt-move command.
Data stored and retrieved from the repository is encrypted and decrypted transparently.
- Encrypting a directory that contains or is contained within a mount point for another service (including Navigator Encrypt and NFS). See Encrypting Data for more information.
- Encrypting immutable files or directories containing immutable files.
- Installation or use in chroot environments, including creating chroot environments within an encrypted directory.
- Encrypting HDFS data files.
Navigator Encrypt Commands
|navencrypt||Manage, update, and verify your data.|
|navencrypt-prepare||Prepare your system for encryption by creating mount-points and specifying storage.|
|navencrypt-prepare --undo||Remove a mountpoint that is no longer in use.|
|navencrypt-move||Encrypt/decrypt your data to/from the encrypted filesystem.|
|navencrypt-profile||Generate process profile information in JSON format.|
|navencrypt-module-setup||Build or rebuild the Navigator Encrypt kernel module.|
Preparing for Encryption
- Creating internal encryption keys
- Registering internal keys in Navigator Key Trustee
- Registering mount point in /etc/navencrypt/ztab
- Mounting current mount point
- Establishing encryption method (dm-crypt for devices, ecryptfs for directories)
- Block-level encryption with dm-crypt: Protect your data by encrypting the entire device. This option enables full disk encryption and is optimized for some system configurations. Block-level encryption can be used with logical devices such as a loop device.
- File-level encryption with ecryptfs: Protect your data by mounting an encrypted filesystem on top of an existing one. Enables transparent access to encrypted data without modifying your storage.
In the following example, we will use the directory /navencrypt/encrypted-storage for the encrypted storage and /navencrypt/mount-point for the mount point. If you have specific space/partition requirements, you can select a different directory, although Cloudera highly recommends that you place the encrypted directory on the same partition as the data you are planning to encrypt.
$ sudo navencrypt-prepare <data_storage_directory> <mount_point>
When specifying the storage path and the mount point path, do not use a trailing / in the path names. Both directories must exist prior to running the navencrypt-prepare command. They are not automatically created.
$ sudo mkdir -p /navencrypt/encrypted-storage /navencrypt/mount-point $ sudo navencrypt-prepare /navencrypt/encrypted-storage /navencrypt/mount-point
$ sudo systemctl start navencrypt-mount
To demonstrate the difference between the two directories, this example uses different directories for the encrypted storage and the mount point. It is also possible to store and access the data using the same directory.
To see the effects of these commands, run df -h. This command displays the partition information about your system. You should see an ecryptfs partition located at /navencrypt/encrypted-storage, and mounted at /navencrypt/mount-point.
After you have successfully prepared a client for encryption, you can encrypt and decrypt data using the commands described in Encrypting and Decrypting Data Using Cloudera Navigator Encrypt.
Navigator Encrypt and Device UUIDs
Navigator Encrypt has always prepared and identified devices simply using a device name, such as /dev/sdb1 or /dev/loop0. However, we know that using a device name or label could lead to a conflict and impact system operations.
Navigator Encrypt also supports preparing devices using a UUID, in addition to device name. This UUID is simply a symbolic link to the actual device, and is created when preparing a device with Navigator Encrypt during a navencrypt-prepare operation.
The advantage of using a device UUID is that if a device’s name changes, the UUID associated with that device does not change. To ensure that Navigator Encrypt recognizes devices even when the device name changes, enter the command:
navencrypt-prepare --use-uuid /dev/sda1 /mountpoint
navencrypt-prepare --undo-force /dev/disk/by-uuid/3a602a15-11f7-46ac-ae98-0a51e1b25cf9 navencrypt-prepare --undo /dev/disk/by-uuid/3a602a15-11f7-46ac-ae98-0a51e1b25cf9
Block-Level Encryption with dm-crypt
- The first parameter is the block device that you want to store the encrypted file system in. Because this device stores all of the encrypted data, it must be as large as or larger than the target data. The device must exist and be empty. Supported storage devices are:
- The second parameter is the mount point for the encrypted file system. This is the location where you can access the encrypted data stored in the first parameter. The mount point must already exist. It is not created by the navencrypt-prepare command.
The entire device in the first parameter is used for encrypted data.
$ sudo /usr/sbin/navencrypt-prepare /dev/sda1 /mnt/dm_encrypted Type MASTER passphrase: Encryption Type: dmCrypt (LUKS) Cipher: aes Key Size: 256 Random Interface: /dev/urandom Filesystem: ext4 Verifying MASTER key against Navigator Key Trustee (wait a moment) ... OK Generation Encryption Keys with /dev/urandom ... OK Preparing dmCrypt device (--use-urandom) ... OK Creating ext4 filesystem ... OK Registering Encryption Keys (wait a moment) ... OK Mounting /dev/sda1 ... OK
Block-Level Encryption with a Loop Device
A block-level encrypted device can be a physical device or a storage space treated as a device. See Migrating eCryptfs-Encrypted Data to dm-crypt for instructions on migrating data encrypted using eCryptfs to use dm-crypt with a loop device.
$ sudo dd if=/dev/zero of=/dmcrypt/storage bs=1G count=500
The dd command above creates a 500 GB file. Modify the bs and count values to generate the required file size.
After generating the file, run losetup -f to view unused loop devices. Use the available loop device with the navencrypt-prepare -d command, demonstrated below.
$ sudo bash -c 'echo "loop" > /etc/modules-load.d/loop.conf' $ sudo bash -c 'echo "options loop max_loop=8" > /etc/modprobe.d/loop_options.conf'
The data storage directory name (/dmcrypt/storage in the previous example) must contain only alphanumeric characters, spaces, hyphens (-), or underscores (_). Other special characters are not supported.
$ losetup -f /dev/loop0 $ sudo navencrypt-prepare -d /dmcrypt/storage /dev/loop0 /dmcrypt/mountpoint Type MASTER passphrase: Encryption Type: dmCrypt (LUKS) Cipher: aes Key Size: 256 Random Interface: OpenSSL Filesystem: ext4 Options: Verifying MASTER key against KeyTrustee (wait a moment) ... OK Generation Encryption Keys with OpenSSL ... OK Assigning '/dev/loop0'->'/dmcrypt/storage' ... OK Preparing dmCrypt device ... OK Creating ext4 filesystem ... OK Registering Encryption Keys (wait a moment) ... OK Mounting /dev/loop0 ... OK
# <target mount-dir> <source device> <type> <options> /dmcrypt/mountpoint /dev/loop0 luks key=keytrustee,nav_datastore='/dmcrypt/storage'
After you have created the loop device, continue with the instructions in Block-Level Encryption with dm-crypt.
Filesystem-Level Encryption with eCryptfs
- The first parameter is the storage directory you want to store the encrypted file system in. Because this directory will hold all of the encrypted data, it must be as large as or larger than the target data.
- The second parameter is the mount point for the encrypted file system. This is the location where you can access the encrypted data stored in the location identified by the first parameter.
While the data is technically stored at the location identified by the first parameter, you can only access the data from the mount point identified by the second parameter. Consider this when choosing where to mount your data.
After choosing these two parameters and following the interactive console (discussed further in Preparing for Encryption), you are ready to encrypt your data.
Navigator Encrypt 3.5 and higher supports a new command option, navencrypt-prepare --undo. This command reverses the operations from the regular navencrypt-prepare command by removing the device from Navigator Encrypt control and removing registered encryption keys.
$ sudo navencrypt-prepare /path/to/storage /path/to/mountpoint Type MASTER passphrase: Encryption Type: eCryptfs Cipher: aes Key Size: 256 Random Interface: OpenSSL Filesystem: ext4 Options: Verifying MASTER key against Navigator Key Trustee (wait a moment) ... OK Generation Encryption Keys with OpenSSL ... OK Registering Encryption Keys (wait a moment) ... OK Mounting /path/to/mountpoint ... OK $ sudo navencrypt-prepare --undo /path/to/storage Type MASTER passphrase: Verifying MASTER key against Navigator Key Trustee (wait a moment) ... OK Umounting /path/to/mountpoint ... OK
Pass-through Mount Options for navencrypt-prepare
Navigator Encrypt 3.5 and higher provides the ability to specify options to pass to the mount command that is executed during /etc/init.d/navencrypt-mount start (systemctl start navencrypt-mount on RHEL 7). These options are specified with the -o option when preparing a mountpoint with the navencrypt-prepare command.
$ sudo navencrypt-prepare -o discard,resize /mnt/t2 /mnt/t2 Type MASTER passphrase: Encryption Type: eCryptfs Cipher: aes Key Size: 256 Random Interface: OpenSSL Filesystem: ext4 Options: discard,resize Verifying MASTER key against Navigator Key Trustee(wait a moment) ... OK Generation Encryption Keys with OpenSSL ... OK Registering Encryption Keys (wait a moment) ... OK Mounting /mnt/t2 ... OK
$ cat /etc/navencrypt/ztab /mnt/t2 /mnt/t2 ecryptfs key=keytrustee,cipher=aes,keysize=256,discard,resize
Options can be added or removed to existing mount points prepared with versions of Navigator Encrypt prior to 3.5 by editing the /etc/navencrypt/ztab file and adding the comma-separated options (no spaces) to the end of each line as seen in the previous example above.
$ mount /mnt/t2 on /mnt/t2 type ecryptfs (rw,ecryptfs_sig=6de3db1e87077adb,ecryptfs_unlink_sigs,noauto,\ ecryptfs_cipher=aes,ecryptfs_key_bytes=32,discard,resize)
Pass-through mount options work for both dm-crypt and eCryptfs. For a list of available mount options, see the man pages for cryptsetup and ecryptfs respectively.