Cloudera Navigator Data Encryption Overview

Cloudera Navigator includes a turnkey encryption and key management solution for data at rest, whether data is stored in HDFS or on the local Linux filesystem. Cloudera Navigator data encryption comprises the following components:
  • Cloudera Navigator Key Trustee Server

    Key Trustee Server is an enterprise-grade virtual safe-deposit box that stores and manages cryptographic keys. With Key Trustee Server, encryption keys are separated from the encrypted data, ensuring that sensitive data is protected in the event that unauthorized users gain access to the storage media.

  • Cloudera Navigator Key HSM

    Key HSM is a service that allows Key Trustee Server to integrate with a hardware security module (HSM). Key HSM enables Key Trustee Server to use an HSM as the root of trust for cryptographic keys, taking advantage of Key Trustee Server’s policy-based key and security asset management capabilities while satisfying existing internal security requirements regarding treatment of cryptographic materials.

  • Cloudera Navigator Encrypt

    Navigator Encrypt is a client-side service that transparently encrypts data at rest without requiring changes to your applications and with minimal performance lag in the encryption or decryption process. Advanced key management with Key Trustee Server and process-based access controls in Navigator Encrypt enable organizations to meet compliance regulations and ensure unauthorized parties or malicious actors never gain access to encrypted data.

  • Key Trustee KMS

    For HDFS Transparent Encryption, Cloudera provides Key Trustee KMS, a customized key management server (KMS) that uses Key Trustee Server for robust and scalable encryption key storage and management instead of the file-based Java KeyStore used by the default Hadoop KMS.

  • Cloudera Navigator HSM KMS

    Also for HDFS Transparent Encryption, Navigator HSM KMS provides a customized key management server (KMS) that uses third-party HSMs to provide the highest level of key isolation, storing key material on the HSM. When using the Navigator HSM KMS, encryption zone key material originates on the HSM and never leaves the HSM. While Navigator HSM KMS allows for the highest level of key isolation, it also requires some overhead for network calls to the HSM for key generation, encryption and decryption operations.

  • Cloudera Navigator HSM KMS Services and HA

    Navigator HSM KMSs running on a single node fulfill the functional needs of users, but do not provide the non-functional qualities of service necessary for production deployment (primarily key data high availability and key data durability). You can achieve high availability (HA) of key material through the HA mechanisms of the backing HSM. However, metadata cannot be stored on the HSM directly, so the HSM KMS provides for high availability of key metadata via a built-in replication mechanism between the metadata stores of each KMS role instance. This release supports a two-node topology for high availability. When deployed using this topology, there is a durability guarantee enforced for key creation and roll such that a key create or roll operation will fail if it cannot be successfully replicated between the two nodes.

Cloudera Navigator data encryption provides:
  • High-performance transparent data encryption for files, databases, and applications running on Linux
  • Separation of cryptographic keys from encrypted data
  • Centralized management of cryptographic keys
  • Integration with hardware security modules (HSMs) from Thales and SafeNet
  • Support for Intel AES-NI cryptographic accelerator for enhanced performance in the encryption and decryption process
  • Process-Based Access Controls
Cloudera Navigator data encryption can be deployed to protect different assets, including (but not limited to):
  • Databases
  • Log files
  • Temporary files
  • Spill files
  • HDFS data
For planning and deployment purposes, this can be simplified to two types of data that Cloudera Navigator data encryption can secure:
  1. HDFS data
  2. Local filesystem data
The following table outlines some common use cases and identifies the services required.
Encrypting Data at Rest
Data Type Data Location Key Management Additional Services Required
HDFS HDFS Key Trustee Server Key Trustee KMS
Metadata databases, including:
  • Hive Metastore
  • Cloudera Manager
  • Cloudera Navigator Data Management
  • Sentry
Local filesystem Key Trustee Server Navigator Encrypt
Temp/spill files for CDH components with native encryption:
  • Impala
  • YARN
  • MapReduce
  • Flume
  • HBase
  • Accumulo
Local filesystem N/A (temporary keys are stored in memory only) None (enable native temp/spill encryption for each component)
Temp/spill files for CDH components without native encryption:
  • Kafka
  • Sqoop2
  • HiveServer2
Local filesystem Key Trustee Server Navigator Encrypt
Log files Local filesystem Key Trustee Server Navigator Encrypt

Log Redaction

For instructions on using Navigator Encrypt to secure local filesystem data, see Cloudera Navigator Encrypt.

Cloudera Navigator Data Encryption Architecture

The following diagram illustrates how the Cloudera Navigator data encryption components interact with each other:

Key Trustee clients include Navigator Encrypt and Key Trustee KMS. Encryption keys are created by the client and stored in Key Trustee Server.

Cloudera Navigator Data Encryption Integration with an EDH

The following diagram illustrates how the Cloudera Navigator data encryption components integrate with an Enterprise Data Hub (EDH):

For more details on the individual components of Cloudera Navigator data encryption, continue reading: