Resource Planning for Data at Rest Encryption

For production environments, you must configure high availability for:

  • Key Trustee Server
  • Key Trustee KMS
  • Navigator HSM KMS

Key Trustee Server and Key Trustee KMS HA Planning

For high availability, you must provision two dedicated Key Trustee Server hosts and at least two dedicated Key Trustee KMS hosts, for a minimum of four separate hosts. Do not run multiple Key Trustee Server or Key Trustee KMS services on the same physical host, and do not run these services on hosts with other cluster services. Doing so causes resource contention with other important cluster services and defeats the purpose of high availability. See Data at Rest Encryption Reference Architecture for more information.

The Key Trustee KMS workload is CPU intensive. Cloudera recommends using machines with capabilities equivalent to your NameNode hosts, with Intel CPUs that support AES-NI for optimum performance.

Make sure that each host is secured and audited. Only authorized key administrators should have access to them. Red Hat provides security guides for RHEL.

For hardware sizing information, see Data at Rest Encryption Requirements for recommendations for each Cloudera Navigator encryption component.

For Cloudera Manager deployments, deploy Key Trustee Server in its own dedicated cluster. Deploy Key Trustee KMS in each cluster that uses Key Trustee Server. See Data at Rest Encryption Reference Architecture for more information.

For information about enabling Key Trustee Server high availability, refer to Configuring Key Trustee Server High Availability Using Cloudera Manager or Configuring Key Trustee Server High Availability Using the Command Line.

For information about enabling Key Trustee KMS high availability, refer to Enabling Key Trustee KMS High Availability.

Navigator HSM KMS HA Planning

For Navigator HSM KMS high availability, you need to provision only two dedicated HSM KMS hosts.

Make sure that each host is secured and audited. Only authorized key administrators should have access to them. Red Hat provides security guides for RHEL.

For hardware sizing information, see Data at Rest Encryption Requirements for recommendations for each Cloudera Navigator encryption component.

For information about enabling HSM KMS high availability, refer to Enabling Navigator HSM KMS High Availability.

Virtual Machine Considerations

If you are using virtual machines, make sure that the resources (such as virtual disks, CPU, and memory) for each Key Trustee Server and Key Trustee KMS host are allocated to separate physical hosts. Hosting multiple services on the same physical host defeats the purpose of high availability, because a single machine failure can take down multiple services.

To maintain the security of the cryptographic keys, make sure that all copies of the virtual disk (including any back-end storage arrays, backups, snapshots, and so on) are secured and audited with the same standards you apply to the live data.
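The placement rules above (dedicated hosts, at least two instances of each service, and separate physical machines when the hosts are virtual) can be checked against a planned layout before anything is deployed. The following Python is an added example, not code from the Cloudera documentation; the service names, the `hosts` dictionary format and the VM-to-hypervisor `physical` mapping are assumptions made for the example.

```python
from collections import defaultdict

# Minimum instance count per encryption service when HA is required (from the text above).
HA_MINIMUM = {"KeyTrusteeServer": 2, "KeyTrusteeKMS": 2, "NavigatorHSMKMS": 2}


def validate_layout(hosts, physical=None, hsm_in_use=False):
    """Check a planned host layout against the HA placement rules.

    hosts:     {hostname: [service, ...]} for every host in the plan (assumed format)
    physical:  {hostname: physical_machine} for VMs; a host missing here is
               treated as its own physical machine
    Returns a list of violations; an empty list means the layout is acceptable.
    """
    physical = physical or {}
    problems = []
    placed = defaultdict(list)      # service -> hostnames running it
    by_machine = defaultdict(list)  # physical machine -> encryption instances on it
    for host, services in hosts.items():
        enc = [s for s in services if s in HA_MINIMUM]
        other = [s for s in services if s not in HA_MINIMUM]
        if enc and other:  # encryption hosts must be dedicated: no other cluster services
            problems.append(f"{host}: {enc} co-located with {other}")
        for s in enc:
            placed[s].append(host)
            by_machine[physical.get(host, host)].append(f"{s}@{host}")
    # Every encryption service instance needs its own physical machine,
    # otherwise one machine failure takes down more than one service.
    for machine, instances in by_machine.items():
        if len(instances) > 1:
            problems.append(f"{machine}: shares a physical host between {instances}")
    required = dict(HA_MINIMUM)
    if not hsm_in_use:
        del required["NavigatorHSMKMS"]
    for service, minimum in required.items():
        if len(placed[service]) < minimum:
            problems.append(f"{service}: {len(placed[service])} host(s), HA needs {minimum}")
    return problems


if __name__ == "__main__":
    # Constructed plan: four VMs, but both Key Trustee Servers sit on hypervisor hv-a
    # and one KMS VM also runs a DataNode.
    plan = {"kts1": ["KeyTrusteeServer"], "kts2": ["KeyTrusteeServer"],
            "kms1": ["KeyTrusteeKMS", "DataNode"], "kms2": ["KeyTrusteeKMS"]}
    vm_map = {"kts1": "hv-a", "kts2": "hv-a", "kms1": "hv-b", "kms2": "hv-c"}
    for problem in validate_layout(plan, vm_map):
        print(problem)
```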