Encrypting and Decrypting Data Using Cloudera Navigator Encrypt

Once the encrypted file system is created and initialized, it is ready to hold data. All encryption and decryption functionality is performed with a single command: navencrypt-move.

Encrypting Data

Here is an example command to encrypt data, with an explanation for each option:
$ sudo navencrypt-move encrypt @<category> <directory_to_encrypt> <encrypted_mount_point>
navencrypt-move Command Options

navencrypt-move

Main command interface for all actions that require moving data either to or from the encrypted file system. For more information, see the navencrypt-move man page (man navencrypt-move).

encrypt

Identifies the direction in which to move data. In this case, data is moved into the encrypted file system (encrypting it). The decrypt parameter is also valid here and produces the opposite effect.

@<category>

The access category that is applied to the data being encrypted. When moving data into the encrypted file system, you protect it with process-based access controls that restrict access to only the processes you allow. The naming convention of the category is entirely up to you (the @ is required), but it is a good idea to keep it simple and memorable. Depending on what data you are encrypting, it is usually best to pick a name that references the data. For example, a @mysql category would be fitting for a MySQL deployment.

<directory_to_encrypt>

The data that you want to encrypt. This can be a single file or an entire directory. The Navigator Encrypt process starts after the system boots, so you should not encrypt system-required files and directories (for example, the root partition or the entire /var directory). Examples of recommended data directories to encrypt are /var/lib/mysql/data and /db/data.

<encrypted_mount_point>

The last parameter is where you want the data to be stored. This is the path to the mount-point specified during the navencrypt-prepare command. In the example from the previous section, this is /var/lib/navencrypt/mount.

When a file is encrypted, a symbolic link (symlink) is created that points to the @<category> directory under the mount-point. The navencrypt-move command moves all specified data into the encrypted file system and replaces it at its original location with a symlink to its new location under the mount-point.

Encrypting a directory is similar to encrypting a file. The following command encrypts a directory:
$ sudo /usr/sbin/navencrypt-move encrypt @mycategory /path/directory_to_encrypt/ /path/to/mount
In this command, a directory is specified instead of a filename, and a symlink is created for that particular directory. To see the effects of this command, run:
$ ls -l <directory_to_encrypt>
$ du -h <encrypted_storage_directory>

The output shows the new file system layout. Everything that was once in the target directory now resides inside the encrypted file system, encrypted at rest and reachable only by the processes permitted for its category.
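The following is an added verification helper, not part of Navigator Encrypt or the original page: after an encrypt move, it confirms that the original path is now a symlink whose resolved target lives inside the encrypted mount under the category directory, which is the layout described above. It assumes the category directory under the mount is named after the category with or without the leading @ (both forms are accepted), and the demonstration builds a constructed layout in a temporary directory so it runs without a real mount.

```shell
#!/bin/sh
# navencrypt_check_moved <original_path> <mount_point> <category>
# Returns 0 when <original_path> is a symlink resolving to a path under
# <mount_point>/<category> (or <mount_point>/@<category>) that exists,
# and 1 otherwise, with the reason written to stderr.
navencrypt_check_moved() {
    path=$1; mount=$2; category=${3#@}
    if [ ! -L "$path" ]; then
        echo "FAIL: $path is not a symlink (data may not have been moved)" >&2
        return 1
    fi
    target=$(readlink -f "$path") || return 1
    mount_real=$(readlink -f "$mount") || return 1
    # Accept either naming of the category directory (assumption, see lead-in).
    case "$target" in
        "$mount_real/@$category"/*|"$mount_real/$category"/*) ;;
        *) echo "FAIL: $path -> $target is outside $mount_real/$category" >&2
           return 1 ;;
    esac
    if [ ! -e "$target" ]; then
        echo "FAIL: target $target does not exist (encrypted mount not active?)" >&2
        return 1
    fi
    echo "OK: $path -> $target"
    return 0
}

# Demonstration on a constructed layout (no real navencrypt-move is run):
# a fake mount with a mysql category directory and a symlink pointing into it,
# plus a plain directory that was never moved as the negative case.
navencrypt_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/mount/mysql/var/lib/mysql" "$tmp/var/lib" "$tmp/var/lib/plain"
    echo "ibdata" > "$tmp/mount/mysql/var/lib/mysql/ibdata1"
    ln -s "$tmp/mount/mysql/var/lib/mysql" "$tmp/var/lib/mysql"
    rc1=0; navencrypt_check_moved "$tmp/var/lib/mysql" "$tmp/mount" @mysql || rc1=$?
    rc2=0; navencrypt_check_moved "$tmp/var/lib/plain" "$tmp/mount" @mysql 2>/dev/null || rc2=$?
    rm -rf "$tmp"
    [ "$rc1" -eq 0 ] && [ "$rc2" -eq 1 ]
}
```

On a live system, run navencrypt_check_moved against each path you encrypted, passing the real mount-point and category from your navencrypt-move command.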

Decrypting Data

The decryption command works in a similar way to the encrypt command. The following example demonstrates how to decrypt a file using the navencrypt-move command:
$ sudo /usr/sbin/navencrypt-move decrypt /path/file_to_decrypt
As with encryption, you can specify a directory instead of a file:
$ sudo /usr/sbin/navencrypt-move decrypt /path/directory_to_decrypt