Installing Cloudera Navigator Encrypt

Prerequisites

See Data at Rest Encryption Requirements for more information about encryption and Navigator Encrypt requirements.

Installing Navigator Encrypt (RHEL-Compatible)

Install the Cloudera Repository
Create or edit the /etc/yum.repos.d/gazzang.repo file (for example, sudo vi /etc/yum.repos.d/gazzang.repo) and add the following text. Replace USER and PASSWD with the username and password provided by Cloudera. If you do not know your username or password, contact your Cloudera account team.
```
[gazzang_stable]
name=RHEL $releasever - gazzang.com - base
baseurl=https://USER:PASSWD@archive.gazzang.com/redhat/stable/$releasever
enabled=1
gpgcheck=1
gpgkey=http://archive.gazzang.com/gpg_gazzang.asc
```
Important: If you are using CentOS, add the following line to the CentOS base repository:
```
exclude=python-psycopg2*
```
By default, the base repository is located at /etc/yum.repos.d/CentOS-Base.repo. If you have an internal mirror of the base repository, update the correct file for your environment.
Import the GPG key by running the following command:
```
$ sudo rpm --import http://archive.gazzang.com/gpg_gazzang.asc
```
Install Kernel Libraries
For Navigator Encrypt to run as a kernel module, you must download and install the kernel development headers. Each kernel module is compiled specifically for the underlying kernel version. Running as a kernel module allows Navigator Encrypt to provide high performance and completely transparency to user-space applications.

To determine your current kernel version, run uname -r.
To install the development headers for your current kernel version, run:
```
$ sudo yum install kernel-headers-$(uname -r) kernel-devel-$(uname -r)
```
If yum cannot find these packages, it displays an error similar to the following:
```
Unable to locate package <packagename>.
```
In this case, do one of the following to proceed:
- Find and install the kernel headers package by using a tool like RPM Pbone .
- Upgrade your kernel to the latest version. If you upgrade the kernel, you must reboot after upgrading and select the kernel from the grub menu to make it active.
(RHEL or CentOS Only) Install dkms
Because of a broken dependency in all versions of RHEL or CentOS, you must manually install the dkms package:
```
$ sudo yum install http://repository.it4i.cz/mirrors/repoforge/redhat/el6/en/x86_64/rpmforge/RPMS/dkms-2.1.1.2-1.el6.rf.noarch.rpm
```
Note: This link is provided as an example for RHEL 6 only. For other versions, be sure to use the correct URL.

Install Navigator Encrypt

Install the Navigator Encrypt client using the yum package manager:

$ sudo yum install navencrypt

If you attempt to install Navigator Encrypt with incorrect or missing kernel headers, you see a message like the following:

Building zncryptfs 3.4.2 DKMS kernel module...

#################### BUILDING ERROR ####################



Creating symlink /var/lib/dkms/zncryptfs/3.4.2/source ->
                 /usr/src/zncryptfs-3.4.2

DKMS: add completed.
Error! echo
Your kernel headers for kernel 2.6.32-220.el6.x86_64 cannot be found at
/lib/modules/2.6.32-220.el6.x86_64/build or /lib/modules/2.6.32-220.el6.x86_64/source.

#################### BUILDING ERROR ####################

Failed installation of zncryptfs 3.4.2 DKMS kernel module !

To recover, see Navigator Encrypt Kernel Module Setup.

Installing Navigator Encrypt (SLES)

Install the Cloudera Repository
Create and open the Cloudera repo file with the following command:
```
$ sudo vi /etc/zypp/repos.d/gazzang.repo
```
Populate gazzang.repo with the following text:
```
[gazzang-stable]
name=gazzang.com
enabled=1
autorefresh=0
baseurl=https://USER:PASSWD@archive.gazzang.com/sles/stable/11
enabled=1
gpgcheck=1
gpgkey=http://archive.gazzang.com/gpg_gazzang.asc
```
Replace USER and PASSWD with the username and password provided by Cloudera. If you do not know your username or password, contact Cloudera Support or your Cloudera account team.
Import the GPG key by running the following command:
```
$ sudo rpm --import http://archive.gazzang.com/gpg_gazzang.asc
```
Install NTP
The Network Time Protocol (NTP) service synchronizes system time. Cloudera recommends using NTP to ensure that timestamps in system logs, cryptographic signatures, and other auditable events are consistent across systems. Install and start NTP with the following commands:
```
$ sudo zypper install ntp
# /etc/init.d/ntp start
```
Install the Kernel Module Package and Navigator Encrypt Client
Install the kernel module package (KMP) and Navigator Encrypt client with zypper:
```
$ sudo zypper install cloudera-navencryptfs-kmp-<kernel_flavor>
$ sudo zypper install navencrypt
```
Replace <kernel_flavor> with the kernel flavor for your system. Navigator Encrypt supports the default, xen, and ec2 kernel flavors.

Enable Unsupported Modules

Edit /etc/modprobe.d/unsupported-modules and set allow_unsupported_modules to 1. For example:

#
# Every kernel module has a flag 'supported'. If this flag is not set loading
# this module will taint your kernel. You will not get much help with a kernel
# problem if your kernel is marked as tainted. In this case you firstly have
# to avoid loading of unsupported modules.
#
# Setting allow_unsupported_modules 1 enables loading of unsupported modules
# by modprobe, setting allow_unsupported_modules 0 disables it. This can
# be overridden using the --allow-unsupported-modules command line switch.
allow_unsupported_modules 1

Installing Navigator Encrypt (Debian or Ubuntu)

Install the Cloudera Repository

Add the Cloudera repository with the command for your distribution:

Ubuntu

$ echo "deb http://archive.gazzang.com/ubuntu/stable $DISTRIB_CODENAME main" | sudo tee -a /etc/apt/sources.list

Debian

$ echo "deb http://archive.gazzang.com/debian/stable $DISTRIB_CODENAME main" | sudo tee -a /etc/apt/sources.list

Import the GPG key by running the following command:

$ wget -O - https://archive.gazzang.com/gpg_gazzang.asc | apt-key add -

Update the repository index with apt-get update.

Install NTP
The Network Time Protocol (NTP) service synchronizes system time. Cloudera recommends using NTP to ensure that timestamps in system logs, cryptographic signatures, and other auditable events are consistent across systems. Install and start NTP with the following commands:
```
$ sudo apt-get install ntp
$ sudo /etc/init.d/ntp start
```
Install Kernel Headers
Determine your kernel version by running uname -r, and install the appropriate headers:
```
$ sudo apt-get install linux-headers-$(uname -r)
```
Install the Navigator Encrypt Client
Install Navigator Encrypt:
```
$ sudo apt-get install navencrypt
```

Post Installation

To ensure that Navigator Encrypt and NTP start after a reboot, add them to the start order with chkconfig:

$ sudo chkconfig --level 235 navencrypt-mount on
$ sudo chkconfig --level 235 ntpd on

AES-NI and RDRAND

The Advanced Encryption Standard New Instructions (AES-NI) instruction set is designed to improve the speed of encryption and decryption using AES. Some newer processors come with AES-NI, which can be enabled on a per-server basis.

Both the eCryptfs and dm-crypt back ends for Navigator Encrypt can automatically detect and use AES-NI if it is available. If you are uncertain whether AES-NI is available on a device, run the following command to verify:

$ grep -o aes /proc/cpuinfo

To determine whether the AES-NI kernel module is loaded, run the following command:

$ sudo lsmod | grep aesni

If the CPU supports AES-NI but the kernel module is not loaded, see your operating system documentation for instructions on installing the aesni-intel module.

Navigator Encrypt needs a source of random numbers if it is using dm-crypt as its back end. Use rng-tools version 4 or later to seed the system’s entropy pool, using the RDRAND instruction. To install and start rngd:

Download the source code:

$ sudo wget http://downloads.sourceforge.net/project/gkernel/rng-tools/4/rng-tools-4.tar.gz

Extract the source code:
```
tar xvfz rng-tools-4.tar.gz
```
Enter the rng-tools-4 directory:
```
$ cd rng-tools-4
```
Run ./configure
Run make
Run make install

Once you have installed rng-tools, start the rngd daemon by running the following command as root:

$ sudo rngd --no-tpm=1 -o /dev/random

For improved performance, Cloudera recommends configuring Navigator Encrypt to read directly from /dev/random instead of /dev/urandom.

To configure Navigator Encrypt to use /dev/random as an entropy source, add --use-random to the navencrypt-prepare command when you are setting up Navigator Encrypt.

Uninstalling and Reinstalling Navigator Encrypt

Uninstalling Navigator Encrypt

For RHEL-compatible OSes:

$ sudo yum remove navencrypt
$ sudo yum remove zncrypt-kernel-module

These commands remove the software itself. On RHEL-compatible OSes, the /etc/navencrypt directory is not removed as part of the uninstallation. Remove it manually if required.

Reinstalling Navigator Encrypt

After uninstalling Navigator Encrypt, repeat the installation instructions for your distribution in Installing Cloudera Navigator Encrypt.

When Navigator Encrypt is uninstalled, the configuration files and directories located in /etc/navencrypt are not removed. Consequently, you do not need to use the navencrypt register command during reinstallation. If you no longer require the previous installation configuration information in the directory /etc/navencrypt, you can remove its contents.

Categories: Encryption | Installing | Navigator | All Categories

Installing Key Trustee KMS

Installing and Deploying CDH Using the Command Line