Preparing for Encryption Using Cloudera Navigator Encrypt

Before you can encrypt data, you must prepare a storage repository to hold the encrypted data. Data stored and retrieved from the repository is encrypted and decrypted transparently.

Cloudera Navigator Encrypt does not support:
  • Encrypting a directory that contains or is contained within a mount point for another service (such as NFS or another Navigator Encrypt mount point). See Encrypting Data for more information.
  • Installation or use in chroot environments, including creating chroot environments within an encrypted directory.

Navigator Encrypt Commands

The following table lists the commands used to encrypt data:
Navigator Encrypt Commands
Command Description
navencrypt Manage, update, and verify your data.
navencrypt-prepare Prepare your system for encryption by creating mount-points and specifying storage.
navencrypt-prepare --undo Remove a mountpoint that is no longer in use.
navencrypt-move Encrypt/decrypt your data to/from the encrypted filesystem.
navencrypt-profile Generate process profile information in JSON format.
navencrypt-module-setup Build or rebuild the Navigator Encrypt kernel module.

Preparing for Encryption

To get an in-depth look at the details behind the navencrypt-prepare command, or to use a unique configuration, use the interactive prompt by executing navencrypt-prepare with no options. This launches an interactive console that guides you through the following operations:
  • Creating internal encryption keys
  • Registering internal keys in Navigator Key Trustee
  • Registering mount point in /etc/navencrypt/ztab
  • Mounting current mount point
  • Establishing encryption method (dm-crypt for devices, ecryptfs for directories)
Using the console, you can choose how you want your data stored and accessed. Navigator Encrypt offers two different types of encryption:
  • Block-level encryption with dm-crypt: Protect your data by encrypting the entire device. This option enables full disk encryption and is optimized for some system configurations. Block-level encryption can be used with logical devices such as a loop device.
  • File-level encryption with ecryptfs: Protect your data by mounting an encrypted filesystem on top of an existing one. Enables transparent access to encrypted data without modifying your storage.

See Block-Level Encryption with dm-crypt and Filesystem-Level Encryption with eCryptfs for more information.

In order to prepare for encryption, you must set a location to store the encrypted data. In the following example we will use the directory /navencrypt/encrypted-storage and /navencrypt/mount-point. If you have specific space/partition requirements, you can select a different directory, though Cloudera highly recommends that you place the encrypted directory on the same partition as the data you are planning to encrypt.

The syntax for the prepare command is as follows:
$ sudo navencrypt-prepare <data_storage_directory> <mount_point>

When specifying the storage path and the mount point path, do not use a trailing / in the path names. Both directories must exist prior to running the navencrypt-prepare command; they are not automatically created.

To create the encrypted partition, create the mount point and storage directories, and then use the navencrypt-prepare utility:
$ sudo mkdir -p /navencrypt/encrypted-storage /navencrypt/mount-point
$ sudo navencrypt-prepare /navencrypt/encrypted-storage /navencrypt/mount-point

To demonstrate the difference between the two directories, this example uses different directories for the encrypted storage and the mount point. It is also possible to store and access the data using the same directory.

To see the effects of these commands, run df -h. This command displays the partition information about your system. You should see an ecryptfs partition located at /navencrypt/encrypted-storage, and mounted at /navencrypt/mount-point.

After you have successfully prepared a client for encryption, you can encrypt and decrypt data using the commands described in Encrypting and Decrypting Data Using Cloudera Navigator Encrypt.

Block-Level Encryption with dm-crypt

When choosing block-level encryption during the interactive console, you must specify two parameters:
  1. The first parameter is the block device you want to store the encrypted file system in. Because this device stores all of the encrypted data, it must be as large as or larger than the target data. The device must be empty. Supported storage devices are:
    • Physical block devices (for example, a disk device)
    • Virtual block devices (for example, a block device created by LVM)
    • Loop devices
  2. The second parameter is the mount point for the encrypted file system. This is the location where you can access the encrypted data stored in the first parameter.

The entire device in the first parameter will be used for encrypted data.

After choosing these two parameters and following the interactive console (discussed further in Preparing for Encryption), you are ready to encrypt your data. The following example shows successful output from a navencrypt-prepare command using dm-crypt for block-level encryption:
$ sudo /usr/sbin/navencrypt-prepare /dev/sda1 /mnt/dm_encrypted
Type MASTER passphrase:
Encryption Type:  dmCrypt (LUKS)
Cipher:        aes
Key Size:  256
Random Interface: /dev/urandom
Filesystem:    ext4
Verifying MASTER key against Navigator Key Trustee (wait a moment) ... OK
Generation Encryption Keys with /dev/urandom       ... OK
Preparing dmCrypt device (--use-urandom)               ... OK
Creating ext4 filesystem                               ... OK
Registering Encryption Keys (wait a moment)        ... OK
Mounting /dev/sda1                                    ... OK

Block-Level Encryption with a Loop Device

When encrypting a device with block encryption, the device does not have to be a physical device; it can be a storage space treated as a device instead. See Migrating eCryptfs-Encrypted Data to dm-crypt for instructions on migrating data encrypted using eCryptfs to use dm-crypt with a loop device.

To configure a loop device, use the dd command to create a storage space:
$ sudo dd if=/dev/zero of=/dmcrypt/storage bs=1G count=500
$ sudo losetup -f
/dev/loop0 ## This output displays available loop devices.
$ sudo losetup /dev/loop0 /dmcrypt/storage

The dd command used above creates a 500 GB file. The losetup -f command returns an unused loop device to be used as a device. The command losetup /dev/loop0 /dmcrypt/storage associates the 500 GB file with the loop device. Add the losetup /dev/loop0 /dmcrypt/storage command to /etc/rc.local to ensure that the loop device is available at boot.

The device /dev/loop0 is now ready to be used by navencrypt-prepare. For example:
$ sudo /usr/sbin/navencrypt-prepare /dev/loop0 /dmcrypt/mountpoint
The following example shows the successful output from the command:
Type MASTER passphrase:
Encryption Type:  dmCrypt (LUKS)
Cipher:        aes
Key Size:  256
Random Interface: /dev/urandom
Filesystem:    ext4
Verifying MASTER key against Navigator Key Trustee (wait a moment) ... OK
Generation Encryption Keys with /dev/urandom       ... OK
Preparing dmCrypt device (--use-urandom)               ... OK
Creating ext4 filesystem                               ... OK
Registering Encryption Keys (wait a moment)        ... OK
Mounting /dev/loop0                                    ... OK

Filesystem-Level Encryption with eCryptfs

When choosing file-level encryption during the interactive console, you must specify two parameters:
  1. The first parameter is the storage directory you want to store the encrypted file system in. Because this directory will hold all of the encrypted data, it must be as large as or larger than the target data.
  2. The second parameter is the mount point for the encrypted file system. This is the location where you can access the encrypted data stored in the location identified by the first parameter.

While the data is technically stored at the location identified by the first parameter, you can only access the data from the mount point identified by the second parameter. Consider this when choosing where to mount your data.

After choosing these two parameters and following the interactive console (discussed further in Preparing for Encryption), you are ready to encrypt your data.

Undo Operation

Navigator Encrypt 3.5 and higher supports a new command option, navencrypt-prepare --undo. This command reverses the operations from the regular navencrypt-prepare command by removing the device from Navigator Encrypt control and removing registered encryption keys.

The only parameter of the undo operation is the storage device used to store the encrypted file system (not the mount point). Here is an example showing navencrypt-prepare and navencrypt-prepare --undo operations:
$ sudo navencrypt-prepare /path/to/storage /path/to/mountpoint
Type MASTER passphrase:

Encryption Type:  eCryptfs
Cipher:           aes
Key Size:         256
Random Interface: OpenSSL
Filesystem:       ext4
Options:

Verifying MASTER key against Navigator Key Trustee (wait a moment)     ... OK
Generation Encryption Keys with OpenSSL                   ... OK
Registering Encryption Keys (wait a moment)               ... OK
Mounting /path/to/mountpoint                              ... OK
$ sudo navencrypt-prepare --undo /path/to/storage
Type MASTER passphrase:
Verifying MASTER key against Navigator Key Trustee (wait a moment)     ... OK
Umounting /path/to/mountpoint                             ... OK

Pass-through Mount Options for navencrypt-prepare

Navigator Encrypt 3.5 and higher provides the ability to specify options to pass to the mount command that is executed during /etc/init.d/navencrypt-mount start. These options are specified with the -o option when preparing a mountpoint with the navencrypt-prepare command.

The following shows an example navencrypt-prepare command output when passing mount options with the -o option:
$ sudo navencrypt-prepare -o discard,resize /mnt/t2 /mnt/t2
Type MASTER passphrase:

Encryption Type:  eCryptfs
Cipher:           aes
Key Size:         256
Random Interface: OpenSSL
Filesystem:       ext4
Options:          discard,resize

Verifying MASTER key against Navigator Key Trustee(wait a moment)     ... OK
Generation Encryption Keys with OpenSSL                               ... OK
Registering Encryption Keys (wait a moment)                           ... OK
Mounting /mnt/t2                                                      ... OK
You can verify the results by viewing the /etc/navencrypt/ztab file:
$ cat /etc/navencrypt/ztab
/mnt/t2 /mnt/t2 ecryptfs key=keytrustee,cipher=aes,keysize=256,discard,resize

Options can be added or removed to existing mount points prepared with versions of Navigator Encrypt prior to 3.5 by editing the /etc/navencrypt/ztab file and adding the comma-separated options to the end of each line as seen in the previous example above.

To see the mounted filesystems and options, run mount:
$ mount
/mnt/t2 on /mnt/t2 type ecryptfs (rw,ecryptfs_sig=6de3db1e87077adb,ecryptfs_unlink_sigs,noauto,\
ecryptfs_cipher=aes,ecryptfs_key_bytes=32,discard,resize)

Pass-through mount options work for both dm-crypt and eCryptfs. For a list of available mount options, see the man pages for cryptsetup and ecryptfs respectively.