Cloudera Navigator Data Encryption Overview

Cloudera Navigator includes a turnkey encryption and key management solution for data at rest, whether data is stored in HDFS or on the local Linux filesystem. Cloudera Navigator encryption comprises the following components:
  • Cloudera Navigator Key Trustee Server

    Key Trustee Server is an enterprise-grade virtual safe-deposit box that stores and manages cryptographic keys. With Key Trustee Server, encryption keys are separated from the encrypted data, ensuring that sensitive data is protected in the event that unauthorized users gain access to the storage media.

  • Cloudera Navigator Key HSM

    Key HSM is a service that allows Key Trustee Server to integrate with a hardware security module (HSM). Key HSM enables Key Trustee Server to use an HSM as the root of trust for cryptographic keys, taking advantage of Key Trustee Server’s policy-based key and security asset management capabilities while satisfying existing internal security requirements regarding treatment of cryptographic materials.

  • Cloudera Navigator Encrypt

    Navigator Encrypt is a client-side service that transparently encrypts data at rest without requiring changes to your applications and with minimal performance lag in the encryption or decryption process. Advanced key management with Key Trustee Server and process-based access controls in Navigator Encrypt enable organizations to meet compliance regulations and ensure unauthorized parties or malicious actors never gain access to encrypted data.

  • Key Trustee KMS

    For HDFS Data At Rest Encryption, Cloudera provides Key Trustee KMS, a customized Key Management Server that uses Key Trustee Server for robust and scalable encryption key storage and management instead of the file-based Java KeyStore used by the default Hadoop KMS.

Cloudera Navigator encryption provides:
  • High-performance transparent data encryption for files, databases, and applications running on Linux
  • Separation of cryptographic keys from encrypted data
  • Centralized management of cryptographic keys
  • Integration with hardware security modules (HSMs) from Thales and SafeNet
  • Support for Intel AES-NI cryptographic accelerator for enhanced performance in the encryption and decryption process
  • Process-Based Access Controls
Cloudera Navigator encryption can be deployed to protect different assets, including (but not limited to):
  • Databases
  • Log files
  • Temporary files
  • Spill files
  • HDFS data
For planning and deployment purposes, this can be simplified to two types of data that Cloudera Navigator encryption can secure:
  1. HDFS data
  2. Local filesystem data
The following table outlines some common use cases and identifies the services required.
Encrypting Data at Rest
Data Type Data Location Key Management Additional Services Required
HDFS HDFS Key Trustee Server Key Trustee KMS
Metadata databases, including:
  • Hive Metastore
  • Cloudera Manager
  • Cloudera Navigator Data Management
  • Sentry
Local filesystem Key Trustee Server Navigator Encrypt
Temp/spill files for CDH components with native encryption:
  • Impala
  • YARN
  • MapReduce
  • Flume
  • HBase
  • Accumulo
Local filesystem N/A (temporary keys are stored in memory only) None (enable native temp/spill encryption for each component)
Temp/spill files for CDH components without native encryption:
  • Spark
  • Kafka
  • Sqoop2
  • HiveServer2
Local filesystem Key Trustee Server Navigator Encrypt
Log files Local filesystem Key Trustee Server Navigator Encrypt

Log Redaction

For instructions on using Navigator Encrypt to secure local filesystem data, see Cloudera Navigator Encrypt.

Cloudera Navigator Encryption Architecture

The following diagram illustrates how the Cloudera Navigator encryption components interact with each other:

Key Trustee clients include Navigator Encrypt and Key Trustee KMS. Encryption keys are created by the client and stored in Key Trustee Server.

Cloudera Navigator Encryption Integration with an EDH

The following diagram illustrates how the Cloudera Navigator encryption components integrate with an Enterprise Data Hub (EDH):

For more details on the individual components of Cloudera Navigator encryption, continue reading: