Maintaining Cloudera Navigator Encrypt
Continue reading:
Manually Backing Up Navigator Encrypt
It is recommended that you back up Navigator Encrypt configuration directory after installation, and again after any configuration updates.
- To manually back up the Navigator Encrypt configuration directory (/etc/navencrypt):
$ zip -r --encrypt nav-encrypt-conf.zip /etc/navencrypt
The --encrypt option prompts you to create a password used to encrypt the zip file. This password is also required to decrypt the file. Ensure that you protect the password by storing it in a secure location.
- Move the backup file (nav-encrypt-conf.zip) to a secure location.
Access Modes
- Enforcing is the default mode in which Navigator Encrypt validates access from all processes against the ACL. To protect your data, enforcing mode must be enabled.
- Permissive mode causes action="denied" messages to be logged in dmesg. It does not prevent access to the encrypted data. This mode is a dry-run feature to run and build ACL rules.
- Admin mode, as well as permissive mode, does not prevent access to the encrypted data. It allows any process to access the information because the ACL rules are not validated against the process. Admin mode does not cause action="denied" messages to be logged in dmesg.
$ sudo /usr/sbin/navencrypt status -d
$ sudo /usr/sbin/navencrypt set --mode={enforcing|permissive|admin}
You cannot change the Navigator Encrypt access mode unless the Navigator Encrypt module is running. To view the status of the Navigator Encrypt module, run navencrypt status --module.
$ sudo /etc/init.d/navencrypt-mount status
$ sudo systemctl status navencrypt-mount
Changing and Verifying the Master Key
You can perform two operations with the navencrypt key command: change and verify.
$ sudo /usr/sbin/navencrypt key --verify $ sudo /usr/sbin/navencrypt key --verify --only-module $ sudo /usr/sbin/navencrypt key --verify --only-keytrustee
$ sudo /usr/sbin/navencrypt key –-change
You can use the --trustees, --votes, and --recoverable options for the new key as described in Registration Options.
Updating ACL Fingerprints
All rules reference a process fingerprint (a SHA256 digest) that is used to authenticate the process into the file system. If the filesystem detects a fingerprint that is different from the one stored in the ACL, the Linux process is denied access and treated as an untrusted process.
Occasionally this process fingerprint must be updated, such as when software is upgraded. When the fingerprint must be updated, the Navigator Encrypt administrator re-authenticates the process on the ACL by executing the command navencrypt acl --update.
$ sudo /usr/sbin/navencrypt acl --list Type MASTER passphrase: # - Type Category Path Profile Process 1 !! ALLOW @mysql * /usr/sbin/mysqld 2 ALLOW @log * /usr/sbin/mysqld 3 !! ALLOW @apache * /usr/lib/apache2/mpm-prefork/
In the example above, the double exclamation (!!) characters indicate that a process fingerprint has changed and must be updated. Similarly, double E (EE) characters indicate a process read error. This error can be caused by a process that does not exist or that has permission issues.
Managing Mount Points
- start
- stop
- status
- restart
For RHEL 7, use systemctl [start|stop|status|restart] navencrypt-mount.
When executing the stop operation, the encrypted mount point is unmounted, and your data becomes inaccessible.
$ sudo /etc/init.d/navencrypt-mount status
$ sudo /etc/init.d/navencrypt-mount stop
$ sudo /etc/init.d/navencrypt-mount start
$ sudo /usr/sbin/mount.navencrypt /path/to_encrypted_data/ /path/to/mountpoint
This command can be executed only if the navencrypt-prepare command was previously executed.
Allowing Access to a Single Operation
$ ls /mnt/db_encrypted/mysql/ ls: cannot open directory /mnt/db_encrypted/mysql/: Permission denied
$ sudo /usr/sbin/navencrypt exec "ls -l /mnt/db_encrypted/mysql/"
Navigator Encrypt Kernel Module Setup
If the kernel headers were not installed on your host, or if the wrong version of the kernel headers were installed, the Navigator Encrypt module was not built at installation time. To avoid reinstalling the system, install the correct headers and execute the navencrypt-module-setup command. This attempts to build the module and install it.
This method is also an efficient way to install any new Navigator Encrypt module feature or fix without otherwise modifying your current Navigator Encrypt environment.
Navigator Encrypt Configuration Directory Structure
$ tree /etc/navencrypt/ /etc/navencrypt/ ├── control -> /etc/navencrypt/jSpi9SM65xUIIhrau1Nn8ZXmQhrrQ9e363EUz8HKiRs ├── jSpi9SM65xUIIhrau1Nn8ZXmQhrrQ9e363EUz8HKiRs ├── rules ├── ztab locust └── keytrustee ├── clientname ├── deposits │ ├── dev.loop0 │ ├── media.31E5-79B9locustlocust[system ~]# . /etc/*release[system ~]# . /etc/*release │ ├── mnt.a │ ├── mnt.encrypted │ └── mnt.tomount ├── pubring.gpg ├── pubring.gpg~ ├── random_seed ├── secring.gpg ├── trustdb.gpg └── ztrustee.conf
- control
File that saves information about the mount points and corresponding Navigator Key Trustee keys.
- rules
File that contains the ACL rules. It is encrypted with the user-provided master key.
- ztab
File that contains information about all the mount points and their encryption type.
- keytrustee
Directory where Navigator Key Trustee GPG keys are stored. These are generated during navencrypt register operations.
- keytrustee/deposits
Directory where the Navigator Encrypt keys are saved. These are encrypted with the user-provided master key.
Every mount point has an internal randomly-generated encryption passphrase.
Upgrading Navigator Encrypt Hosts
See Best Practices for Upgrading Navigator Encrypt Hosts for considerations when upgrading operating systems (OS) and kernels on hosts that have Navigator Encrypt installed.