Key Trustee KMS High Availability

CDH 5.4.0 and higher supports Key Trustee KMS high availability. For new installations, you can use the Set up HDFS Data At Rest Encryption wizard to install and configure Key Trustee KMS high availability. If you have an existing standalone Key Trustee KMS service, use the following procedure to enable Key Trustee KMS high availability:
  1. Back up the Key Trustee KMS private key and configuration directory. See Backing Up and Restoring Key Trustee Server for more information.
  2. If you do not have a ZooKeeper service in your cluster, add one using the instructions in Adding a Service.
  3. Run the Add Role Instances wizard for the Key Trustee KMS service (Key Trustee KMS service > Actions > Add Role Instances).
  4. Click Select hosts and check the box for the host where you want to add the additional Key Management Server Proxy role. See Resource Planning for Data at Rest Encryption for considerations when selecting a host. Click OK and then Continue.
  5. On the Review Changes page of the wizard, confirm the authorization code, organization name, and Key Trustee Server settings, and then click Finish.
  6. Go to Key Trustee KMS service > Configuration and make sure that the ZooKeeper Service dependency is set to the ZooKeeper service for your cluster.
  7. Restart the Key Trustee KMS service (Key Trustee KMS service > Actions > Restart).
  8. Synchronize the Key Trustee KMS private key.
    Cloudera recommends following security best practices and transferring the private key using offline media, such as a removable USB drive. For convenience (for example, in a development or testing environment where maximum security is not required), you can copy the private key over the network by running the following rsync command on the original Key Trustee KMS host:
    rsync -zav /var/lib/kms-keytrustee/keytrustee/.keytrustee root@ktkms02.example.com:/var/lib/kms-keytrustee/keytrustee/.

    Replace ktkms02.example.com with the hostname of the Key Trustee KMS host that you are adding.

  9. Restart the cluster.
  10. Redeploy the client configuration (Home > Cluster-wide > Deploy Client Configuration).
  11. Re-run the steps in Validating Hadoop Key Operations.