Data at Rest Encryption Requirements
Encryption comprises several components, each with its own requirements.
Data at rest encryption protection can be applied at a number of levels within Hadoop:
- OS filesystem-level
- Network-level
- HDFS-level (protects both data at rest and in transit)
This section contains the various hardware and software requirements for all encryption products used for Data at Rest Encryption.
For more information on supported operating systems, see Product Compatibility Matrix for Cloudera Navigator Encryption.
For more information on the components, concepts, and architecture for encrypting data at rest, see Encrypting Data at Rest.
Entropy Requirements
Cryptographic operations require entropy to ensure randomness. To check the entropy currently available on a host, run:
cat /proc/sys/kernel/random/entropy_avail
Check the value several times; if it is consistently low, install rng-tools and configure the rngd service to feed the kernel entropy pool. Note that the -r /dev/urandom option below feeds the pool from the kernel's own pseudo-random generator rather than from a hardware source; where a hardware RNG is available, rngd uses it by default and this option is not needed.
On hosts using SysV init (for example, RHEL 6-compatible systems), run the following (the configuration line is written with tee because a redirect after sudo echo would run without root privileges):
sudo yum install rng-tools
echo 'EXTRAOPTIONS="-r /dev/urandom"' | sudo tee -a /etc/sysconfig/rngd
sudo service rngd start
sudo chkconfig rngd on
On hosts using systemd (for example, RHEL 7-compatible systems), run:
sudo yum install rng-tools
sudo cp /usr/lib/systemd/system/rngd.service /etc/systemd/system/
sudo sed -i -e 's/ExecStart=\/sbin\/rngd -f/ExecStart=\/sbin\/rngd -f -r \/dev\/urandom/' /etc/systemd/system/rngd.service
sudo systemctl daemon-reload
sudo systemctl start rngd
sudo systemctl enable rngd
Make sure that the hosts running Key Trustee Server, Key Trustee KMS, and Navigator Encrypt have sufficient entropy to perform cryptographic operations.
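A pre-flight check for the entropy requirement, added here as an example and not taken from the Cloudera documentation: it samples entropy_avail several times, flags a pool that drops below a threshold, and reports whether rngd is running. The threshold (1000), sample count and interval are assumed values; adjust them for your hosts.

```shell
#!/bin/sh
# Added example (not Cloudera's code). Path is the standard Linux entropy
# counter; override ENTROPY_FILE to test against a constructed file.
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"

# min_entropy FILE SAMPLES INTERVAL
# Prints the lowest value read from FILE over SAMPLES reads, INTERVAL seconds apart.
min_entropy() {
    file="$1"; samples="$2"; interval="$3"
    min=""; i=0
    while [ "$i" -lt "$samples" ]; do
        v=$(cat "$file") || return 1
        if [ -z "$min" ] || [ "$v" -lt "$min" ]; then
            min="$v"
        fi
        i=$((i + 1))
        if [ "$i" -lt "$samples" ]; then sleep "$interval"; fi
    done
    printf '%s\n' "$min"
}

# entropy_ok FILE THRESHOLD SAMPLES INTERVAL
# Returns 0 when the pool never dropped below THRESHOLD, 1 otherwise.
entropy_ok() {
    m=$(min_entropy "$1" "$3" "$4") || return 1
    [ "$m" -ge "$2" ]
}

# rngd_active: returns 0 if the rngd service is running (systemd or SysV init).
rngd_active() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active --quiet rngd 2>/dev/null
    elif command -v service >/dev/null 2>&1; then
        service rngd status >/dev/null 2>&1
    else
        return 1
    fi
}

# Stand-alone run against the live pool: 5 samples, 1 second apart (assumed values).
if [ -r "$ENTROPY_FILE" ]; then
    if entropy_ok "$ENTROPY_FILE" 1000 5 1; then
        echo "entropy OK: never below 1000 over 5 samples"
    else
        echo "entropy LOW: install rng-tools and start rngd" >&2
    fi
    if rngd_active; then echo "rngd is running"; else echo "rngd is not running" >&2; fi
fi
```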
Cloudera Manager Requirements
Installing and managing Key Trustee Server using Cloudera Manager requires Cloudera Manager 5.4.0 and higher. Key Trustee Server does not require Cloudera Navigator Audit Server or Metadata Server.
Network Requirements
For new Key Trustee Server installations (5.4.0 and higher) and migrated upgrades (see Migrate Apache Web Server to CherryPy for more information), Key Trustee Server requires the following TCP ports to be opened for inbound traffic:
- 11371
Clients connect to this port over HTTPS.
- 11381 (PostgreSQL)
The passive Key Trustee Server connects to this port for database replication.
For upgrades that are not migrated to the CherryPy web server, the pre-upgrade port settings are preserved:
- 80
Clients connect to this port over HTTP to obtain the Key Trustee Server public key.
- 443 (HTTPS)
Clients connect to this port over HTTPS.
- 5432 (PostgreSQL)
The passive Key Trustee Server connects to this port for database replication.
TLS Certificate Requirements
To ensure secure network traffic, Cloudera recommends obtaining Transport Layer Security (TLS) certificates specific to the hostname of your Key Trustee Server. To obtain the certificate, generate a Certificate Signing Request (CSR) for the fully qualified domain name (FQDN) of the Key Trustee Server host. The CSR must be signed by a trusted Certificate Authority (CA). After the certificate has been verified and signed by the CA, the Key Trustee Server TLS configuration requires:
- The CA-signed certificate
- The private key used to generate the original CSR
- The intermediate certificate/chain file (provided by the CA)
Cloudera recommends not using self-signed certificates. If you use self-signed certificates, you must use the --skip-ssl-check parameter when registering Navigator Encrypt with the Key Trustee Server. This skips TLS hostname validation, and hostname validation is what safeguards against certain network-level attacks, so the registration runs without that protection. For more information regarding insecure mode, see Registration Options.