Upgrading Cloudera Navigator Encrypt

Setting Up an Internal Repository

You must create an internal repository to install or upgrade the Cloudera Navigator data encryption components. For instructions on creating internal repositories, see the following topics:

Upgrading Navigator Encrypt (RHEL-Compatible)

Before you begin the upgrade process, refer to Product Compatibility Matrix for Cloudera Navigator Encrypt and ensure that you have the minimum requisite operating system version(s) installed.

Install the Cloudera Repository
Add to the internal repository you created when you installed Navigator Encrypt. Point to the URL of the Navigator Encrypt update.

Stop Navigator Encrypt

Stop the Navigator Encrypt service:

sudo systemctl stop navencrypt-mount
sudo systemctl stop navencrypt-manager

Upgrade Navigator Encrypt
Upgrade the Navigator Encrypt client using yum:
```
sudo yum update navencrypt
```

Start Navigator Encrypt

Start the Navigator Encrypt service:

sudo systemctl start navencrypt-manager
sudo systemctl start navencrypt-mount

If you are using an RSA master key file, change the master key to use OAEP padding:

# navencrypt key --change --rsa-oaep
...
>> Choose NEW MASTER key type:
 1) Passphrase (single)
 2) Passphrase (dual)
 3) RSA private key
Select: 3
Type MASTER RSA key file:
Type MASTER RSA key passphrase:

To check the type of padding currently in use:

# navencrypt key --get-rsa-padding
Type your Master key
Type MASTER RSA key file:
Type MASTER RSA key passphrase:

Verifying Master Key against keytrustee (wait a moment)...
RSA_PKCS1_OAEP_PADDING

Upgrading Navigator Encrypt (SLES)

Install the Cloudera Repository
Add to the internal repository you created when you installed Navigator Encrypt. Point to the URL of the Navigator Encrypt update.

Stop Navigator Encrypt

Stop the Navigator Encrypt service:

sudo systemctl stop navencrypt-mount
sudo systemctl stop navencrypt-manager

Upgrade the Kernel Module Package (KMP)
```
sudo zypper update cloudera-navencryptfs-kmp-<kernel_flavor>
```
Replace kernel_flavor with the kernel flavor for your system. Navigator Encrypt supports the default, xen, and ec2 kernel flavors.
Upgrade the Navigator Encrypt Client
Upgrade Navigator Encrypt:
```
sudo zypper update navencrypt
```

Enable Unsupported Modules

Edit /etc/modprobe.d/unsupported-modules and set allow_unsupported_modules to 1. For example:

# Every kernel module has a flag 'supported'. If this flag is not set loading
# this module will taint your kernel. You will not get much help with a kernel
# problem if your kernel is marked as tainted. In this case you firstly have
# to avoid loading of unsupported modules.
#
# Setting allow_unsupported_modules 1 enables loading of unsupported modules
# by modprobe, setting allow_unsupported_modules 0 disables it. This can
# be overridden using the --allow-unsupported-modules command line switch.
allow_unsupported_modules 1

Start Navigator Encrypt

Start the Navigator Encrypt service:

sudo systemctl start navencrypt-manager
sudo systemctl start navencrypt-mount

If you are using an RSA master key file, then you should change the master key to use OAEP padding:

# navencrypt key --change --rsa-oaep
...
>> Choose NEW MASTER key type:
 1) Passphrase (single)
 2) Passphrase (dual)
 3) RSA private key
Select: 3
Type MASTER RSA key file:
Type MASTER RSA key passphrase:

To check the type of padding currently in use:

# navencrypt key --get-rsa-padding
Type your Master key
Type MASTER RSA key file:
Type MASTER RSA key passphrase:

Verifying Master Key against keytrustee (wait a moment)...
RSA_PKCS1_OAEP_PADDING

Upgrading Navigator Encrypt (Debian or Ubuntu)

Install the Cloudera Repository
Add to the internal repository you created when you installed Navigator Encrypt. Point to the URL of the Navigator Encrypt update.
Stop Navigator Encrypt
Stop the Navigator Encrypt service:
```
sudo stop navencrypt-mount
sudo stop navencrypt-manager
```
Upgrade the Navigator Encrypt Client
Upgrade Navigator Encrypt:
```
sudo apt-get install navencrypt
```

Start Navigator Encrypt

Start the Navigator Encrypt service:

sudo systemctl start navencrypt-manager
sudo systemctl start navencrypt-mount

If you are using an RSA master key file, then you should change the master key to use OAEP padding:

# navencrypt key --change --rsa-oaep
...
>> Choose NEW MASTER key type:
 1) Passphrase (single)
 2) Passphrase (dual)
 3) RSA private key
Select: 3
Type MASTER RSA key file:
Type MASTER RSA key passphrase:

To check the type of padding currently in use:

# navencrypt key --get-rsa-padding
Type your Master key
Type MASTER RSA key file:
Type MASTER RSA key passphrase:

Verifying Master Key against keytrustee (wait a moment)...
RSA_PKCS1_OAEP_PADDING

Best practices for upgrading Navigator Encrypt hosts

Following are some best practices for upgrading operating systems (OS) and kernels on hosts that have Navigator Encrypt installed:

Ensure that the version you are upgrading to is supported by Navigator Encrypt. See the product compatibility matrix for Product Compatibility Matrix for Navigator Encrypt for more information.
Always test upgrades in a development or testing environment before upgrading production hosts.
If possible, upgrade the entire operating system instead of only upgrading the kernel.
If you need to upgrade the kernel only, ensure that your OS version supports the kernel version to which you are upgrading.
Always back up the /etc/navencrypt directory before upgrading. If you have problems accessing encrypted data after upgrading the OS or kernel, restore /etc/navencrypt from your backup and try again.