Data at Rest Encryption Requirements
Encryption comprises several components, each with its own requirements.
Data at rest encryption protection can be applied at a number of levels within Hadoop:
- OS filesystem-level
- Network-level
- HDFS-level (protects both data at rest and in transit)
For more information on the components, concepts, and architecture for encrypting data at rest, see Encrypting Data at Rest.
Product Compatibility Matrix
See Product Compatibility Matrix for Cloudera Navigator Encryption for the individual compatibility matrices for each Cloudera Navigator encryption component.
Entropy Requirements
Cryptographic operations require entropy to ensure randomness.
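To check the entropy currently available on a Linux host:
$ cat /proc/sys/kernel/random/entropy_avail
If the value is low, install rng-tools and start the rngd service. On hosts that use SysV init (service and chkconfig):
$ sudo yum install rng-tools
$ echo 'EXTRAOPTIONS="-r /dev/urandom"' | sudo tee -a /etc/sysconfig/rngd
$ sudo service rngd start
$ sudo chkconfig rngd on
On hosts that use systemd (systemctl):
$ sudo yum install rng-tools
$ sudo cp /usr/lib/systemd/system/rngd.service /etc/systemd/system/
$ sudo sed -i -e 's/ExecStart=\/sbin\/rngd -f/ExecStart=\/sbin\/rngd -f -r \/dev\/urandom/' /etc/systemd/system/rngd.service
$ sudo systemctl daemon-reload
$ sudo systemctl start rngd
$ sudo systemctl enable rngd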
Make sure that the hosts running Key Trustee Server, Key Trustee KMS, and Navigator Encrypt have sufficient entropy to perform cryptographic operations.
Key Trustee Server Requirements
Recommended Hardware and Supported Distributions
Key Trustee Server must be installed on a dedicated server or virtual machine (VM) that is not used for any other purpose. The backing PostgreSQL database must be installed on the same host as the Key Trustee Server, and must not be shared with any other services. For high availability, the active and passive Key Trustee Servers must not share physical resources. See Resource Planning for Data at Rest Encryption for more information.
The recommended minimum hardware specifications are as follows:
- Processor: 1 GHz 64-bit quad core
- Memory: 8 GB RAM
- Storage: 20 GB on moderate- to high-performance disk drives
Key Trustee Server supports the following Linux distributions:
- RHEL 6.4
- RHEL and CentOS: 6.5, 6.6, 6.7, 6.8, 7.1, 7.2, 7.3
- Oracle Enterprise Linux: 6.7, 6.8, 7.1, 7.2, 7.3
Cloudera Manager Requirements
Installing and managing Key Trustee Server using Cloudera Manager requires Cloudera Manager 5.4.0 and higher. Key Trustee Server does not require Cloudera Navigator Audit Server or Metadata Server.
Network Requirements
For new Key Trustee Server installations (5.4.0 and higher) and migrated upgrades (see Migrate Apache Web Server to CherryPy for more information), Key Trustee Server requires the following TCP ports to be opened for inbound traffic:
- 11371
  Clients connect to this port over HTTPS.
- 11381 (PostgreSQL)
  The passive Key Trustee Server connects to this port for database replication.
For upgrades that are not migrated to the CherryPy web server, the pre-upgrade port settings are preserved:
- 80
  Clients connect to this port over HTTP to obtain the Key Trustee Server public key.
- 443 (HTTPS)
  Clients connect to this port over HTTPS.
- 5432 (PostgreSQL)
  The passive Key Trustee Server connects to this port for database replication.
TLS Certificate Requirements
To ensure secure network traffic, Cloudera recommends obtaining Transport Layer Security (TLS) certificates specific to the hostname of your Key Trustee Server. To obtain the certificate, generate a Certificate Signing Request (CSR) for the fully qualified domain name (FQDN) of the Key Trustee Server host. The CSR must be signed by a trusted Certificate Authority (CA). After the certificate has been verified and signed by the CA, the Key Trustee Server TLS configuration requires:
- The CA-signed certificate
- The private key used to generate the original CSR
- The intermediate certificate/chain file (provided by the CA)
Cloudera recommends not using self-signed certificates. If you use self-signed certificates, you must use the --skip-ssl-check parameter when registering Navigator Encrypt with the Key Trustee Server. This skips TLS hostname validation, which safeguards against certain network-level attacks. For more information regarding insecure mode, see Registration Options.
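A pre-installation check of the three files listed above, plus the hostname match that --skip-ssl-check would bypass, as an added example that is not part of Cloudera's documentation. It uses the openssl command-line tool; the function names, file names and kts.example.com are assumptions, and make_demo_pki builds a throwaway root CA as constructed sample input.

```shell
#!/bin/sh
# Added example, not Cloudera code. Requires the openssl command-line tool.

# check_kts_tls CERT KEY CHAIN ROOT FQDN
# Prints "ok" or the first failed check; returns non-zero on failure.
check_kts_tls() {
  cert=$1 key=$2 chain=$3 root=$4 fqdn=$5

  # 1. The private key must be the one behind the CSR: public keys must match.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo key-mismatch; return 1; }

  # 2. The certificate must chain to the CA root through the chain file.
  openssl verify -CAfile "$root" -untrusted "$chain" "$cert" >/dev/null 2>&1 ||
    { echo chain-invalid; return 1; }

  # 3. The certificate must name the host's FQDN. This is the validation
  #    that is skipped when clients register with --skip-ssl-check.
  openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null |
    grep -q 'does match' || { echo hostname-mismatch; return 1; }

  echo ok
}

# make_demo_pki DIR FQDN: constructed sample input. Creates a throwaway root
# CA (root.pem) and a key and certificate for FQDN (kts.key, kts.pem).
make_demo_pki() {
  dir=$1 fqdn=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$dir/kts.key" -out "$dir/kts.csr" 2>/dev/null &&
  openssl x509 -req -in "$dir/kts.csr" -days 1 -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -out "$dir/kts.pem" 2>/dev/null
}
```

With a real CA, pass the CA's intermediate chain file as CHAIN and its root certificate as ROOT. The demo PKI has no intermediate, so root.pem can be passed for both.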
Key Trustee KMS Requirements
Recommended Hardware and Supported Distributions
The recommended minimum hardware specifications are as follows:
- Processor: 2 GHz 64-bit quad core
- Memory: 16 GB RAM
- Storage: 40 GB on moderate- to high-performance disk drives
Key Trustee KMS supports the following Linux distributions:
- RHEL and CentOS: 5.7, 5.10, 6.4, 6.5, 6.6, 6.7, 6.8, 7.1, 7.2, 7.3
- Oracle Enterprise Linux: 5.7, 5.10, 5.11, 6.4, 6.5, 6.6, 6.7, 6.8, 7.1, 7.2, 7.3
- SLES: 11 SP2, 11 SP3, 11 SP4, 12 SP1, 12 SP2
- Debian: 7.1, 7.8, 8.2, 8.4
- Ubuntu: 12.04, 14.04, 16.04
The Key Trustee KMS workload is CPU-intensive. Cloudera recommends using machines with capabilities equivalent to your NameNode hosts, with Intel CPUs that support AES-NI for optimum performance. Also, Cloudera strongly recommends that you enable TLS for both the HDFS and the Key Trustee KMS services to prevent the passage of plain text key material between the KMS and HDFS data nodes.
Key HSM Requirements
The following are prerequisites for installing Navigator Key HSM:
- Supported operating systems:
  - RHEL and CentOS: 6.4, 6.5, 6.6, 6.7, 7.1, 7.2
- Oracle Java Runtime Environment (JRE) 7 or higher with Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files:
- A supported HSM device:
  - SafeNet Luna
    - HSM firmware version: 6.2.1
    - HSM software version: 5.2.3-1
  - SafeNet KeySecure
    - HSM firmware version: 6.2.1
    - HSM software version: 8.0.1
  - Thales nSolo, nConnect
    - HSM firmware version: 11.4.0
    - Client software version: 2.28.9cam136
- Key Trustee Server 3.8 or higher
Root access is required to install Navigator Key HSM.
Navigator HSM KMS Requirements
Recommended Hardware and Supported Distributions
The recommended minimum hardware specifications are as follows:
- Processor: 2 GHz 64-bit quad core
- Memory: 16 GB RAM
- Storage: 40 GB on moderate- to high-performance disk drives
Navigator HSM KMS supports the following Linux distributions:
- RHEL and CentOS: 6.8, 7.1, 7.2, 7.3
Supported HSM devices:
- SafeNet Luna
  - HSM software version: 6.2.2-5
  - HSM firmware version: 6.10.9
  - Client: 6.2.2
- Thales nSolo, nConnect
  - Server version: 3.67.11cam4
  - Firmware: 2.65.2
  - Security World Version: 12.30
Navigator Encrypt Requirements
Operating System Requirements
- Linux kernel 2.6.19 or higher (RHEL and CentOS can use 2.6.18-92 or higher)
- RHEL and CentOS: 5.7, 5.10, 6.4, 6.5, 6.6, 6.7, 7.1, 7.2, 7.3
- Oracle Enterprise Linux (Red Hat Compatible Kernel): 6.4, 6.5, 6.6, 6.7, 7.1, 7.2
- Oracle Enterprise Linux (Unbreakable Enterprise Kernel 2 or 3): 6.5
- SLES: 11 SP2, 11 SP3, 11 SP4, 12 SP1, 12 SP2
- Debian: 7.1, 7.8
- Ubuntu: 12.04, 14.04, 14.04.3, 16.04
Supported command-line interpreters:
- sh (Bourne)
- bash (Bash)
- dash (Debian)
Network Requirements
For new Navigator Key Trustee Server (5.4.0 and higher) installations, Navigator Encrypt initiates TCP traffic over port 11371 (HTTPS) to the Key Trustee Server.
For upgrades and Key Trustee Server versions lower than 5.4.0, Navigator Encrypt initiates TCP traffic over ports 80 (HTTP) and 443 (HTTPS) to the Navigator Key Trustee Server.
Internet Access
You must have an active connection to the Internet to download many package dependencies, unless you have internal repositories or mirrors containing the dependent packages.
Maintenance Window
Data is not accessible during the encryption process. Plan for system downtime during installation and configuration.
Administrative Access
To enforce a high level of security, all Navigator Encrypt commands require administrative (root) access (including installation and configuration). If you do not have administrative privileges on your server, contact your system administrator before proceeding.
Package Dependencies
Navigator Encrypt requires these packages, which are resolved by your distribution package manager during installation:
- dkms
- keyutils
- ecryptfs-utils
- libkeytrustee
- navencrypt-kernel-module
- openssl
- lsof
- gcc
- cryptsetup
These packages may have other dependencies that are also resolved by your package manager. Installation works with gcc, gcc3, and gcc4.