Altus Director Database Encryption
Database encryption is configured by setting the two server configuration properties described in the following table.
|lp.encryption.twoWayCipher||Cipher used to encrypt data. Possible values:
|lp.encryption.twoWayCipherConfig||The configuration string for the chosen cipher.|
The format of the configuration string varies with the choice of cipher, as described in the table below:
|Cipher||Configuration String Format|
|desede||24-byte symmetric encryption key, encoded as a string using Base64|
|transitional||combination of old cipher and new cipher (see below)|
Starting with Encryption
Altus Director’s default configuration for database encryption encrypts new data stored in the Altus Director database. This default configuration uses triple DES encryption, with a default key, to protect data. In a new installation of Altus Director, all data needing protection will be encrypted under the default encryption scheme. In an installation that was previously not configured for encryption, including older releases of Altus Director, new data needing protection will be encrypted, but old data needing protection will remain unencrypted until it is updated in the database over time.
If this level of protection is sufficient for your needs, it is not necessary to make any changes to Altus Director configuration. While Altus Director will function correctly, keep in mind that there are drawbacks: some data needing protection in the database might remain unencrypted indefinitely, and data that is encrypted is effectively only obscured, since the default key is not secret.
Establishing More Secure Encryption for New Installations
For a new installation of Altus Director, Cloudera recommends that you generate and configure your own secret encryption key, different from the default key. Create a new key by generating 24 bytes of random data from a cryptographically secure random generator, and encode the bytes using the Base64 encoding algorithm.
python -c 'import base64, os; print base64.b64encode(os.urandom(24))'Set the Altus Director configuration property lp.encryption.twoWayCipherConfig to the Base64-encoded key string before starting Altus Director for the first time. All data needing protection in the database will be encrypted with this key. It is good practice to change the encryption key periodically to protect against unintentional disclosure. See Changing Encryption below for more.
Establishing More Secure Encryption for Existing Installations
For an existing installation of Altus Director that uses either no encryption at all (including older releases of Altus Director) or uses only the default encryption, Cloudera recommends that you use a transitional cipher to change encryption to a more secure state. Not only will changing encryption introduce the use of a non-default and secret key, but it will also forcibly encrypt all data needing protection in the database, whether it was already encrypted or not.
- If the default cipher and key was in use previously, then use "desede" and the default key for the old cipher configuration.
- If no encryption was in place previously, including older releases of Altus Director which did not support database encryption, then use "passthrough" (with no configuration string) for the old cipher configuration.
The new cipher should be triple DES ("desede") with a secret key that you generate. See Establishing More Secure Encryption for New Installations above for details on how to generate a good key.
After establishing more secure encryption, it is good practice to change the encryption key periodically to protect against unintentional disclosure. Use the transitional cipher again to change encryption to use a new key.
If a transitional cipher is configured, Altus Director encrypts all data that needs protection, changing from an old encryption scheme to a new encryption scheme. A transitional cipher can change the encryption in effect, or introduce it when it has not been used before, including under older Altus Director releases. It also ensures that all data needing protection becomes encrypted.
- Stop the server.
- Configure lp.encryption.twoWayCipher with the value transitional.
- Configure lp.encryption.twoWayCipherConfig with a configuration string describing both the old cipher and the new cipher.
- Start the server.
A transitional cipher cannot be used as the old or new cipher in another transitional cipher.
When the server restarts, it detects that a transitional cipher is configured and updates all relevant data, unencrypted and encrypted, to the new cipher. After this process is complete, the server continues startup as usual. Configuring a transitional cipher ensures that all data needing protection in the database is encrypted.
Wait for the Server to Complete Ongoing Work
Do not try to change encryption while the server is performer ongoing work. If any work is waiting to be resumed by the server on startup (for example, bootstrapping a new cluster), then the server will refuse to change encryption and will stop. If this happens, you must configure the server for its old cipher, start it, and wait for that work to resume and be completed.
Changing from a Transitional Cipher to a Normal Cipher
After encryption has been changed using a transitional cipher, you can configure the server to use the new cipher normally.
- While configured with a transitional cipher, the server will not restart if work is waiting to be resumed.
- If the server is left configured with a transitional cipher, each time it is restarted the database contents will be re-encrypted using the same key.