Encrypting and Decrypting Data Using Cloudera Navigator Encrypt
Once the encrypted filesystem is created and initialized, it is ready to hold data. All encryption and decryption is performed with a single command, navencrypt-move:
$ sudo navencrypt-move encrypt @<category> <directory_to_encrypt> <encrypted_mount_point>
| Parameter | Description |
|---|---|
| navencrypt-move | Main command interface for all actions that move data to or from the encrypted filesystem. For more information, see the navencrypt-move man page (man navencrypt-move). |
| encrypt | Identifies the direction in which data is moved. Here data is moved into the encrypted filesystem (encrypting it). The decrypt parameter is also valid and produces the opposite effect. |
| @<category> | The access category applied to the data being encrypted. When data is moved into the encrypted filesystem, it is protected by process-based access controls that restrict access to only the processes you allow. The category name is up to you (the leading @ is required), but keep it simple and memorable, and preferably name it after the data it protects; for example, @mysql would fit a MySQL deployment. |
| <directory_to_encrypt> | The data to encrypt, either a single file or an entire directory. The Navigator Encrypt process starts after the system boots, so do not encrypt system-required files and directories (for example, the root partition or the entire /var directory). Examples of recommended data directories to encrypt are /var/lib/mysql/data and /db/data. |
| <encrypted_mount_point> | Where the data is stored: the path to the mount point specified during the navencrypt-prepare command. In the example from the previous section, this is /var/lib/navencrypt/mount. |
When a file or directory is encrypted, navencrypt-move moves all of the specified data into the encrypted filesystem and replaces it at its original location with a symbolic link (symlink) that points into the @<category> directory under the mount point for that encrypted filesystem.
$ sudo /usr/sbin/navencrypt-move encrypt @mycategory /path/directory_to_encrypt/ /path/to/mount
$ ls -l <directory_to_encrypt>
$ du -h <encrypted_storage_directory>
The output shows the new filesystem layout: the original path is now a symlink, and everything that was once in the target directory is stored inside the encrypted filesystem, encrypted and protected from outside access.
Decrypting reverses the operation. navencrypt-move decrypt moves the data back out of the encrypted filesystem to its original location, and it accepts either a single file or an entire directory:
$ sudo /usr/sbin/navencrypt-move decrypt /path/file_to_decrypt
$ sudo /usr/sbin/navencrypt-move decrypt /path/directory_to_decrypt
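As an added example (not part of the Cloudera documentation or the navencrypt tooling), the following shell checks wrap the procedure above: a pre-flight that refuses the system paths the text warns against, a category syntax check, and a post-move check that the original path is now a symlink resolving under <mount>/@<category>. The list of protected paths and the exact sub-path layout beneath the category directory are assumptions; adjust them to your deployment.

```shell
#!/usr/bin/env bash
# Added example; requires GNU readlink (-f). Not code from the Cloudera docs.

# Paths that must never be passed to navencrypt-move encrypt: the Navigator
# Encrypt process starts after boot, so the root partition and /var must stay
# plain. The remaining entries are an assumption, extend to fit your hosts.
SYSTEM_PATHS="/ /bin /boot /dev /etc /lib /lib64 /proc /root /run /sbin /sys /usr /var"

# Category must start with '@', be non-empty after it, and contain no '/'.
valid_category() {
  case "$1" in
    @?*) case "${1#@}" in */*) return 1 ;; *) return 0 ;; esac ;;
    *)   return 1 ;;
  esac
}

# Pre-flight for the <directory_to_encrypt> argument: it must exist, must not
# already be a symlink (likely moved earlier), and must not be a system path.
preflight_encrypt_target() {
  target=$1
  if [ ! -e "$target" ]; then echo "does not exist: $target" >&2; return 1; fi
  if [ -L "$target" ]; then echo "already a symlink (moved?): $target" >&2; return 1; fi
  abs=$(readlink -f -- "$target") || return 1
  for p in $SYSTEM_PATHS; do
    if [ "$abs" = "$p" ]; then echo "refusing system path: $abs" >&2; return 1; fi
  done
  return 0
}

# Post-move check: $1 (original path) must now be a symlink whose resolved
# target lies under $2/$3 (mount point, @category). A symlink that resolves
# anywhere else means the data is not inside the encrypted filesystem.
verify_encrypted() {
  path=$1 mount=$2 category=$3
  valid_category "$category" || { echo "bad category: $category" >&2; return 1; }
  if [ ! -L "$path" ]; then echo "not a symlink: $path" >&2; return 1; fi
  resolved=$(readlink -f -- "$path") || return 1
  mount_abs=$(readlink -f -- "$mount") || return 1
  case "$resolved" in
    "$mount_abs/$category"|"$mount_abs/$category"/*) return 0 ;;
    *) echo "symlink leaves the encrypted mount: $path -> $resolved" >&2; return 1 ;;
  esac
}
```

Run verify_encrypted right after navencrypt-move encrypt and again from a periodic integrity job, since a symlink that later points elsewhere is the first sign that the protected path has been tampered with.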