Encrypting and Decrypting Data Using Cloudera Navigator Encrypt

Once the encrypted file system is created and initialized, it is ready to hold data. All encryption and decryption functionality is performed with a single command: navencrypt-move.

Encrypting Data

Here is an example command to encrypt data, with an explanation for each option:
$ sudo navencrypt-move encrypt @<category> <directory_to_encrypt> <encrypted_mount_point>
navencrypt-move Command Options
Command Option Explanation

Main command interface for all actions that require moving data either to or from the encrypted file system. For more information see the navencrypt-move man page (man navencrypt-move).


Identifies the direction to move data. In this case, we are moving data into the encrypted file system (encrypting it). The decrypt parameter is a valid option here as well, which produces the opposite effect.

@<category> This is the access category that will be applied to the data being encrypted. When moving data into the encrypted filesystem, you will be protecting it with process-based access controls that will restrict access to only the processes that you allow. The naming convention of the category is entirely up to you (the @ is required), but it is typically a good idea to keep it simple and memorable. Depending on what data you are encrypting, it is usually best to pick a name referencing the data encrypted. For example, a @mysql category would be fitting for a MySQL deployment.
<directory to encrypt> This is the data that you want to encrypt. This can be a single file or an entire directory. The Navigator Encrypt process starts after the system boots, so you should not encrypt system-required files and directories (for example, the root partition, the entire /var directory, etc.). Some examples of recommended data directories to encrypt are /var/lib/mysql/data, /db/data, etc.
<encrypted mount-point> The last parameter is where you want the data to be stored. This is the path to the mount-point specified during the navencrypt-prepare command. In the example from the previous section above, this is /var/lib/navencrypt/mount.

When a file is encrypted, a symbolic link (symlink) is created which points to a mount-point @<category> directory. The navencrypt-move command actually moves all specified data to the encrypted filesystem and replaces it with a symlink to the mount-point for that encrypted filesystem.

Encrypting a directory is similar to encrypting a file. The following command encrypts a directory:
$ sudo /usr/sbin/navencrypt-move encrypt @mycategory /path/directory_to_encrypt/ /path/to/mount
In this command, a directory is specified instead of a filename, and a symlink is created for that particular directory. To see the effects of this command, run:
$ ls -l <directory_to_encrypt>
$ du -h <encrypted_storage_directory>

The output demonstrates the new filesystem layout. Everything that was once in the target directory is now securely stored inside of the encrypted filesystem, fully encrypted and protected from outside access.

Decrypting Data

The decryption command works in a similar way to the encrypt command. The following example demonstrates how to decrypt a file using the navencrypt-move command:
$ sudo /usr/sbin/navencrypt-move decrypt /path/file_to_decrypt
As with encryption, you can specify a directory instead of a file:
$ sudo /usr/sbin/navencrypt-move decrypt /path/directory_to_decrypt