Cloudera Navigator Key Trustee Server High Availability
Key Trustee Server high availability applies to read operations only. If either Key Trustee Server fails, the KeyProvider automatically retries fetching keys from the functioning server. New write operations (for example, creating new encryption keys) are not allowed unless both Key Trustee Servers are operational.
If a Key Trustee Server fails, the following operations are impacted:
- HDFS Encryption
- You cannot create new encryption keys for encryption zones.
- You can write to and read from existing encryption zones, but you cannot create new zones.
- Cloudera Navigator Encrypt
- You cannot register new Cloudera Navigator Encrypt clients.
- You can continue reading and writing encrypted data, including creating new mount points, using existing clients.
Cloudera recommends monitoring both Key Trustee Servers. If a Key Trustee Server fails catastrophically, restore it from backup to a new host with the same hostname and IP address as the failed host. See Backing Up and Restoring Key Trustee Server and Clients for more information. Cloudera does not support PostgreSQL promotion to convert a passive Key Trustee Server to an active Key Trustee Server.
Depending on your cluster configuration and the security practices in your organization, you might need to restrict the allowed versions of TLS/SSL used by Key Trustee Server. For details, see Specifying TLS/SSL Minimum Allowed Version and Ciphers.
Configuring Key Trustee Server High Availability Using Cloudera Manager
For new installations, use the Set up HDFS Data At Rest Encryption wizard and follow the instructions in Enabling HDFS Encryption Using the Wizard. When prompted, make sure that the Enable High Availability option is selected.
- Stop the Key Trustee Server service ( ).
- Run the Set Up Key Trustee Server Database command ( ).
- Run the following command on the Active Key Trustee Server:
$ sudo rsync -zcav --exclude .ssl /var/lib/keytrustee/.keytrustee email@example.com:/var/lib/keytrustee/.
Replace keytrustee02.example.com with the hostname of the Passive Key Trustee Server.
- Run the following command on the Passive Key Trustee Server:
$ sudo ktadmin init
- Start the Key Trustee Server service ( ).
- Enable synchronous replication ( ).
- Restart the Key Trustee Server service ( ).
For parcel-based Key Trustee Server releases 5.8 and higher, Cloudera Manager automatically backs up Key Trustee Server (using the ktbackup.sh script) after adding the Key Trustee Server service. It also schedules automatic backups using cron. For package-based installations, you must manually back up Key Trustee Server and configure a cron job.
Cloudera Manager configures cron to run the backup script hourly. The latest 10 backups are retained in /var/lib/keytrustee in cleartext. For information about using the backup script and configuring the cron job (including how to encrypt backups), see Backing Up Key Trustee Server and Key Trustee KMS Using the ktbackup.sh Script.
Recovering a Key Trustee Server
If a Key Trustee Server fails, restore it from backup as soon as possible. If the Key Trustee Server hosts fails completely, make sure that you restore the Key Trustee Server to a new host with the same hostname and IP address as the failed host.
For more information, see Backing Up and Restoring Key Trustee Server and Clients.