Effective Jan 31, 2021, all Cloudera software requires a subscription.

Access Restricted



Recommended Hardware and Supported Distributions

Cloudera recommends that the Key Trustee Server be installed on a dedicated server or virtual machine (VM) that is not used for any other cluster services. The recommended minimum hardware specifications are as follows:

  • Processor: 1 GHz 64-bit quad core
  • Memory: 8 GB of RAM
  • Storage: 20 GB on moderate to high-performance disk drives

The supported Linux distributions are as follows:

  • RHEL or CentOS x64 6.4, 6.5, 6.6, 6.7, 7.1

Cloudera Manager Requirements

Installing and managing Key Trustee Server using Cloudera Manager requires Cloudera Manager 5.4.0 and higher.

SELinux Requirements

SELinux must be disabled for Key Trustee installation and operation. Modify /etc/selinux/config to set SELINUX=disabled and reboot the system for the change to take effect.

umask Requirements

Key Trustee Server installation requires the default umask of 0022.

Network Requirements

For new Key Trustee Server installations (5.4.0 and higher) and migrated upgrades (see (Recommended) Migrate Apache Web Server to CherryPy for more information), Key Trustee Server requires the following TCP ports to be opened for inbound traffic:

  • 11371

    Clients connect to this port over HTTPS.

  • 11381 (PostgreSQL)

    The passive Key Trustee Server connects to this port for database replication.

For upgrades that are not migrated to the CherryPy web server, the pre-upgrade port settings are preserved:

  • 80

    Clients connect to this port over HTTP to obtain the Key Trustee Server public key.

  • 443 (HTTPS)

    Clients connect to this port over HTTPS.

  • 5432 (PostgreSQL)

    The passive Key Trustee Server connects to this port for database replication.

TLS Certificate Requirements

To ensure secure network traffic, Cloudera recommends obtaining Transport Layer Security (TLS) certificates specific to the hostname of your Key Trustee Server. To obtain the certificate, generate a Certificate Signing Request (CSR) for the fully-qualified domain name (FQDN) of the Key Trustee Server host. The CSR must be signed by a trusted Certificate Authority (CA). After the certificate has been verified and signed by the CA, the Key Trustee Server TLS configuration requires:

  • The CA-Signed Certificate
  • The private key used to generate the original CSR
  • The Intermediate Certificate/Chain File (provided by the CA)

Cloudera recommends against using self-signed certificates. If you proceed with the installation using self-signed certificates, you must use the --skip-ssl-check parameter when registering Navigator Encrypt with the Key Trustee Server. This skips TLS hostname validation, which safeguards against certain network-level attacks. For more information regarding insecure mode, see Registration Options.

Entropy Requirements

Cryptographic operations require entropy to ensure randomness.

You can check the available entropy on a Linux system by running the following command:

$ cat /proc/sys/kernel/random/entropy_avail

If the entropy is low (500 or less), you must increase the entropy in the system. A common way to accomplish this is to install rng-tools and start the rngd service:

$ sudo yum install rng-tools
$ sudo service rngd start

Selected tab: systemrequirements

What's New in Cloudera Navigator Key Trustee Server 5.5.2

  • The ktadmin command has a new --passphrase option to allow migration of existing keys from a Key Trustee Server with a password-protected private key to an HSM. See Integrating Key HSM with Key Trustee Server for more information.

Issues Fixed in Cloudera Navigator Key Trustee Server 5.5.2

Key Trustee Server with password-protected private key cannot communicate with Key HSM

If its private key is password-protected, Key Trustee Server cannot communicate with Key HSM.

Selected tab: whatsnew

Related Downloads

Navigator Encrypt

Connects HDFS Encryption to Navigator Key Trustee Server for production-ready key storage.


Download Now >

Navigator Key Trustee KMS

Connects HDFS Encryption to Navigator Key Trustee Server for production-ready key storage.


Download Now >

Navigator Key HSM

Integrates Navigator Key Trustee to existing Hardware Security Modules (HSMs), providing an (optional) additional layer of security.


Download Now >

Want to Get Involved or Learn More?

Check out our other resources

Cloudera Community

Collaborate with your peers, industry experts, and Clouderans to make the most of your investment in Hadoop.

Cloudera Educational Services

Receive expert Hadoop training through Cloudera Educational Services, the industry's only truly dynamic Hadoop training curriculum that’s updated regularly to reflect the state of the art in big data.