Enable Data-At-Rest Encryption for a Cluster

HPE Ezmeral Data Fabric's data-at-rest encryption protects the data on a node's disks in the event a disk is compromised. Using the Installer, you can select the Enable MapR DARE option during an incremental install after upgrading. You can also convert a cluster that is not enabled for encryption at rest into a cluster enabled for encryption at rest from the command line, either during a Manual Rolling Upgrade Description or after an Offline and Manual Upgrade Procedure.

Note: Encryption of data at rest can only be enabled on a secure cluster.
To convert:

1. Perform the following steps on a CLDB node to generate the master key for encryption of data at rest:
   a. Stop Warden on the CLDB node by running the following command:
         /bin/systemctl stop mapr-warden
   b. Install the HPE Ezmeral Data Fabric packages if this is a rolling upgrade.
   c. Run the configure.sh command as follows:
         /opt/mapr/server/configure.sh -genkeys -nocerts -dare -R
      When you run configure.sh with the -genkeys and -dare options, a master key file is generated and stored in /opt/mapr/conf/dare.master.key.
      Important: You must create a copy of this file in one or more other locations for backup purposes. Loss of this key will result in loss of the cluster.
   d. Start Warden by running the following command:
         /bin/systemctl start mapr-warden

2. Copy the data-at-rest encryption master key file (generated above) to the /opt/mapr/conf directory on all the other CLDB nodes in the cluster.

3. Perform the following steps on all the nodes in the cluster (one node at a time if you are doing a rolling upgrade):
   a. Stop Warden by running the following command:
         /bin/systemctl stop mapr-warden
   b. Install the HPE Ezmeral Data Fabric packages if this is a rolling upgrade.
   c. Run the configure.sh command as follows:
         /opt/mapr/server/configure.sh -dare -R
   d. Start Warden by running the following command:
         /bin/systemctl start mapr-warden

4. Enable encryption of data at rest through the mfs.feature.dare property, and optionally enable other features if they are not yet enabled. To enable encryption of data at rest, run:
      maprcli cluster feature enable -name mfs.feature.dare

5. Specify whether (1) or not (0) to convert all existing volumes that are not enabled for encryption of data at rest into volumes that are enabled for it, by setting the value of the cldb.enforce.old.volumes.dare property with the config save command.
   By default, all existing volumes are converted to volumes enabled for data-at-rest encryption, because the default value of the cldb.enforce.old.volumes.dare property is 1. To leave existing volumes unconverted, run the following command:
      maprcli config save -values '{"cldb.enforce.old.volumes.dare":"0"}'

6. Format the storage pools (SPs) on the nodes for data-at-rest encryption, one node and one SP at a time. That is:
   a. Decommission the node.
   b. Format the SPs on the node.
   c. Move the node back to its original topology.
   CAUTION: Wait a few minutes and make sure that the Under Replicated alarm is cleared for all the volumes on an SP before formatting the next SP.

7. Enable encryption of data at rest at the cluster level by running the following command:
      maprcli config save -values '{"mfs.enforce.dare":"1"}'

8. Verify that encryption of data at rest is enabled at the cluster level by running the following command:
      maprcli config load -json | grep dare
   Your output should look similar to the following:
      "cldb.enforce.old.volumes.dare":"1",
      "mapr.default.dare.alarm.pending":"0",
      "mapr.volume.dare.default":"1",
      "mfs.enforce.dare":"1",
      "mfs.feature.dare":"1",
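A scripted form of the verification step, added here and not part of the HPE documentation: it reads the properties out of saved `maprcli config load -json` output and fails if the cluster-level settings are not the ones the procedure produces. The "key":"value" layout and the two sample inputs are assumptions constructed from the fragment shown above.

```shell
#!/bin/sh
# Added example, not part of the HPE documentation: check the cluster-level DARE
# properties in saved output of `maprcli config load -json`. It assumes the JSON
# carries each property as a "key":"value" pair, as in the grep output shown
# above; the sample inputs below are constructed for the demo.

# Values expected once the procedure is complete (see the verification step).
DARE_EXPECTED='mfs.feature.dare=1
mfs.enforce.dare=1
mapr.volume.dare.default=1'

# Constructed sample: the fragment shown in the verification step.
SAMPLE_ENABLED='"cldb.enforce.old.volumes.dare":"1",
"mapr.default.dare.alarm.pending":"0",
"mapr.volume.dare.default":"1",
"mfs.enforce.dare":"1",
"mfs.feature.dare":"1",'

# Constructed sample: feature enabled, but the cluster-level enforce step skipped.
SAMPLE_NOT_ENFORCED='"mapr.volume.dare.default":"1",
"mfs.enforce.dare":"0",
"mfs.feature.dare":"1",'

# dare_value FILE KEY: print the value of "KEY":"value" in FILE (empty if absent).
dare_value() {
    sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_dare_config FILE: return 0 when every expected property has its expected
# value, 1 otherwise; each mismatch or missing property is reported on stderr.
check_dare_config() {
    echo "$DARE_EXPECTED" | while IFS='=' read -r key want; do
        have=$(dare_value "$1" "$key")
        [ "$have" = "$want" ] && continue
        echo "DARE check failed: $key expected $want, got '${have:-missing}'" >&2
        exit 1   # exits the pipeline subshell only; the loop status becomes 1
    done
}

# Stand-alone demo on the constructed sample. Against a live cluster, save the
# real output first: maprcli config load -json > /tmp/dare.json
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_ENABLED" > "$demo_file"
check_dare_config "$demo_file" && echo "Data-at-rest encryption is enforced cluster-wide"
rm -f "$demo_file"
```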
Encryption of data at rest is now enabled by default for all new volumes on the cluster. You can disable data-at-rest encryption for individual volumes that do not require it. See Enabling or Disabling Data at Rest Encryption at the Volume Level Using the Control System or Enabling or Disabling Data at Rest Encryption at the Volume Level Using the CLI and REST API.