Important: If you are using SSH software other than OpenSSH, the initialization fails. To prevent this, pre-create the SSH key before continuing:

$ sudo -u keytrustee ssh-keygen -t rsa -f /var/lib/keytrustee/.ssh/id_rsa

For new installations, use the Set up HDFS Data At Rest Encryption wizard and follow the instructions in Enabling HDFS Encryption Using the Wizard. When prompted, deselect the Enable High Availability option to proceed in standalone mode.

To set up Key Trustee Server manually, add the Key Trustee Server service to your cluster, following the instructions in Adding a Service. When customizing role assignments, assign only the Active Key Trustee Server and Active Database roles.

  Important: You must assign the Key Trustee Server and Database roles to the same host. Key Trustee Server does not support running the database on a different host.

For parcel-based Key Trustee Server releases 5.8 and higher, Cloudera Manager automatically backs up Key Trustee Server (using the ktbackup.sh script) after adding the Key Trustee Server service. It also schedules automatic backups using cron. For package-based installations, you must manually back up Key Trustee Server and configure a cron job.

Cloudera Manager configures cron to run the backup script hourly. The latest 10 backups are retained in /var/lib/keytrustee in cleartext. For information about using the backup script and configuring the cron job (including how to encrypt backups), see Backing Up Key Trustee Server and Key Trustee KMS Using the ktbackup.sh Script.

Depending on your cluster configuration and the security practices in your organization, you might need to restrict the allowed versions of TLS/SSL used by Key Trustee Server. Older TLS/SSL versions might have vulnerabilities or lack certain features.

Specify one of the following values using the Minimum TLS Support configuration setting:

• tlsv1: Allow any TLS version of 1.0 or higher. This setting is the default when TLS/SSL is enabled.

• tlsv1.1: Allow any TLS version of 1.1 or higher.

• tlsv1.2: Allow any TLS version of 1.2 or higher.

  Note: The pyOpenSSL version on the Key Trustee Server cluster should be updated to 16.2 before changing the TLS version to 1.2. If pyOpenSSL is not updated, then the following error appears when the Key Trustee Server service attempts to restart:

keytrustee-server: Error in setting the protocol to the value TLSv1.2.
This usually means there is no support for the entered value.
Python Error: 'module' object has no attribute 'OP_NO_TLSv1_1"

AES256:CAMELLIA256-SHA

By default, the cipher list is empty, and Key Trustee Server uses the default cipher list for the underlying platform. See the output of man ciphers for the full set of keywords and notation allowed in the argument string.