Cloudera Enterprise 5.15.x

Cloudera Navigator Key Trustee Server

Cloudera Navigator Key Trustee Server is an enterprise-grade cryptographic key storage and management system used by Cloudera Navigator Encrypt that separates encryption keys from the data, thus ensuring data is protected even if unauthorized users gain access to the storage media. It enables your cluster to meet the strictest data security regulations. Furthermore, Navigator Key Trustee Server can be integrated with a hardware security module (HSM) to provide the highest level of security for your keys. See Cloudera Navigator Key HSM for details.

In addition, Navigator Key Trustee Server can be used by other cluster components. For example, HDFS Transparent Encryption can use Navigator Key Trustee Server (KTS) as its backing key store (for Hadoop KMS, instead of the default Java KeyStore) for better security and scalability. See Migrating Keys from a Java KeyStore to Cloudera Navigator Key Trustee Server for more information about using Navigator KTS with HDFS encryption.

  Important: Cloudera recommends that each cluster use its own KTS instance. Although sharing a single KTS across clusters is technically possible, it is neither approved nor supported for security reasons—specifically, the increased security risks associated with a single point of failure for encryption keys used by multiple clusters.

After Installing Cloudera Navigator Key Trustee Server, follow the steps below to manage the system:

Page generated May 18, 2018.