Protection of CLDB and DARE Master Keys
This section describes how the CLDB key and DARE master keys are encrypted and stored during normal operations.
The following table specifies the location of the the cldb.key
and
dare.master.key
for Data Fabric with and without HSM integration.
Data Fabric version | Location of cldb.key/dare.master.key | cldb.key/dare.master.key generation/security mechanism |
---|---|---|
Data Fabric version 6.2.0 or earlier without HSM integration | /opt/mapr/conf/ folder |
The keys are protected by the file level permission with Mode bits. The CLDB
key is encrypted using a weak hard-coded key and stored in Base-64 format in
|
Data Fabric 6.2.0 with external HSM integration | stored as part of the /opt/mapr/conf/tokens folder. |
The keys are encrypted with HSM encryption keys |
Data Fabric version 7.0.0 and later without explicit enterprise HSM integration | /opt/mapr/conf/tokens folder |
The keys are generated as part of the configure.sh -genkeys
option , and are encrypted using cryptographic keys generated from HSM.NOTE By default, Data Fabric simulates file-based HSM locally. |
Data Fabric version 7.0.0 and later explicitly integrated with enterprise HSM | /opt/mapr/conf/tokens folder in encrypted form. |
The cryptographic keys that are used for encryption of the
cldb.key or the dare.master.key lifecycle are
managed by the enterprise HSM. The dare.master.key and
cldb.key files are protected by using KMIP. |
dare.master.key
is generated only when
data-at-rest-encryption (DARE) is enabled at cluster level. In MFS Only node, the
dare.master.key
will be created as a zero KB file. When DARE is
enabled at cluster level by passing -cldb -dare -genkeys
option as part
of the configure.sh
script, it generates
cldb.key/dare.master.key
and encrypts them and store in
/opt/mapr/conf/tokens
folder. It is not required to copy the tokens
folder to nodes that are not running the cldb
service or the
zookeeper
service. On MFS only nodes, a 0 kb
dare.master.key
gets automatically generated as part of the
configure.sh -dare
option while adding node to cluster. It is not
required to create a dare.master.key
explicitly on nodes that are not
running the cldb
service or the zookeeper
service.
/opt/mapr/conf/token
folder. If the
/opt/mapr/conf/token
folder is accidentally deleted, the cluster or
fabric can be restored from the backed up /opt/mapr/conf/token
folder.In
case of upgrade of Cluster from 6.2.x to 7.x , the deployments still contain
cldb.key
/dare.master.key
. As part of the cluster
upgrade, the token
folder is generated and it encrypts the
cldb.key
or dare.master.key
.
mrhsm
commands, see mrhsm
commands.Note these important considerations:
- Instead of backing up the
cldb.key
anddare.master.key
as recommended in previous versions, you are encouraged to back up the${MAPR_HOME}/conf/tokens
directory as well as the${MAPR_HOME}/conf/maprhsm.conf
file. These are both essential to retrieve the keys. - During the configuration, you must copy the
${MAPR_HOME}/conf/tokens
directory and the${MAPR_HOME}/conf/maprhsm.conf
file to all CLDB nodes and Zookeeper nodes, instead of merely copying thecldb.key
anddare.master.key
files. - On MFS only nodes a
dare.master.key
file of size 0 KB gets generate automatically as part of theconfigure.sh -dare
option while adding node to cluster. MFS-only nodes still need an empty${MAPR_HOME}/conf/dare.master.key
file to detect that DARE is enabled. This file does NOT need to contain the actual key. It is NOT required to createdare.master.key
explicitly on nodes that are not running the CLDB service or Zookeeper service. - During an upgrade, the
cldb.key
anddare.master.key
are left intact and untouched even though we expect to have them stored in the PKCS#11 file store. It is a best practice to remove them from the node and store them in a safe location in case they are needed again.