This is the documentation for Cloudera Enterprise 5.8.x. Documentation for other versions is available at Cloudera Documentation.

Initializing Standalone Key Trustee Server

If you are configuring high availability Key Trustee Servers, skip this step and proceed to Cloudera Navigator Key Trustee Server High Availability.

Using Cloudera Manager

  Important: If you are using SSH software other than OpenSSH, pre-create the SSH key before continuing:
$ sudo -u keytrustee ssh-keygen -t rsa -f /var/lib/keytrustee/.ssh/id_rsa

For new installations, use the Set up HDFS Data At Rest Encryption wizard and follow the instructions in Enabling HDFS Encryption Using the Wizard.

To set up Key Trustee Server manually, add the Key Trustee Server service to your cluster, following the instructions in Adding a Service. When customizing role assignments, assign only the Active Key Trustee Server and Active Database roles.

  Important: You must assign the Key Trustee Server and Database roles to the same host.

For parcel-based Key Trustee Server releases 5.8 and higher, Cloudera Manager automatically backs up Key Trustee Server (using the ktbackup.sh script) after adding the Key Trustee Server service. It also schedules automatic backups using cron. For package-based installations, you must manually back up Key Trustee Server and configure a cron job.

Cloudera Manager configures cron to run the backup script hourly. The latest ten backups are retained in /var/lib/keytrustee in cleartext. For information about using the backup script and configuring the cron job (including how to encrypt backups), see Backing Up Key Trustee Server and Key Trustee KMS Using the ktbackup.sh Script.

Using the Command Line

To initialize a standalone Key Trustee Server, run the following commands on the Key Trustee Server:
  Important: For Key Trustee Server 5.4.0 and higher, the ktadmin init-master command is deprecated. Use the ktadmin init command instead. If you are using SSH software other than OpenSSH, pre-create the SSH key before continuing:
$ sudo -u keytrustee ssh-keygen -t rsa -f /var/lib/keytrustee/.ssh/id_rsa
$ sudo ktadmin init --external-address keytrustee.example.com
$ sudo ktadmin db --bootstrap --port 11381 --pg-rootdir /var/lib/keytrustee/db
## For RHEL/CentOS 7, use 'sudo systemctl [stop|start] <service_name>' instead of 'sudo service <service_name> [stop|start]' ##
$ sudo service keytrustee-db stop
$ sudo service keytrustee-db start
$ sudo service keytrusteed start
$ sudo chkconfig keytrustee-db on
$ sudo chkconfig keytrusteed on

Replace keytrustee.example.com with the fully qualified domain name (FQDN) of the Key Trustee Server, and /var/lib/keytrustee/db with the path to the directory you want to use to store the PostgreSQL database.

To use a different port for the database, modify the ktadmin init and ktadmin db commands as follows:

$ sudo ktadmin init --external-address keytrustee.example.com --db-connect postgresql://localhost:<port>/keytrustee?host=/tmp
$ sudo ktadmin db --bootstrap --port <port> --pg-rootdir /var/lib/keytrustee/db

If you specify a database directory other than /var/lib/keytrustee/db, create or edit the /etc/sysconfig/keytrustee-db file and add the following:

ARGS="--pg-rootdir /path/to/db"

The ktadmin init command initializes the Key Trustee configuration directory (/var/lib/keytrustee/.keytrustee by default) and generates a self-signed certificate that Key Trustee Server uses for HTTPS communication.

The ktadmin db --bootstrap command initializes the database in the directory specified by the --pg-rootdir parameter.

The sudo service keytrustee-db stop and sudo service keytrustee-db start commands restart the Key Trustee Server database.

The sudo service keytrusteed start command starts Key Trustee Server.

  Note: The /etc/init.d/postgresql script does not work when the PostgreSQL database is started by Key Trustee Server, and cannot be used to monitor the status of the database. Use /etc/init.d/keytrustee-db instead.
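The following dry-run helper is an added example, not Cloudera's code: it validates the values substituted into the ktadmin commands above (the FQDN for --external-address, the database port, the database directory) and prints the resulting command sequence, keeping the port consistent between ktadmin init and ktadmin db and emitting the /etc/sysconfig/keytrustee-db ARGS line only for a non-default directory. The defaults are the page's (port 11381, /var/lib/keytrustee/db); the FQDN and port checks are this example's own assumptions.

```shell
# Added example, not Cloudera's code: dry-run helper for the ktadmin
# init / ktadmin db sequence. Defaults come from the page; the FQDN and
# port rules are this example's assumptions.

KT_DEFAULT_PORT=11381
KT_DEFAULT_DBDIR=/var/lib/keytrustee/db

# 0 only for a fully qualified domain name: at least two dotted labels,
# label characters only, and not a bare IP address. Short host names fail,
# which matches the certificate requirement for --external-address.
kt_is_fqdn() {
  case "$1" in *[A-Za-z]*) ;; *) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$'
}

# 0 only for a numeric TCP port in 1-65535.
kt_is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage: kt_plan FQDN [PORT] [DBDIR]
# Adds --db-connect only for a non-default port, uses the same port in the
# ktadmin db command, and prints the sysconfig ARGS line only when the
# database directory is not the default.
kt_plan() {
  fqdn=$1; port=${2:-$KT_DEFAULT_PORT}; dbdir=${3:-$KT_DEFAULT_DBDIR}
  kt_is_fqdn "$fqdn" || { echo "error: '$fqdn' is not an FQDN" >&2; return 1; }
  kt_is_port "$port" || { echo "error: '$port' is not a valid port" >&2; return 1; }
  if [ "$port" = "$KT_DEFAULT_PORT" ]; then
    echo "sudo ktadmin init --external-address $fqdn"
  else
    echo "sudo ktadmin init --external-address $fqdn --db-connect postgresql://localhost:$port/keytrustee?host=/tmp"
  fi
  echo "sudo ktadmin db --bootstrap --port $port --pg-rootdir $dbdir"
  if [ "$dbdir" != "$KT_DEFAULT_DBDIR" ]; then
    echo "# add to /etc/sysconfig/keytrustee-db: ARGS=\"--pg-rootdir $dbdir\""
  fi
  # On RHEL/CentOS 7 substitute 'systemctl stop|start' for 'service', as noted above.
  echo "sudo service keytrustee-db stop && sudo service keytrustee-db start"
  echo "sudo service keytrusteed start"
  echo "sudo chkconfig keytrustee-db on && sudo chkconfig keytrusteed on"
}
```

Run `kt_plan keytrustee.example.com` to see the default sequence, or `kt_plan keytrustee.example.com 15432 /data/ktdb` to see the custom-port variant with the ARGS line; a short host name such as `keytrustee` is rejected before any command is printed.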

(Optional) Replace Self-Signed Certificate with CA-Signed Certificate

  Important: Key Trustee Server certificates must be issued to the fully qualified domain name (FQDN) of the Key Trustee Server host. If you are using CA-signed certificates, ensure that the generated certificates use the FQDN, and not the short name.

If you have a CA-signed certificate for Key Trustee Server, see Managing Key Trustee Server Certificates for instructions on how to replace the self-signed certificate.

Page generated July 8, 2016.