Encrypting volumes by using dm-crypt
Encrypt volumes.
dm-crypt provides transparent encryption of block devices. You can access the data immediately after you mount the device. For more information about dm-crypt, see https://wiki.archlinux.org/index.php/dm-crypt .
You can use dm-crypt to encrypt volumes, and either a passphrase or a key file to decrypt them. If you use a key file, you can specify it so that the volume is decrypted when you restart the system.
Storage directories in IBM® Cloud Private
In IBM Cloud Private, you can use dm-crypt to encrypt data-at-rest that is stored at the following locations:
- Kubernetes key value store: /var/lib/etcd
- Kubernetes audit: /var/lib/icp/audit
- MongoDB: /var/lib/icp/mongodb
- Helm repository: /var/lib/icp/helmrepo
- Vulnerability advisor (VA): /var/lib/icp/va
- Persistent volume for image manager: /var/lib/registry
- Certificates and keys: /etc/cfc
- MariaDB: /var/lib/mysql
- Licenses: /opt/ibm/cfc/license
- Software ID tags: /opt/ibm/cfc/swidtag
- Persistent volume for logging: /var/lib/icp/logging/elasticsearch
- Persistent volume for Prometheus: <installation_directory>/dirforPrometheusServer
- Persistent volume for AlertManager: <installation_directory>/dirforAlertManager
- Persistent volume for Grafana: <installation_directory>/dirforGrafana
- IBM Cloud Private configuration: <installation_directory>/cluster
You can encrypt the following directories to cover the storage locations in the preceding list:
- /var/lib/etcd
- /var/lib/icp
- /var/lib/registry
- /var/lib/mysql
- /etc/cfc
- /opt/ibm
- <installation_directory>
Note: You can use /opt/ibm as the installation directory.
For more information about the disk space requirements for these directories, see Disk space requirements.
FIPS compliance
If you want to make the encryption compliant with Federal Information Processing Standards (FIPS), follow these guidelines:
- For RHEL, see the following guidelines:
- For Ubuntu, see https://wiki.ubuntu.com/Security/Certification
- For SUSE Linux Enterprise Server (SLES), see https://www.suse.com/support/security/certifications/
Encrypting a directory
You must follow these instructions to encrypt a directory. Steps to encrypt the /var/lib/etcd data store are shown as an example. You can follow these steps to encrypt any directory of your choice.
Prerequisites
Ensure that the following packages are installed on all the nodes of your IBM Cloud Private cluster:
- On Red Hat Enterprise Linux (RHEL), the following packages must be installed:
  - cryptsetup
  - device-mapper
  - util-linux
  If the packages are not installed, run this command as a root user to install them:
  yum install cryptsetup-luks
- On Ubuntu, the following packages must be installed:
  - cryptsetup
  - libdevmapper1
  - util-linux
  If the packages are not installed, run this command as a root user to install them:
  apt-get install cryptsetup
Encrypting a volume
Run these commands as a root user:
- Configure logical volume management (LVM) to store the encrypted data:
  - Create a physical volume.
    pvcreate <full path and name of the physical volume>
    Example command and output:
    pvcreate /dev/sda1
    Physical volume "/dev/sda1" successfully created.
  - Create a volume group.
    vgcreate <name of the volume group> <full path to the physical volume>
    Example command and output:
    vgcreate etcdvg /dev/sda1
    Volume group "etcdvg" successfully created.
  - Create a logical volume.
    lvcreate -L <amount of space required> <name of the volume group> -n <name of the logical volume>
    Example command and output:
    lvcreate -L4G etcdvg -n etcd
    Logical volume "etcd" created.
- Create a dm-crypt LUKS container in the logical volume.
  cryptsetup -y luksFormat <full path to the logical volume>
  If you want to use a passphrase for decrypting, you can specify it now.
  Example command and output:
  cryptsetup -y luksFormat /dev/etcdvg/etcd
  WARNING!
  ========
  This will overwrite data on /dev/etcdvg/etcd irrevocably.

  Are you sure? (Type uppercase yes): YES
  Enter passphrase:
  Verify passphrase:
- Open the LUKS container and map it to /dev/mapper/<name of the logical volume>.
  cryptsetup luksOpen <full path to the logical volume> <name of the logical volume>
  Example command and output:
  cryptsetup luksOpen /dev/etcdvg/etcd etcd
  Enter passphrase for /dev/etcdvg/etcd:
- Create a file system on the logical volume. You can use any file system. The command here creates an XFS file system.
  mkfs.xfs /dev/mapper/<name of the logical volume>
  Example command and output:
  mkfs.xfs /dev/mapper/etcd
  meta-data=/dev/mapper/etcd       isize=512    agcount=4, agsize=262016 blks
           =                       sectsz=512   attr=2, projid32bit=1
           =                       crc=1        finobt=0, sparse=0
  data     =                       bsize=4096   blocks=1048064, imaxpct=25
           =                       sunit=0      swidth=0 blks
  naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
  log      =internal log           bsize=4096   blocks=2560, version=2
           =                       sectsz=512   sunit=0 blks, lazy-count=1
  realtime =none                   extsz=4096   blocks=0, rtextents=0
- Create a mount location for the file system.
  mkdir <mount location>
  Example command:
  mkdir /var/lib/etcd
- Mount the file system.
  mount /dev/mapper/<name of the logical volume> <mount location>
  Example command:
  mount /dev/mapper/etcd /var/lib/etcd
- To mount the file system automatically across system restarts, add lines to the /etc/crypttab and /etc/fstab files:
  - Add the following line to the /etc/crypttab file:
    <name of the logical volume> <full path to the logical volume> {none|<absolute_path_to_keyfile>} luks
    Use none if you use a passphrase for decrypting, or the full path to the key file if you use a key file for decrypting. Sample line:
    etcd /dev/etcdvg/etcd none luks
  - Add the following line to the /etc/fstab file:
    /dev/mapper/<name of the logical volume> <mount location> xfs defaults 0 2
    Sample line:
    /dev/mapper/etcd /var/lib/etcd xfs defaults 0 2
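As an added example that is not part of the IBM Cloud Private documentation, the following POSIX shell script checks the outcome of the procedure above: it validates /etc/crypttab entries of the form shown (four fields, the luks option, and a key file that only its owner can read) and reports whether each directory the page lists for encryption is really mounted from a dm-crypt mapping. The ICP_DIRS list is taken from the page; findmnt, lsblk and stat are assumed to be the util-linux and coreutils tools present on RHEL and Ubuntu.

```shell
#!/bin/sh
# Added audit helper (not from the IBM Cloud Private docs).

# Directories the docs say cover all IBM Cloud Private storage locations.
ICP_DIRS="/var/lib/etcd /var/lib/icp /var/lib/registry /var/lib/mysql /etc/cfc /opt/ibm"

# crypt_backed DIR: succeeds only if the file system holding DIR comes from a
# device-mapper "crypt" target, which is what cryptsetup luksOpen creates.
crypt_backed() {
    command -v findmnt >/dev/null 2>&1 || return 2
    src=$(findmnt -n -o SOURCE --target "$1" 2>/dev/null) || return 1
    [ "$(lsblk -n -o TYPE "$src" 2>/dev/null | head -n 1)" = "crypt" ]
}

# check_crypttab_line "name device key options": accepts the entry only when it
# has all four fields, uses the luks option, and any key file is an absolute
# path with mode 400 or 600 (a key file readable by others defeats the point).
check_crypttab_line() {
    set -- $1
    [ $# -ge 4 ] || { echo "malformed entry: expected 4 fields"; return 1; }
    name=$1 key=$3 opts=$4
    case $opts in *luks*) ;; *) echo "$name: missing luks option"; return 1 ;; esac
    if [ "$key" = "none" ]; then
        echo "$name: passphrase will be prompted at boot"; return 0
    fi
    case $key in /*) ;; *) echo "$name: key file must be an absolute path"; return 1 ;; esac
    [ -f "$key" ] || { echo "$name: key file $key not found"; return 1; }
    mode=$(stat -c %a "$key")
    case $mode in 400|600) echo "$name: key file $key ok"; return 0 ;; esac
    echo "$name: key file $key is readable by others (mode $mode)"; return 1
}

# audit_dirs: one verdict per directory; run as root on every cluster node.
audit_dirs() {
    for d in $ICP_DIRS; do
        if crypt_backed "$d"; then echo "$d: on dm-crypt"
        else echo "$d: NOT on dm-crypt"; fi
    done
}

audit_dirs
```

Run it after the crypttab and fstab entries are in place and the node has been restarted once, so that it reports the state the system actually boots into.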
Next, continue with installing IBM Cloud Private.