Encrypting volumes by using dm-crypt
Encrypt volumes with dm-crypt.

dm-crypt provides transparent encryption of block devices. You can access the data immediately after you mount the device. For more information about dm-crypt, see dm-crypt.

You can use dm-crypt to encrypt volumes, and a passphrase or a key file to decrypt the volume. If you use a key file, you can specify it in /etc/crypttab so that the volume is unlocked when the system restarts.
Storage directories in IBM® Cloud Private
In IBM Cloud Private, you can use dm-crypt to encrypt data-at-rest that is stored at the following locations:
- Kubernetes key value store - /var/lib/etcd
- Kubernetes audit - /var/lib/icp/audit
- MongoDB - /var/lib/icp/mongodb
- Helm repository - /var/lib/icp/helmrepo
- Vulnerability advisor (VA) - /var/lib/icp/va
- Persistent volume for image manager - /var/lib/registry
- Certificates and keys - /etc/cfc
- MariaDB - /var/lib/mysql
- Licenses - /opt/ibm/cfc/license
- Software ID tags - /opt/ibm/cfc/swidtag
- Persistent volume for logging - /var/lib/icp/logging/elasticsearch
- Persistent volume for Prometheus - <installation_directory>/dirforPrometheusServer
- Persistent volume for AlertManager - <installation_directory>/dirforAlertManager
- Persistent volume for Grafana - <installation_directory>/dirforGrafana
- IBM Cloud Private configuration - <installation_directory>/cluster
You can encrypt the following directories to cover the storage locations in the preceding list:
- /var/lib/etcd
- /var/lib/icp
- /var/lib/registry
- /var/lib/mysql
- /etc/cfc
- /opt/ibm
- <installation_directory>
Note: You can use /opt/ibm as the installation directory.
For more information about the disk space requirements for these directories, see Disk space requirements.
FIPS requirements
See the guidelines to meet Federal Information Processing Standards (FIPS) requirements:
- For RHEL, see the following guidelines:
- For Ubuntu, see Certification
- For SUSE Linux Enterprise Server (SLES), see Security certifications
Encrypting a directory
The following steps encrypt the /var/lib/etcd directory as an example. You can apply the same steps to any directory of your choice.
Prerequisites
Ensure that the following packages are installed on all the nodes of your IBM Cloud Private cluster:
- On Red Hat Enterprise Linux (RHEL), you must install the following packages:
  - cryptsetup
  - device-mapper
  - util-linux
  If the packages are not installed, run the following command as the root user to install them:
  yum install cryptsetup-luks
- On Ubuntu, you must install the following packages:
  - cryptsetup
  - libdevmapper1
  - util-linux
  If the packages are not installed, run the following command as the root user to install them:
  apt-get install cryptsetup
Encrypting a volume
Complete the following steps as the root user to encrypt a volume:
- Configure logical volume management (LVM) to store the encrypted data:
  - Run the following command to create a physical volume:
    pvcreate <full path and name of the physical volume>
    Your output might resemble the following content:
    pvcreate /dev/sda1
    Physical volume "/dev/sda1" successfully created.
  - Create a volume group. Run the following command:
    vgcreate <name of the volume group> <full path to the physical volume>
    Your output might resemble the following content:
    vgcreate etcdvg /dev/sda1
    Volume group "etcdvg" successfully created.
  - Run the following command to create a logical volume:
    lvcreate -L <amount of space required> <name of the volume group> -n <name of the logical volume>
    Your output might resemble the following content:
    lvcreate -L4G etcdvg -n etcd
    Logical volume "etcd" created.
- Create a dm-crypt LUKS container on the logical volume. Run the following command:
  cryptsetup -y luksFormat <full path to the logical volume>
  You are prompted for a passphrase, which is required later to open (decrypt) the volume.
  Your output might resemble the following content:
  cryptsetup -y luksFormat /dev/etcdvg/etcd
  WARNING!
  ========
  This will overwrite data on /dev/etcdvg/etcd irrevocably.

  Are you sure? (Type uppercase yes): YES
  Enter passphrase:
  Verify passphrase:
- Open the LUKS container and map it to a device under /dev/mapper. Run the following command:
  cryptsetup luksOpen <full path to the logical volume> <name of the logical volume>
  Your output might resemble the following text:
  cryptsetup luksOpen /dev/etcdvg/etcd etcd
  Enter passphrase for /dev/etcdvg/etcd:
- Create a file system on the mapped device. You can use any file system. Run the following command to create an XFS file system:
  mkfs.xfs /dev/mapper/<name of the logical volume>
  Your output might resemble the following output:
  mkfs.xfs /dev/mapper/etcd
  meta-data=/dev/mapper/etcd       isize=512    agcount=4, agsize=262016 blks
           =                       sectsz=512   attr=2, projid32bit=1
           =                       crc=1        finobt=0, sparse=0
  data     =                       bsize=4096   blocks=1048064, imaxpct=25
           =                       sunit=0      swidth=0 blks
  naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
  log      =internal log           bsize=4096   blocks=2560, version=2
           =                       sectsz=512   sunit=0 blks, lazy-count=1
  realtime =none                   extsz=4096   blocks=0, rtextents=0
- Create a mount location for the file system. Run the following command:
  mkdir <mount location>
  For example:
  mkdir /var/lib/etcd
- Run the following command to mount the file system:
  mount /dev/mapper/<name of the logical volume> <mount location>
  For example:
  mount /dev/mapper/etcd /var/lib/etcd
To mount the file system automatically after system restarts, add the following lines to the /etc/crypttab and /etc/fstab files:
- Add the following line to the /etc/crypttab file:
  <name of the logical volume> <full path to the logical volume> {none|<absolute_path_to_keyfile>} luks
  The first field is the mapped name that you passed to luksOpen. If you used a passphrase for decrypting, add none. If you used a key file for decrypting, add the full path to the key file. For example:
  etcd /dev/etcdvg/etcd none luks
- Add the following line to the /etc/fstab file:
  /dev/mapper/<name of the logical volume> <mount location> xfs defaults 0 2
  The entry mounts the decrypted mapping under /dev/mapper, not the raw logical volume. For example:
  /dev/mapper/etcd /var/lib/etcd xfs defaults 0 2
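The procedure above gathered into one script, as an added example that is not IBM's own tooling: it validates the crypttab entry before any disk is touched, runs the LVM, cryptsetup, mkfs.xfs and mount steps in order, and appends the /etc/crypttab and /etc/fstab lines only once so reruns are safe. Assumed values are /dev/sda1, etcdvg, etcd, 4G and /var/lib/etcd; DRY_RUN=1 (the default) prints the privileged commands instead of executing them.

```shell
#!/bin/sh
# Added example, not IBM's script. Assumed names: PV /dev/sda1, VG etcdvg,
# LV etcd (4G), mount point /var/lib/etcd. DRY_RUN=1 only prints commands.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# crypttab entry: <mapped name> <LUKS device> {none|<keyfile>} luks
# A key file must be an absolute path because crypttab is read at boot.
crypttab_line() {
    case "${3:-none}" in
        none|/*) printf '%s %s %s luks\n' "$1" "$2" "${3:-none}" ;;
        *) echo "key file path must be absolute: $3" >&2; return 1 ;;
    esac
}

# fstab entry: mount the decrypted mapping, never the raw logical volume
fstab_line() {
    printf '/dev/mapper/%s %s xfs defaults 0 2\n' "$1" "$2"
}

# Append a line only if the file does not already contain it (idempotent).
append_once() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# encrypt_volume PV VG LV SIZE MOUNTPOINT [KEYFILE]
encrypt_volume() {
    pv=$1 vg=$2 lv=$3 size=$4 mnt=$5 keyfile=${6:-none}
    # Build and validate the boot-time entries first, before anything is written.
    ct=$(crypttab_line "$lv" "/dev/$vg/$lv" "$keyfile") || return 1
    ft=$(fstab_line "$lv" "$mnt")
    kf=""; [ "$keyfile" != none ] && kf="--key-file=$keyfile"
    run pvcreate "$pv"
    run vgcreate "$vg" "$pv"
    run lvcreate -L "$size" "$vg" -n "$lv"
    run cryptsetup -y luksFormat $kf "/dev/$vg/$lv"   # prompts unless a key file is given
    run cryptsetup luksOpen $kf "/dev/$vg/$lv" "$lv"
    run mkfs.xfs "/dev/mapper/$lv"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$lv" "$mnt"
    run append_once /etc/crypttab "$ct"
    run append_once /etc/fstab "$ft"
}

encrypt_volume /dev/sda1 etcdvg etcd 4G /var/lib/etcd
```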
Next, continue to install IBM Cloud Private.