Managing disk encryption keys for Elasticsearch index volumes
IBM® StoredIQ® uses LUKS to encrypt the disk volume on which the Elasticsearch indexes are stored. You can add your own private keys or passphrases to the LUKS encryption system, or even remove the encryption key that is generated when the cluster is set up.
Before you begin
About this task
To protect the private key from unauthorized access, complete the following steps.
LUKS provides eight slots to specify the encryption keys. You can manage keys and passphrases by using the cryptsetup command.
Procedure
- Check which device is encrypted by running the following command:
    blkid -t TYPE=crypto_LUKS
  The output looks similar to what is shown in this example:
    [builder@hostname ~]$ su
    Password:
    [root@hostname builder]$ blkid -t TYPE=crypto_LUKS
    /dev/sdb1: UUID="3755df51-cf96-46d9-b5b1-b301a0284bc8" TYPE="crypto_LUKS" PARTLABEL="primary" PARTUUID="66715c0d-0e22-4e44-a5a3-cd5cd9bbdb5f"
  By default, the encrypted device should be /dev/sdb1.
- Check the LUKS key slots to detect which slots are enabled and which slots are disabled.
  The output looks similar to what is shown in the example:
    [root@hostname ~]# cryptsetup luksDump /dev/sdb1 | grep "Key Slot"
    Key Slot 0: ENABLED
    Key Slot 1: DISABLED
    Key Slot 2: DISABLED
    Key Slot 3: ...
- Add a new passphrase.
  - Add a new passphrase to the next available key slot.
      [root@hostname ~]# cryptsetup luksAddKey /dev/sdb1 -d /root/siq-elasticsearch-luks.key
      Enter new passphrase for key slot:
      Verify passphrase:
    Check again which key slots are enabled and which ones are disabled:
      [root@hostname]# cryptsetup luksDump /dev/sdb1 | grep "Key Slot"
      Key Slot 0: ENABLED
      Key Slot 1: ENABLED
      Key Slot 2: DISABLED
      Key Slot 3: DISABLED
      Key Slot 4: ...
    To remove the passphrase from this slot, you can use this command:
      [root@hostname ~]# cryptsetup luksKillSlot /dev/sdb1 1 -d /root/siq-elasticsearch-luks.key
    Check again which key slots are enabled and which ones are disabled:
      [root@hostname]# cryptsetup luksDump /dev/sdb1 | grep "Key Slot"
      Key Slot 0: ENABLED
      Key Slot 1: DISABLED
      Key Slot 2: DISABLED
      Key Slot 3: DISABLED
      Key Slot 4: ...
  - You can also add the passphrase to a specific slot by using the -S option.
      [root@hostname ~]# cryptsetup luksAddKey /dev/sdb1 -S 3 -d /root/siq-elasticsearch-luks.key
      Enter new passphrase for key slot:
      Verify passphrase:
    Check again which key slots are enabled and which ones are disabled:
      [root@hostname]# cryptsetup luksDump /dev/sdb1 | grep "Key Slot"
      Key Slot 0: ENABLED
      Key Slot 1: ENABLED
      Key Slot 2: DISABLED
      Key Slot 3: ENABLED
      Key Slot 4: ...
- Instead of using a passphrase, you can use a secret key file.
  - Copy your secret key file to the /root folder. You can create a random key file by running this command, where siq-elasticsearch-luks-new.key is the name of the new key file:
      dd if=/dev/random of=/root/siq-elasticsearch-luks-new.key bs=2048 count=1
  - Change the file permission for this file so that only the root user has read access to it:
      [root@hostname ~]# chmod 0400 /root/siq-elasticsearch-luks-new.key
  - Add the key to the next available key slot.
      [root@hostname ~]# cryptsetup luksAddKey /dev/sdb1 /root/siq-elasticsearch-luks-new.key -d /root/siq-elasticsearch-luks.key
  - Check the key slots.
      [root@hostname ~]# cryptsetup luksDump /dev/sdb1 | grep "Key Slot"
      Key Slot 0: ENABLED
      Key Slot 1: ENABLED
      Key Slot 2: DISABLED
      Key Slot 3: DISABLED
      Key Slot 4: ...
  - Add the new key file to the /etc/crypttab file. The updated file should look similar to the example:
      siq-elasticsearch-luks UUID=4f2a067d-6604-46a5-8d0b-8a387a40198b /root/siq-elasticsearch-luks.key luks
      siq-elasticsearch-luks UUID=4f2a067d-6604-46a5-8d0b-8a387a40198b /root/siq-elasticsearch-luks-new.key luks
- Optional: Remove the key that is shipped with the product for immediate use.
  - Delete the key from slot 0:
      [root@hostname ~]# cryptsetup luksKillSlot /dev/sdb1 0 -d /root/siq-elasticsearch-luks-new.key
  - Make sure key slot 0 is disabled:
      [root@hostname ~]# cryptsetup luksDump /dev/sdb1 | grep "Key Slot"
      Key Slot 0: DISABLED
      Key Slot 1: ENABLED
      Key Slot 2: DISABLED
      Key Slot 3: DISABLED
      Key Slot 4: ...
  - Delete the /root/siq-elasticsearch-luks.key entry from the /etc/crypttab file so that it contains just the /root/siq-elasticsearch-luks-new.key entry:
      siq-elasticsearch-luks UUID=4f2a067d-6604-46a5-8d0b-8a387a40198b /root/siq-elasticsearch-luks-new.key luks
  If you set a passphrase instead of using a key file, and remove the default key file, you will have to provide this passphrase on each start of the VM.
  Important: If you remove a key without adding a new key or a passphrase, you will lock yourself out of the encrypted device. In this case, you will no longer be able to access the device and the data that is stored on this encrypted device is permanently lost.
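As an added example that is not part of the IBM StoredIQ documentation, the following shell helper parses the "Key Slot" lines shown above and refuses to kill a slot unless another slot stays enabled, which guards against the lockout described in the note. The sample dump is constructed; /dev/sdb1 and the key file path are the ones used on this page.

```shell
# Added example, not IBM's code: parse the "Key Slot N: ENABLED/DISABLED" lines
# that `cryptsetup luksDump` prints for the LUKS1 layout shown on this page
# (LUKS2 uses a different "Keyslots:" layout and is not handled here).

# enabled_slots DUMP -> prints the number of every ENABLED slot, one per line
enabled_slots() {
    printf '%s\n' "$1" | awk '/^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3 }'
}

# next_free_slot DUMP -> prints the lowest DISABLED slot number (nothing if all slots are used)
next_free_slot() {
    printf '%s\n' "$1" | awk '/^Key Slot [0-9]+: DISABLED/ { sub(":", "", $3); print $3; exit }'
}

# safe_to_kill_slot DUMP SLOT -> succeeds only if a slot other than SLOT is ENABLED,
# so that luksKillSlot cannot leave the device with no usable key
safe_to_kill_slot() {
    others=$(enabled_slots "$1" | grep -cvxF -- "$2" || true)
    [ "$others" -gt 0 ]
}

# Constructed sample in the format shown above, as after luksAddKey filled slot 1
SAMPLE_DUMP='Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

# On the appliance (as root), using /dev/sdb1 and the new key file from this page:
#   dump=$(cryptsetup luksDump /dev/sdb1 | grep "Key Slot")
#   cryptsetup open --test-passphrase /dev/sdb1 -d /root/siq-elasticsearch-luks-new.key \
#     && safe_to_kill_slot "$dump" 0 \
#     && cryptsetup luksKillSlot /dev/sdb1 0 -d /root/siq-elasticsearch-luks-new.key
```

The `--test-passphrase` check confirms that the new key file actually unlocks the device before slot 0 is removed.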