Encrypting volumes by using dm-crypt
Encrypt volumes with dm-crypt.
dm-crypt provides transparent encryption of block devices. You can access the data immediately after you mount the device. For more information about dm-crypt, see dm-crypt 
.
You can use dm-crypt to encrypt volumes, and a passphrase or a key file to decrypt the volume. You can specify the key file when you restart the system.
Storage directories in IBM® Cloud Private
In IBM Cloud Private, you can use dm-crypt to encrypt data-at-rest that is stored at the following locations:
- Kubernetes key value store -
/var/lib/etcd - Kubernetes audit -
/var/lib/icp/audit - MongoDB -
/var/lib/icp/mongodb - Helm repository -
/var/lib/icp/helmrepo - Vulnerability advisor (VA) -
/var/lib/icp/va - Persistent volume for image manager -
/var/lib/registry - Certificates and keys -
/etc/cfc - Licenses -
/opt/ibm/cfc/license - Software ID tags -
/opt/ibm/cfc/swidtag - Persistent volume for logging -
/var/lib/icp/logging/elasticsearch - Persistent volume for Prometheus -
<installation_directory>/dirforPrometheusServer - Persistent volume for AlertManager -
<installation_directory>/dirforAlertManager - Persistent volume for Grafana -
<installation_directory>/dirforGrafana - IBM Cloud Private configuration -
<installation_directory>/cluster
You can encrypt the following directories to cover the storage locations in the preceding list:
/var/lib/etcd/var/lib/icp/var/lib/registry/etc/cfc/opt/ibm-
<installation_directory>Note: You can use
/opt/ibmas the installation directory.
For more information about the disk space requirements for these directories, see Disk space requirements.
FIPS requirements
See the guidelines to meet Federal Information Processing Standards (FIPS) requirements:
-
For Red Hat Enterprise Linux (RHEL), see the following guidelines:
-
For Ubuntu, see Certification
- For SUSE Linux Enterprise Server (SLES), see Security certifications
Encrypting a directory
You must complete the following steps to encrypt the /var/lib/etcd directory. You can encrypt any directory of your choice.
Prerequisites
Ensure that the following packages are installed on all the nodes of your IBM Cloud Private cluster:
-
On RHEL, you must install the following packages:
cryptsetupdevice-mapper-
util-linuxIf the packages are not installed, run the following commands as a root user to install them:
yum install cryptsetup-luks
-
On Ubuntu, you must install the following packages:
cryptsetuplibdevmapper1-
util-linuxIf the packages are not installed, run these commands as a root user to install them:
apt-get install cryptsetup
Encrypting a volume
Complete the following steps as a root user to encrypt a volume:
-
Configure logical volume management (LVM) to store the encrypted data:
-
Run the following command to create a physical volume.
pvcreate <full path and name of the physical volume>Your output might resemble the following content:
pvcreate /dev/sda1 Physical volume "/dev/sda1" successfully created. -
Create a volume group. Run the following command:
vgcreate <name of the volume group> <full path to the physical volume>Your output might resemble the following content:
vgcreate etcdvg /dev/sda1 Volume group "etcdvg" successfully created. -
Run the following command to create a logical volume.
lvcreate -L <amount of space required> <name of the volume group> -n <name of the logical volume>Your output might resemble the following content:
lvcreate -L4G etcdvg -n etcd Logical volume "etcd" created.
-
-
Create a dm-crypt LUKS Container in the volume, run the following command:
cryptsetup -y luksFormat <full path to the logical volume>You can specify a passphrase for decrypting.
Your output might resemble the following content:
cryptsetup -y luksFormat /dev/etcdvg/etcd WARNING! ======== This will overwrite data on /dev/etcdvg/etcd irrevocably. Are you sure? (Type uppercase yes): YES Enter passphrase: Verify passphrase: -
Open the LUKS container and map the logical volume to its path. Run the following command:
cryptsetup luksOpen <full path to the logical volume> <name of the logical volume>Your output might resemble the following text:
cryptsetup luksOpen /dev/etcdvg/etcd etcd Enter passphrase for /dev/etcdvg/etcd: -
Create a file system on the logical volume. You can use any file system. Run the following command to create an XFS file system:
mkfs.xfs /dev/mapper/<name of the logical volume>Your output might resemble the following output:
mkfs.xfs /dev/mapper/etcd meta-data=/dev/mapper/etcd isize=512 agcount=4, agsize=262016 blks = sectsz=512 attr=2, projid32bit=1 = crc=1 finobt=0, sparse=0 data = bsize=4096 blocks=1048064, imaxpct=25 = sunit=0 swidth=0 blks naming =version 2 bsize=4096 ascii-ci=0 ftype=1 log =internal log bsize=4096 blocks=2560, version=2 = sectsz=512 sunit=0 blks, lazy-count=1 realtime =none extsz=4096 blocks=0, rtextents=0 -
Create a mount location to mount the file system. Run the following command:
mkdir <mount location>Your output might resemble the following content:
mkdir /var/lib/etcd -
Run the following command to mount the file system.
mount /dev/mapper/<name of the logical volume> <mount location>The example command would be as follows:
mount /dev/mapper/etcd /var/lib/etcdTo automatically mount between system restarts, add the following lines to the
/etc/crypttaband/etc/fstabfiles:-
Add the following line to the
/etc/crypttabfile:<name of the volume group> <full path to the logical volume> {none|<absolute_path_to_keyfile>} luksIf you used a passphrase for decrypting, add
none. If you used a key file for decrypting, add the full path to the key file. Run the following example command:etcd /dev/etcdvg/etcd none luks -
Add the following line to the
/etc/fstabfile:/dev/mapper/<name of the logical volume> <full path to the volume group> xfs defaults 0 2Run the following example command:
/dev/mapper/etcd /var/lib/etcd xfs defaults 0 2
-
Next, continue to install IBM Cloud Private.