Encrypting volumes that are used by IBM Cloud Private

Encrypt the file systems used by IBM Cloud Private with Linux® Unified Key Setup (LUKS) encryption in Linux. Ensure that your system has available disk space. See Disk space requirements for more information.

As you encrypt the directories that you want to use with IBM Cloud Private, one file system is encrypted and the following directories are mounted on to it: /var/lib/etcd, /var/lib/icp, /var/lib/registry, /var/lib/kubelet, /var/lib/docker, /var/lib/mysql, /etc/cfc, and /opt/ibm.

To encrypt a file system on all of your IBM Cloud Private nodes, complete the following steps:

  1. In this example, the /dev/vdb disk is added to the system. To view the block devices in your environment, run the following command:

     lsblk
    

    Your output might resemble the following content:

     NAME          MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
     vda           252:0    0   250G  0 disk
     ├─vda1        252:1    0     1G  0 part /boot
     └─vda2        252:2    0 248.9G  0 part
       ├─rhel-root 253:0    0   241G  0 lvm  /
       └─rhel-swap 253:1    0   7.9G  0 lvm  [SWAP]
     vdb           252:16   0   300G  0 disk
    

    The vda disk has partitions that are created on it because it is used by the operating system. The vdb disk is currently not used.

  2. Create an encrypted file system on the unused vdb disk. Complete the following steps:

    • Create a volume group on the unused disk. Run the following command:

      vgcreate CloudVG /dev/vdb
      

      Your output might resemble the following text:

      Physical volume "/dev/vdb" successfully created
      Volume group "CloudVG" successfully created
      
    • Create a logical volume that uses the available space on the unused drive. Run the following command:

      lvcreate --size 250G --name Data CloudVG
      

      Your output might resemble the following content:

      Logical volume "Data" created
      
    • LUKS encryption requires a password to be associated with the encrypted volume. Create a file that contains the password and restrict it so that only root can read it. Run the following commands:

      echo 'passw0rd' > /root/.luks_key
      
      chmod 400 /root/.luks_key
      
    • Run the following command to create a dm-crypt LUKS container in the volume with the key file:

      cryptsetup luksFormat --batch-mode --use-random /dev/CloudVG/Data /root/.luks_key
      
    • Open the LUKS container and map the logical volume to its path:

      cryptsetup luksOpen --key-file /root/.luks_key /dev/CloudVG/Data luks-data
      
    • Create a file system on the logical volume (format the partition) and configure it to be mounted after your node reboots.

      • Create a file system on the logical volume. Run the following command:

        mkfs.ext4 /dev/mapper/luks-data
        
      • Configure your file system to be mounted. Run the following commands:

        echo "luks-data /dev/CloudVG/Data /root/.luks_key" >> /etc/crypttab 
        
        echo "/dev/mapper/luks-data    /data    ext4    defaults    1 2" >> /etc/fstab
        

      Note: It is not required to use the ext4 file system.

    • Verify that the encrypted volume was configured. Run the following command:

      cryptsetup status /dev/mapper/luks-data
      

      Your output might resemble the following content:

      /dev/mapper/luks-data is active.
        type:    LUKS1
        cipher:  aes-xts-plain64
        keysize: 256 bits
        device:  /dev/mapper/CloudVG-Data
        offset:  4096 sectors
        size:    524283904 sectors
        mode:    read/write
      
  3. Create the directories that are used by IBM Cloud Private and mount them on to your encrypted file system. Complete the following steps:

    • Create the /data mount point and mount the encrypted volume on it. Run the following commands:

      mkdir /data
      mount /dev/mapper/luks-data /data
      
    • Create the directories that IBM Cloud Private uses, both at their original paths and under /data on the encrypted volume. Run the following commands:

      mkdir -p /var/lib/etcd /var/lib/icp /var/lib/registry /var/lib/kubelet /var/lib/docker /var/lib/mysql /etc/cfc /opt/ibm
      
      mkdir -p /data/var/lib/etcd /data/var/lib/icp /data/var/lib/registry /data/var/lib/kubelet /data/var/lib/docker /data/var/lib/mysql /data/etc/cfc /data/opt/ibm
      
    • Add the bind-mount entries to the /etc/fstab file so that they are recreated at boot. Run the following commands:

      echo "/data/opt/ibm /opt/ibm none bind 0 0" >> /etc/fstab
      echo "/data/etc/cfc /etc/cfc none bind 0 0" >> /etc/fstab
      echo "/data/var/lib/mysql /var/lib/mysql none bind 0 0" >> /etc/fstab
      echo "/data/var/lib/registry /var/lib/registry none bind 0 0" >> /etc/fstab
      echo "/data/var/lib/kubelet /var/lib/kubelet none bind 0 0" >> /etc/fstab
      echo "/data/var/lib/docker /var/lib/docker none bind 0 0" >> /etc/fstab
      echo "/data/var/lib/icp /var/lib/icp none bind 0 0" >> /etc/fstab
      echo "/data/var/lib/etcd /var/lib/etcd none bind 0 0" >> /etc/fstab
      
    • Bind-mount each directory on to its corresponding directory in the /data file system. Run the following commands:

      mount --bind /data/var/lib/etcd /var/lib/etcd/
      mount --bind /data/var/lib/icp/ /var/lib/icp/
      mount --bind /data/var/lib/registry/ /var/lib/registry/
      mount --bind /data/var/lib/docker/ /var/lib/docker/
      mount --bind /data/var/lib/kubelet/ /var/lib/kubelet/
      mount --bind /data/var/lib/mysql/ /var/lib/mysql/
      mount --bind /data/etc/cfc/ /etc/cfc/
      mount --bind /data/opt/ibm/ /opt/ibm/
      
  4. Reboot your node. After the reboot, the encrypted volume and the bind mounts are recreated automatically from the /etc/crypttab and /etc/fstab entries. Run the following command:

    reboot
    
  5. After you reboot your node, log in and verify that the directories are all mounted on the /data file system. Run the following command:

    mount | grep luks-data
    

    Your output might resemble the following content:

    /dev/mapper/luks-data on /data type ext4 (rw,relatime,data=ordered) 
    /dev/mapper/luks-data on /var/lib/etcd type ext4 (rw,relatime,data=ordered) 
    /dev/mapper/luks-data on /var/lib/kubelet type ext4 (rw,relatime,data=ordered) 
    /dev/mapper/luks-data on /opt/ibm type ext4 (rw,relatime,data=ordered) 
    /dev/mapper/luks-data on /var/lib/icp type ext4 (rw,relatime,data=ordered) 
    /dev/mapper/luks-data on /var/lib/registry type ext4 (rw,relatime,data=ordered) 
    /dev/mapper/luks-data on /var/lib/docker type ext4 (rw,relatime,data=ordered) 
    /dev/mapper/luks-data on /etc/cfc type ext4 (rw,relatime,data=ordered) 
    /dev/mapper/luks-data on /var/lib/mysql type ext4 (rw,relatime,data=ordered)
    
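The following script is an added post-reboot check and is not part of the IBM documentation: it confirms that every directory from step 3 is served by the /dev/mapper/luks-data mapping and that the key file still has the 0400 mode set in step 2. The script name verify_luks_mounts.sh is hypothetical, and GNU stat (as on RHEL) is assumed.

```shell
#!/bin/sh
# Added post-reboot verification helper; it is not part of the IBM documentation.
# It checks the two things the procedure relies on: every bind-mounted directory
# is backed by /dev/mapper/luks-data, and the key file keeps the 0400 mode.

# Directories the procedure places on the encrypted volume (step 3).
ICP_DIRS="/data /var/lib/etcd /var/lib/icp /var/lib/registry /var/lib/kubelet /var/lib/docker /var/lib/mysql /etc/cfc /opt/ibm"

# missing_luks_mounts "<output of mount>"
# Prints each expected directory that is not mounted from /dev/mapper/luks-data;
# returns 0 when nothing is missing, 1 otherwise.
missing_luks_mounts() {
    rc=0
    for d in $ICP_DIRS; do
        # Anchor on " type " so /data does not also match /data2 or /database.
        if ! printf '%s\n' "$1" | grep -q "^/dev/mapper/luks-data on $d type "; then
            printf '%s\n' "$d"
            rc=1
        fi
    done
    return $rc
}

# keyfile_mode_ok <path>
# Returns 0 only when the file exists with the 0400 mode the procedure sets
# (GNU stat assumed); a group- or world-readable key file exposes the passphrase.
keyfile_mode_ok() {
    [ -f "$1" ] && [ "$(stat -c '%a' "$1")" = "400" ]
}

# Constructed sample: the page's mount listing with /var/lib/mysql left out.
SAMPLE_INCOMPLETE='/dev/mapper/luks-data on /data type ext4 (rw,relatime,data=ordered)
/dev/mapper/luks-data on /var/lib/etcd type ext4 (rw,relatime,data=ordered)
/dev/mapper/luks-data on /var/lib/kubelet type ext4 (rw,relatime,data=ordered)
/dev/mapper/luks-data on /opt/ibm type ext4 (rw,relatime,data=ordered)
/dev/mapper/luks-data on /var/lib/icp type ext4 (rw,relatime,data=ordered)
/dev/mapper/luks-data on /var/lib/registry type ext4 (rw,relatime,data=ordered)
/dev/mapper/luks-data on /var/lib/docker type ext4 (rw,relatime,data=ordered)
/dev/mapper/luks-data on /etc/cfc type ext4 (rw,relatime,data=ordered)'
SAMPLE_COMPLETE="$SAMPLE_INCOMPLETE
/dev/mapper/luks-data on /var/lib/mysql type ext4 (rw,relatime,data=ordered)"

# Run against the live node with: sh verify_luks_mounts.sh --live
if [ "${1:-}" = "--live" ]; then
    missing_luks_mounts "$(mount)" && echo "all IBM Cloud Private directories are on luks-data"
    keyfile_mode_ok /root/.luks_key || echo "WARNING: /root/.luks_key is missing or not mode 0400"
fi
```

Any directory the script prints is one whose bind mount did not come back after the reboot, which usually means its /etc/fstab line is missing or mistyped.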

For more information about IBM Cloud Private disk requirements, see Encrypting volumes by using dm-crypt.

Continue to implement and enable FIPS for the example. See Example: Enabling FIPS in IBM Cloud Private for more details.