Your goal is to prepare a workload for running as securely as possible in the
cloud.
Before you begin
You require an encryption process of your choice for your data. Data here means everything except the boot image.
Important:
Do not use logical volumes together with encryption. If your distribution uses a
logical volume setup by default, select a manual or expert storage setup to ensure that data is
stored directly on LUKS
volumes.
If logical volumes are required, use unique volume and non-predictable volume names.
For example, use random names or UUIDs as generated with uuidgen. Multiple
volumes with the same name can result in the wrong volume being mounted. With a known or easily
guessed volume name, an attacker might be able to mount an unencrypted, malicious file system.
About this task
To prepare your workload for running securely in the cloud, you need to secure all parts of it.
Start by securing the data volumes.
Procedure
Work in a trusted mainframe environment.
Prepare your data image.
The data and the boot information can be on the same or different disk images.
Encrypt the
data partition of your disk with the encryption process of your choice.
Tip: Use the operating system installer to encrypt the root filesystem, however, do not use
the default of logical volumes with LUKS encryption, see Important note in Before you
begin.
Ensure that the required keys and passphrases are available to the boot
process.
Save references to keys (plain format) or pass phrases (LUKS/LUKS2) for each volume in
the /etc/crypttab configuration file.
Include the /etc/crypttab configuration file in the initial RAM
file system.
Because the initial RAM file system will be encrypted, it can
hold keys and pass phrases without compromising security.
Results
As shown in Figure 1, the
workload data is encrypted, and the keys are stored in the bootable image.
Figure 1. Data volumes for a workload need to be encrypted, using, for
example, pervasive encryption
