Encrypting volumes that are used by IBM Cloud Private
Encrypt the file systems used by IBM Cloud Private with Linux® Unified Key Setup (LUKS) encryption in Linux. Ensure that your system has available disk space. See Disk space requirements for more information.
As you encrypt the directories that you want to use with IBM Cloud Private, one file system is encrypted and the following directories are mounted on to your encrypted file system:
- /etc/cfc
- /var/lib/etcd
- /var/lib/icp
- /var/lib/mysql
- /opt/ibm
- /var/lib/registry
- /var/lib/kubelet
- /var/lib/docker

Note: /var/lib/kubelet and /var/lib/docker are not required for your environment if you are encrypting IBM Cloud Private data-at-rest only.
To encrypt a file system on all of your IBM Cloud Private nodes, complete the following steps:

- For the example, /dev/vdb is added to the system. To view the block devices in your environment, run the following command:
  ```
  lsblk
  ```
  Your output might resemble the following content:
  ```
  NAME          MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
  vda           252:0    0   250G  0 disk
  ├─vda1        252:1    0     1G  0 part /boot
  └─vda2        252:2    0 248.9G  0 part
    ├─rhel-root 253:0    0   241G  0 lvm  /
    └─rhel-swap 253:1    0   7.9G  0 lvm  [SWAP]
  vdb           252:16   0   300G  0 disk
  ```
  The vda disk has partitions that are created on it because it is used by the operating system. The vdb disk is currently not used.
- Create an encrypted file system on the unused vdb disk. Complete the following steps:
  - Create a volume group. Run the following command:
    ```
    vgcreate CloudVG /dev/vdb
    ```
    Your output might resemble the following text:
    ```
    Physical volume "/dev/vdb" successfully created
    Volume group "CloudVG" successfully created
    ```
  - Create a logical volume that uses the available space on the unused drive. Run the following command:
    ```
    lvcreate --size 250G --name Data CloudVG
    ```
    Your output might resemble the following content:
    ```
    Logical volume "Data" created
    ```
  - LUKS encryption requires a password to be associated with the encrypted volumes. Create a file that contains the password and restrict its permissions to root. Run the following commands:
    ```
    echo 'passw0rd' > /root/.luks_key
    chmod 400 /root/.luks_key
    ```
  - Run the following command to create a dm-crypt LUKS container in the volume with the key file:
    ```
    cryptsetup luksFormat --batch-mode --use-random /dev/CloudVG/Data /root/.luks_key
    ```
  - Open the LUKS container and map the logical volume to its path:
    ```
    cryptsetup luksOpen --key-file /root/.luks_key /dev/CloudVG/Data luks-data
    ```
  - Create a file system on the logical volume (format the partition) and configure it to be mounted after your node reboots.
    - Create a file system on the logical volume. Run the following command:
      ```
      mkfs.ext4 /dev/mapper/luks-data
      ```
    - Configure your file system to be mounted. Run the following commands:
      ```
      echo "luks-data /dev/CloudVG/Data /root/.luks_key" >> /etc/crypttab
      echo "/dev/mapper/luks-data /data ext4 defaults 1 2" >> /etc/fstab
      ```
      Note: It is not required to use the ext4 file system.
  - Verify that the encrypted volume was configured. Run the following command:
    ```
    cryptsetup status /dev/mapper/luks-data
    ```
    Your output might resemble the following content:
    ```
    /dev/mapper/luks-data is active.
      type:    LUKS1
      cipher:  aes-xts-plain64
      keysize: 256 bits
      device:  /dev/mapper/CloudVG-Data
      offset:  4096 sectors
      size:    524283904 sectors
      mode:    read/write
    ```
- Create the directories that are used by IBM Cloud Private and mount them on to your encrypted file system. Complete the following steps:
  - Create a directory on which to mount the encrypted volume, and mount it. Run the following commands:
    ```
    mkdir /data
    mount /dev/mapper/luks-data /data
    ```
  - Create the directories to bind-mount on the encrypted volume, both at their original locations and under /data. Run the following commands:
    ```
    mkdir -p /var/lib/etcd /var/lib/icp /var/lib/registry /var/lib/kubelet /var/lib/docker /var/lib/mysql /etc/cfc /opt/ibm
    mkdir -p /data/var/lib/etcd /data/var/lib/icp /data/var/lib/registry /data/var/lib/kubelet /data/var/lib/docker /data/var/lib/mysql /data/etc/cfc /data/opt/ibm
    ```
  - Add the bind-mount entries to the /etc/fstab file. Run the following commands:
    ```
    echo "/data/opt/ibm /opt/ibm none bind 0 0" >> /etc/fstab
    echo "/data/etc/cfc /etc/cfc none bind 0 0" >> /etc/fstab
    echo "/data/var/lib/mysql /var/lib/mysql none bind 0 0" >> /etc/fstab
    echo "/data/var/lib/registry /var/lib/registry none bind 0 0" >> /etc/fstab
    echo "/data/var/lib/kubelet /var/lib/kubelet none bind 0 0" >> /etc/fstab
    echo "/data/var/lib/docker /var/lib/docker none bind 0 0" >> /etc/fstab
    echo "/data/var/lib/icp /var/lib/icp none bind 0 0" >> /etc/fstab
    echo "/data/var/lib/etcd /var/lib/etcd none bind 0 0" >> /etc/fstab
    ```
  - Run the following commands to bind-mount the directories to their corresponding locations under /data:
    ```
    mount --bind /data/var/lib/etcd /var/lib/etcd/
    mount --bind /data/var/lib/icp/ /var/lib/icp/
    mount --bind /data/var/lib/registry/ /var/lib/registry/
    mount --bind /data/var/lib/docker/ /var/lib/docker/
    mount --bind /data/var/lib/kubelet/ /var/lib/kubelet/
    mount --bind /data/var/lib/mysql/ /var/lib/mysql/
    mount --bind /data/etc/cfc/ /etc/cfc/
    mount --bind /data/opt/ibm/ /opt/ibm/
    ```
- Reboot your node. After you reboot your node, the bind mounts are automatically recreated. Run the following command:
  ```
  reboot
  ```
- After you reboot your node, log in and verify that the directories are all mounted on the /data file system. Run the following command:
  ```
  mount | grep luks-data
  ```
  Your output might resemble the following content:
  ```
  /dev/mapper/luks-data on /data type ext4 (rw,relatime,data=ordered)
  /dev/mapper/luks-data on /var/lib/etcd type ext4 (rw,relatime,data=ordered)
  /dev/mapper/luks-data on /var/lib/kubelet type ext4 (rw,relatime,data=ordered)
  /dev/mapper/luks-data on /opt/ibm type ext4 (rw,relatime,data=ordered)
  /dev/mapper/luks-data on /var/lib/icp type ext4 (rw,relatime,data=ordered)
  /dev/mapper/luks-data on /var/lib/registry type ext4 (rw,relatime,data=ordered)
  /dev/mapper/luks-data on /var/lib/docker type ext4 (rw,relatime,data=ordered)
  /dev/mapper/luks-data on /etc/cfc type ext4 (rw,relatime,data=ordered)
  /dev/mapper/luks-data on /var/lib/mysql type ext4 (rw,relatime,data=ordered)
  ```
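The script below is an added example and is not part of the IBM documentation. It turns the procedure's last two steps (the fstab bind-mount entries and the post-reboot mount check) into repeatable checks: it generates the bind-mount lines in the exact format used above, reports which of them are missing from a given fstab text, and scans a `mount` listing for any of the listed directories that are not served by /dev/mapper/luks-data, which is the condition that would leave IBM Cloud Private data on the unencrypted root volume. It assumes the names used on this page (the luks-data mapping, the /data mount point and the same directory list); the embedded mount listing is a constructed sample in which /var/lib/mysql was never bind-mounted.

```shell
#!/bin/sh
# Added example (not from the IBM documentation). Assumes the names used on
# the page: the luks-data mapping, the /data mount point and the directory list.

# Directories that the page bind-mounts on to the encrypted volume.
ICP_DIRS="/etc/cfc /var/lib/etcd /var/lib/icp /var/lib/mysql /opt/ibm /var/lib/registry /var/lib/kubelet /var/lib/docker"

# Print the /etc/fstab bind-mount line for one directory, in the page's format.
fstab_bind_line() {
    printf '/data%s %s none bind 0 0\n' "$1" "$1"
}

# Print every expected bind-mount line, ready to append to /etc/fstab.
fstab_bind_lines() {
    for d in $ICP_DIRS; do
        fstab_bind_line "$d"
    done
}

# Given the text of /etc/fstab, list directories whose bind-mount line is absent.
fstab_missing_entries() {
    missing=""
    for d in $ICP_DIRS; do
        if ! printf '%s\n' "$1" | grep -qxF "$(fstab_bind_line "$d")"; then
            missing="$missing $d"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Given the output of `mount`, list directories that are NOT served by
# /dev/mapper/luks-data (that is, still on the unencrypted root file system).
missing_mounts() {
    missing=""
    for d in $ICP_DIRS; do
        if ! printf '%s\n' "$1" | grep -q "^/dev/mapper/luks-data on $d type "; then
            missing="$missing $d"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample: a `mount | grep luks-data` listing after reboot in which
# /var/lib/mysql was never bind-mounted.
SAMPLE_MOUNT_OUTPUT='/dev/mapper/luks-data on /data type ext4 (rw,relatime,data=ordered)
/dev/mapper/luks-data on /var/lib/etcd type ext4 (rw,relatime,data=ordered)
/dev/mapper/luks-data on /var/lib/kubelet type ext4 (rw,relatime,data=ordered)
/dev/mapper/luks-data on /opt/ibm type ext4 (rw,relatime,data=ordered)
/dev/mapper/luks-data on /var/lib/icp type ext4 (rw,relatime,data=ordered)
/dev/mapper/luks-data on /var/lib/registry type ext4 (rw,relatime,data=ordered)
/dev/mapper/luks-data on /var/lib/docker type ext4 (rw,relatime,data=ordered)
/dev/mapper/luks-data on /etc/cfc type ext4 (rw,relatime,data=ordered)'

# Report what is still outside the encrypted volume. On a real node, replace
# the sample with the live listing: missing_mounts "$(mount)"
unprotected="$(missing_mounts "$SAMPLE_MOUNT_OUTPUT")"
if [ -n "$unprotected" ]; then
    echo "Directories not on the encrypted volume: $unprotected" >&2
fi
```

Run the functions against the live system with `fstab_missing_entries "$(cat /etc/fstab)"` before the reboot and `missing_mounts "$(mount)"` after it; an empty result from both is the state the procedure is meant to produce. The check only covers the mapping itself: /root/.luks_key sits on the unencrypted root volume, so its protection rests on the chmod 400 applied above and on the root volume being trusted.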
For more information about IBM Cloud Private disk requirements, see Encrypting volumes by using dm-crypt.
Continue to implement and enable FIPS for the example. See Example: Enabling FIPS in IBM Cloud Private for more details.