Re: Secure data

2018-08-07 Thread rajpal reddy
Hi Jon,

I was trying the LUKS encryption, following the doc
https://aws.amazon.com/blogs/security/how-to-protect-data-at-rest-with-amazon-ec2-instance-store-encryption/
on an EC2 i3.large machine.
I don't see the disk mounted, and I see the mapper at 100%. Do you see
anything wrong in the statements below?
I see this error in /var/log/messages:
 ERROR [instanceID=i-0de508d7fc188ab20] [MessagingDeliveryService] [Association] Unable to load instance associations, unable to retrieve associations unable to retrieve associations NoCredentialProviders: no valid providers in chain. Deprecated

df -h /dev/mapper/
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        7.5G  7.5G     0 100% /dev

#!/bin/bash

## Initial setup to be executed on boot
##

# Create an empty file. This file will be used to host the file system.
# In this example we create a 2 GB file called secretfs (Secret File System).
dd of=secretfs bs=1G count=0 seek=2
# Lock down normal access to the file.
chmod 600 secretfs
# Associate a loopback device with the file.
losetup /dev/nvme0 secretfs
# Copy encrypted password file from S3. The password is used to configure LUKS later on.
aws s3 cp s3://mybucket/LuksInternalStorageKey .
# Decrypt the password from the file with KMS, save the secret password in LuksClearTextKey
LuksClearTextKey=$(aws --region us-east-1 kms decrypt --ciphertext-blob fileb://LuksInternalStorageKey --output text --query Plaintext | base64 --decode)
# Encrypt storage in the device. cryptsetup will use the Linux
# device mapper to create, in this case, /dev/mapper/secretfs.
# Initialize the volume and set an initial key.
echo "$LuksClearTextKey" | cryptsetup -y luksFormat /dev/nvme0
# Open the partition, and create a mapping to /dev/mapper/secretfs.
echo "$LuksClearTextKey" | cryptsetup luksOpen /dev/nvme0 secretfs
# Clear the LuksClearTextKey variable because we don't need it anymore.
unset LuksClearTextKey
# Check its status (optional).
cryptsetup status secretfs
# Zero out the new encrypted device.
dd if=/dev/zero of=/dev/mapper/secretfs
# Create a file system and verify its status.
mke2fs -j -O dir_index /dev/mapper/secretfs
# List file system configuration (optional).
tune2fs -l /dev/mapper/secretfs
# Mount the new file system to /data_e/secretfs.
sudo mkdir /data_e/secretfs
sudo mount /dev/mapper/secretfs /data_e/secretfs


> On Aug 1, 2018, at 3:38 PM, Jonathan Haddad  wrote:
> 
> You can also get full disk encryption with LUKS, which I've used before.
> 
> On Wed, Aug 1, 2018 at 12:36 PM Jeff Jirsa wrote:
> EBS encryption worked well on gp2 volumes (never tried it on any others)
> 
> -- 
> Jeff Jirsa
> 
> 
> On Aug 1, 2018, at 7:57 AM, Rahul Reddy wrote:
> 
>> Hello,
>> 
>> Anyone tried aws ec2 volume encryption for Cassandra instances?
>> 
>> On Tue, Jul 31, 2018, 12:25 PM Rahul Reddy wrote:
>> Hello,
>> 
>> I'm trying to find a good document on how to enable encryption for Apache 
>> Cassandra (not on dse) tables and commitlogs and store the keystore in kms 
>> or vault. If any of you already configured please direct me to documentation 
>> for it.
> 
> 
> -- 
> Jon Haddad
> http://www.rustyrazorblade.com 
> twitter: rustyrazorblade
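
A guard for the wipe step in a script like the one above, as an added example that is not part of the original message or the AWS blog post. As root, `dd of=` on a path under /dev that does not exist creates a regular file on devtmpfs, so the functions below (their names are this example's own) refuse to write unless the target is a block device, and list any regular files already left under /dev.

```shell
#!/bin/sh
# Added example, not from the thread or the AWS blog post.
# Function names are this example's own.

# classify_node PATH: print block, char, regular, missing or other.
classify_node() {
    if [ ! -e "$1" ]; then echo missing
    elif [ -b "$1" ]; then echo block
    elif [ -c "$1" ]; then echo char
    elif [ -f "$1" ]; then echo regular
    else echo other
    fi
}

# require_block PATH: succeed only when PATH is a block device.
require_block() {
    kind=$(classify_node "$1")
    [ "$kind" = block ] && return 0
    echo "refusing: $1 is $kind, not a block device" >&2
    return 1
}

# guarded_wipe PATH: zero PATH only if it is a block device, so a failed
# luksOpen cannot turn the wipe into a regular file that fills devtmpfs.
guarded_wipe() {
    require_block "$1" || return 1
    # dd ends with "No space left on device" at the end of the device.
    dd if=/dev/zero of="$1" bs=1M 2>/dev/null || true
}

# find_stray_files DIR: list non-empty regular files under DIR (default /dev)
# without crossing mount points; device nodes are not regular files.
find_stray_files() {
    find "${1:-/dev}" -xdev -type f -size +0 2>/dev/null
}
```

In the script, `guarded_wipe /dev/mapper/secretfs` would stand in for the bare `dd` line, and `require_block` can be run on the device handed to `cryptsetup luksFormat`.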



Re: Secure data

2018-08-01 Thread Rahul Reddy
Thanks Jonathan/Ben/Jeff,

Will look into encrypting in application

On Wed, Aug 1, 2018, 7:52 PM Jonathan Haddad  wrote:

> Ben has a good point here.  There's an advantage to encrypting in the
> application, you can encrypt data per-account / user / [some other thing].
> It's possible to revoke all access to all the data for a particular
> [whatever] by simply deleting the encryption key.
>
> Lots of options available.
>
> On Wed, Aug 1, 2018 at 4:39 PM Ben Slater 
> wrote:
>
>> My recommendation is generally to look at encrypting in your application
>> as it’s likely to be overall more secure than DB-level encryption anyway
>> (generally the closer to the user you encrypt the better). I wrote a blog
>> on this last year:
>> https://www.instaclustr.com/securing-apache-cassandra-with-application-level-encryption/
>>
>> We also use encrypted GP2 EBS pretty widely without issue.
>>
>> Cheers
>> Ben
>>
>> On Thu, 2 Aug 2018 at 05:38 Jonathan Haddad  wrote:
>>
>>> You can also get full disk encryption with LUKS, which I've used before.
>>>
>>> On Wed, Aug 1, 2018 at 12:36 PM Jeff Jirsa  wrote:
>>>
>>>> EBS encryption worked well on gp2 volumes (never tried it on any others)
>>>>
>>>> --
>>>> Jeff Jirsa
>>>>
>>>>
>>>> On Aug 1, 2018, at 7:57 AM, Rahul Reddy
>>>> wrote:
>>>>
>>>> Hello,
>>>>
>>>> Anyone tried aws ec2 volume encryption for Cassandra instances?
>>>>
>>>> On Tue, Jul 31, 2018, 12:25 PM Rahul Reddy
>>>> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I'm trying to find a good document on how to enable encryption for Apache
>>>>> Cassandra (not on dse) tables and commitlogs and store the keystore in kms
>>>>> or vault. If any of you already configured please direct me to
>>>>> documentation for it.
>>>>>
>>>>
>>>
>>> --
>>> Jon Haddad
>>> http://www.rustyrazorblade.com
>>> twitter: rustyrazorblade
>>>
>> --
>>
>>
>> *Ben Slater*
>>
>> *Chief Product Officer *
>>
>> This email has been sent on behalf of Instaclustr Pty. Limited
>> (Australia) and Instaclustr Inc (USA).
>>
>> This email and any attachments may contain confidential and legally
>> privileged information.  If you are not the intended recipient, do not copy
>> or disclose its content, but please reply to this email immediately and
>> highlight the error to the sender and then immediately delete the message.
>>
>
>
> --
> Jon Haddad
> http://www.rustyrazorblade.com
> twitter: rustyrazorblade
>


Re: Secure data

2018-08-01 Thread Jonathan Haddad
Ben has a good point here.  There's an advantage to encrypting in the
application, you can encrypt data per-account / user / [some other thing].
It's possible to revoke all access to all the data for a particular
[whatever] by simply deleting the encryption key.

Lots of options available.

On Wed, Aug 1, 2018 at 4:39 PM Ben Slater 
wrote:

> My recommendation is generally to look at encrypting in your application
> as it’s likely to be overall more secure than DB-level encryption anyway
> (generally the closer to the user you encrypt the better). I wrote a blog
> on this last year:
> https://www.instaclustr.com/securing-apache-cassandra-with-application-level-encryption/
>
> We also use encrypted GP2 EBS pretty widely without issue.
>
> Cheers
> Ben
>
> On Thu, 2 Aug 2018 at 05:38 Jonathan Haddad  wrote:
>
>> You can also get full disk encryption with LUKS, which I've used before.
>>
>> On Wed, Aug 1, 2018 at 12:36 PM Jeff Jirsa  wrote:
>>
>>> EBS encryption worked well on gp2 volumes (never tried it on any others)
>>>
>>> --
>>> Jeff Jirsa
>>>
>>>
>>> On Aug 1, 2018, at 7:57 AM, Rahul Reddy 
>>> wrote:
>>>
>>> Hello,
>>>
>>> Anyone tried aws ec2 volume encryption for Cassandra instances?
>>>
>>> On Tue, Jul 31, 2018, 12:25 PM Rahul Reddy
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm trying to find a good document on how to enable encryption for Apache
>>>> Cassandra (not on dse) tables and commitlogs and store the keystore in kms
>>>> or vault. If any of you already configured please direct me to
>>>> documentation for it.
>>>>
>>>
>>
>> --
>> Jon Haddad
>> http://www.rustyrazorblade.com
>> twitter: rustyrazorblade
>>
> --
>
>
> *Ben Slater*
>
> *Chief Product Officer *
>


-- 
Jon Haddad
http://www.rustyrazorblade.com
twitter: rustyrazorblade


Re: Secure data

2018-08-01 Thread Ben Slater
My recommendation is generally to look at encrypting in your application as
it’s likely to be overall more secure than DB-level encryption anyway
(generally the closer to the user you encrypt the better). I wrote a blog
on this last year:
https://www.instaclustr.com/securing-apache-cassandra-with-application-level-encryption/

We also use encrypted GP2 EBS pretty widely without issue.

Cheers
Ben

On Thu, 2 Aug 2018 at 05:38 Jonathan Haddad  wrote:

> You can also get full disk encryption with LUKS, which I've used before.
>
> On Wed, Aug 1, 2018 at 12:36 PM Jeff Jirsa  wrote:
>
>> EBS encryption worked well on gp2 volumes (never tried it on any others)
>>
>> --
>> Jeff Jirsa
>>
>>
>> On Aug 1, 2018, at 7:57 AM, Rahul Reddy  wrote:
>>
>> Hello,
>>
>> Anyone tried aws ec2 volume encryption for Cassandra instances?
>>
>> On Tue, Jul 31, 2018, 12:25 PM Rahul Reddy
>> wrote:
>>
>>> Hello,
>>>
>>> I'm trying to find a good document on how to enable encryption for Apache
>>> Cassandra (not on dse) tables and commitlogs and store the keystore in kms
>>> or vault. If any of you already configured please direct me to
>>> documentation for it.
>>>
>>
>
> --
> Jon Haddad
> http://www.rustyrazorblade.com
> twitter: rustyrazorblade
>
-- 


*Ben Slater*

*Chief Product Officer *

   




Re: Secure data

2018-08-01 Thread Jonathan Haddad
You can also get full disk encryption with LUKS, which I've used before.

On Wed, Aug 1, 2018 at 12:36 PM Jeff Jirsa  wrote:

> EBS encryption worked well on gp2 volumes (never tried it on any others)
>
> --
> Jeff Jirsa
>
>
> On Aug 1, 2018, at 7:57 AM, Rahul Reddy  wrote:
>
> Hello,
>
> Anyone tried aws ec2 volume encryption for Cassandra instances?
>
> On Tue, Jul 31, 2018, 12:25 PM Rahul Reddy
> wrote:
>
>> Hello,
>>
>> I'm trying to find a good document on how to enable encryption for Apache
>> Cassandra (not on dse) tables and commitlogs and store the keystore in kms
>> or vault. If any of you already configured please direct me to
>> documentation for it.
>>
>

-- 
Jon Haddad
http://www.rustyrazorblade.com
twitter: rustyrazorblade


Re: Secure data

2018-08-01 Thread Jeff Jirsa
EBS encryption worked well on gp2 volumes (never tried it on any others)

-- 
Jeff Jirsa


> On Aug 1, 2018, at 7:57 AM, Rahul Reddy  wrote:
> 
> Hello,
> 
> Anyone tried aws ec2 volume encryption for Cassandra instances?
> 
>> On Tue, Jul 31, 2018, 12:25 PM Rahul Reddy wrote:
>> Hello,
>> 
>> I'm trying to find a good document on how to enable encryption for Apache 
>> Cassandra (not on dse) tables and commitlogs and store the keystore in kms 
>> or vault. If any of you already configured please direct me to documentation 
>> for it.


Re: Secure data

2018-08-01 Thread Rahul Reddy
Hello,

Anyone tried aws ec2 volume encryption for Cassandra instances?

On Tue, Jul 31, 2018, 12:25 PM Rahul Reddy wrote:

> Hello,
>
> I'm trying to find a good document on how to enable encryption for Apache
> Cassandra (not on dse) tables and commitlogs and store the keystore in kms
> or vault. If any of you already configured please direct me to
> documentation for it.
>


Secure data

2018-07-31 Thread Rahul Reddy
Hello,

I'm trying to find a good document on how to enable encryption for Apache
Cassandra (not on dse) tables and commitlogs and store the keystore in kms
or vault. If any of you already configured please direct me to
documentation for it.