Hi Jon,

I was trying LUKS encryption following the doc
https://aws.amazon.com/blogs/security/how-to-protect-data-at-rest-with-amazon-ec2-instance-store-encryption/
on an EC2 i3.large machine.
I don't see the disk mounted, and I see the mapper at 100%. Do you see
anything wrong in the statements below?
I see this error in /var/log/messages:
 ERROR [instanceID=i-0de508d7fc188ab20] [MessagingDeliveryService] 
[Association] Unable to load instance associations, unable to retrieve 
associations unable to retrieve associations NoCredentialProviders: no valid 
providers in chain. Deprecated

df -h /dev/mapper/
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        7.5G  7.5G     0 100% /dev

#!/bin/bash

## Initial setup to be executed on boot
##====================================

# Create an empty file. This file will be used to host the file system.
# In this example we create a 2 GB file called secretfs (Secret File System).
dd of=secretfs bs=1G count=0 seek=2
# Lock down normal access to the file.
chmod 600 secretfs
# Associate a loopback device with the file.
losetup /dev/nvme0 secretfs
# Copy encrypted password file from S3. The password is used to configure LUKS later on.
aws s3 cp s3://mybucket/LuksInternalStorageKey .
# Decrypt the password from the file with KMS, save the secret password in LuksClearTextKey.
LuksClearTextKey=$(aws --region us-east-1 kms decrypt --ciphertext-blob \
    fileb://LuksInternalStorageKey --output text --query Plaintext | base64 \
    --decode)
# Encrypt storage in the device. cryptsetup will use the Linux
# device mapper to create, in this case, /dev/mapper/secretfs.
# Initialize the volume and set an initial key.
echo "$LuksClearTextKey" | cryptsetup -y luksFormat /dev/nvme0
# Open the partition, and create a mapping to /dev/mapper/secretfs.
echo "$LuksClearTextKey" | cryptsetup luksOpen /dev/nvme0 secretfs
# Clear the LuksClearTextKey variable because we don't need it anymore.
unset LuksClearTextKey
# Check its status (optional).
cryptsetup status secretfs
# Zero out the new encrypted device.
dd if=/dev/zero of=/dev/mapper/secretfs
# Create a file system and verify its status.
mke2fs -j -O dir_index /dev/mapper/secretfs
# List file system configuration (optional).
tune2fs -l /dev/mapper/secretfs
# Mount the new file system to /data_e/secretfs.
sudo mkdir /data_e/secretfs
sudo mount /dev/mapper/secretfs /data_e/secretfs


> On Aug 1, 2018, at 3:38 PM, Jonathan Haddad <j...@jonhaddad.com> wrote:
> 
> You can also get full disk encryption with LUKS, which I've used before.
> 
> On Wed, Aug 1, 2018 at 12:36 PM Jeff Jirsa <jji...@gmail.com> wrote:
> EBS encryption worked well on gp2 volumes (never tried it on any others)
> 
> -- 
> Jeff Jirsa
> 
> 
> On Aug 1, 2018, at 7:57 AM, Rahul Reddy <rahulreddy1...@gmail.com> wrote:
> 
>> Hello,
>> 
>> Has anyone tried AWS EC2 volume encryption for Cassandra instances?
>> 
>> On Tue, Jul 31, 2018, 12:25 PM Rahul Reddy <rahulreddy1...@gmail.com> wrote:
>> Hello,
>> 
>> I'm trying to find a good document on how to enable encryption for Apache
>> Cassandra (not on DSE) tables and commitlogs and store the keystore in KMS
>> or Vault. If any of you have already configured it, please direct me to
>> documentation for it.
> 
> 
> -- 
> Jon Haddad
> http://www.rustyrazorblade.com
> twitter: rustyrazorblade
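
An added example, not part of the original message or the AWS blog post: if the `luksOpen` step of a script like the one above fails, `/dev/mapper/secretfs` does not exist, and `dd of=/dev/mapper/secretfs` then creates a regular file inside devtmpfs, which is one way `/dev` can show 100% use. The guard below refuses to zero anything that is not a block device; the function names and scratch paths are hypothetical.

```shell
#!/bin/bash
# Added example: preflight guard for the zeroing step of a LUKS setup script.
# Function names and scratch paths are hypothetical, not from the AWS blog.

# Print the kind of node found at a path.
node_type() {
    if   [ -b "$1" ]; then echo block
    elif [ -c "$1" ]; then echo char
    elif [ -f "$1" ]; then echo regular
    elif [ -e "$1" ]; then echo other
    else                   echo missing
    fi
}

# Zero a target only if it is a block device. dd creates a regular file
# when its of= path does not exist, so an unchecked dd aimed at a mapper
# node that was never created writes into the /dev filesystem instead.
# Optional second argument: number of 1 MiB blocks (default: whole device).
guarded_zero() {
    local target="$1" count="${2:-}"
    local kind
    kind=$(node_type "$target")
    if [ "$kind" != block ]; then
        echo "refusing to zero $target: node type is $kind" >&2
        return 1
    fi
    dd if=/dev/zero of="$target" bs=1M ${count:+count="$count"} 2>/dev/null
}

# Constructed demonstration: a scratch directory stands in for /dev/mapper
# to show what the unguarded dd does when the mapping is absent.
unguarded_demo() {
    local dir
    dir=$(mktemp -d) || return 1
    # The mapping was never opened, so this path does not exist yet.
    dd if=/dev/zero of="$dir/secretfs" bs=1k count=4 2>/dev/null
    node_type "$dir/secretfs"   # dd has created a regular file
    rm -rf "$dir"
}
```

In a setup script, calling `guarded_zero /dev/mapper/secretfs` in place of the bare `dd` stops the run at the first sign that the mapping was not created.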
