As mentioned, you'll gain no additional security while the volume is mounted,
since anyone who can log into the machine and switch to the
root/puppet users will be able to access said data.

However, there are solutions which provide encryption and fine-grained
access control which remove the ability for any "unauthorized" process
to access your data, such as the root user. I use one of these
solutions to "protect" ePHI, but am not a fan of it so won't promote
it on this list, but ping me off-list if you're interested. Personally
I'd never use it for my puppet data/config and would think there are
other ways of ensuring its integrity.

--
Later,
Darin


On Wed, Aug 20, 2014 at 1:18 PM, Brian Mathis
<[email protected]> wrote:
> The only way to mount an encrypted volume on boot is if the password is
> stored somewhere on the server itself, such as in /etc/crypttab.  Maybe you
> could come up with a system that uses ssh to log in and "manually" mount the
> volume with a password after the system is booted.
>
> One thing to be aware of is that disk encryption at this level provides no
> additional security within the system -- anyone logged in can see and access
> all the files (subject to standard file permissions).  It does help with
> data on the underlying disk, which is only really of use when the machine is
> completely turned off, protecting it from an administrator on the VM host
> (though they would have full access to your system anyway), or from a SAN
> admin.
>
>
> ❧ Brian Mathis
> @orev
>
>
> On Wed, Aug 20, 2014 at 1:07 PM, Eugene Sapozhnikov <[email protected]>
> wrote:
>>
>> I have been given a project to secure our client hosts.
>>
>> One of the requirements was to set up an encrypted volume and mount it over
>> /var/puppet/lib.
>>
>> The other requirement was to have the encryption key reside only on the
>> puppet master.
>>
>> I have been able to use cryptsetup to have puppet configure and mount the
>> encrypted volume successfully.
>>
>> But I am running into a roadblock when the client server reboots and the
>> volume is unmounted. I can't use puppet to mount the volume as the puppet
>> agent will not connect successfully without the /var/lib/puppet being
>> mounted so it can use the original SSL cert.
>>
>>
>> Wanted to see if anyone here has tried any similar setups to what I am
>> trying to achieve.
>>
>>
>> Thanks.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/a532006d-e3cd-4c1b-bd6f-91a388e68fb0%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>
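One way to do the "ssh in and mount after boot" variant Brian describes so that the key only ever lives on the puppet master, as an added example that is not code from anyone in this thread: the script runs on the master, feeds the per-client key to cryptsetup through the SSH session's stdin (so it is never written to the client's disk), and starts the agent only once /var/lib/puppet/ssl is visible. The key directory, device and mapper names, GNU stat and systemctl on the client are all assumptions; Darin's caveat still applies, since root on the client can read everything while the volume is mounted.

```shell
#!/bin/sh
# Run on the puppet master after a client reboots: unlock the client's LUKS
# volume over SSH, feeding the key via stdin so it never touches the client's
# disk. Paths, device and mapper names are assumptions for this example.
set -eu

KEY_DIR=${KEY_DIR:-/etc/puppetlabs/luks-keys}   # assumed: one <host>.key per client, mode 0600
DEVICE=${DEVICE:-/dev/vg0/puppet}               # assumed LUKS block device on the client
MAPPER=${MAPPER:-puppet_crypt}                  # assumed dm-crypt mapping name
MOUNTPOINT=${MOUNTPOINT:-/var/lib/puppet}

# Refuse a key file that is empty or readable by anyone but its owner.
check_key_file() {
  f=$1
  [ -s "$f" ] || { echo "key file missing or empty: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f")                     # GNU stat (coreutils) assumed
  case "$mode" in
    600|400) return 0 ;;
    *) echo "key file $f has mode $mode, expected 0600" >&2; return 1 ;;
  esac
}

# Build the command the client runs. The key arrives on stdin and is passed to
# cryptsetup with --key-file=-. Idempotent: an existing mapping or mount is
# reused. The agent starts only after the mountpoint holds ssl/, which is the
# chicken-and-egg dependency from the thread.
remote_unlock_cmd() {
  device=$1; mapper=$2; mnt=$3
  printf '%s' "set -e; \
if [ ! -e /dev/mapper/$mapper ]; then cryptsetup open --type luks --key-file=- '$device' '$mapper'; fi; \
mountpoint -q '$mnt' || mount /dev/mapper/$mapper '$mnt'; \
test -d '$mnt/ssl'; systemctl start puppet"
}

unlock_client() {
  host=$1
  keyfile="$KEY_DIR/$host.key"
  check_key_file "$keyfile"
  # BatchMode: fail instead of prompting; the key travels only inside the SSH session.
  ssh -o BatchMode=yes "root@$host" \
    "$(remote_unlock_cmd "$DEVICE" "$MAPPER" "$MOUNTPOINT")" < "$keyfile"
}

# Usage: ./unlock-client.sh client.example.com
if [ -n "${1:-}" ]; then unlock_client "$1"; fi
```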