Re: [CentOS] LUKS question

2017-12-13 Thread m.roth
John Hodrien wrote:
> On Wed, 13 Dec 2017, Kern, Thomas (CONTR) wrote:
>
>> If your requirement is for the entire system to be encrypted then I
>> think the only option is a system rebuild, but if you can convince
>> management that a good compromise is encrypting only the applications
>> and their data, you should be able to add encrypted storage, copy the
>> sensitive files and wipe the old allocations. I have done this for a
>> test system encrypting a MySQL database instance and a web server
>> instance, in anticipation of an "encrypted at rest" directive coming
>> down from management.
>
> How about:
>
> Add temporary storage, encrypted, set as a PV, add to VG.  Rebuild
> initramfs, and reboot, confirming that it properly unlocks the storage
> as expected. pvmove, delete internal PV and replace with encrypted PV,
> pvmove back?
>
> You'd hope that'd be quite tolerant of being interrupted in the middle.
>
> If you're happy that works, the same recipe should work without a reboot.
>
Or, as we're doing, make sure everyone's off, make a final full backup (I
assume you're doing nightly backups), rebuild, then restore from backup.

mark

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] LUKS question

2017-12-13 Thread John Hodrien

On Wed, 13 Dec 2017, Kern, Thomas (CONTR) wrote:

> If your requirement is for the entire system to be encrypted then I think
> the only option is a system rebuild, but if you can convince management
> that a good compromise is encrypting only the applications and their data,
> you should be able to add encrypted storage, copy the sensitive files and
> wipe the old allocations. I have done this for a test system encrypting a
> MySQL database instance and a web server instance, in anticipation of an
> "encrypted at rest" directive coming down from management.

How about:

Add temporary storage, encrypted, set as a PV, add to VG.  Rebuild initramfs,
and reboot, confirming that it properly unlocks the storage as expected.
pvmove, delete internal PV and replace with encrypted PV, pvmove back?

You'd hope that'd be quite tolerant of being interrupted in the middle.

If you're happy that works, the same recipe should work without a reboot.

jh
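
The two-hop pvmove recipe John sketches above, scripted as an added example (this is not code from the thread or from CentOS). The volume group name vg0, the plaintext PV /dev/sda2, the spare disk /dev/sdb and the mapper names crypt_tmp and crypt_root are placeholders to be replaced. Every command goes through a small wrapper, so with DRY_RUN=1 the whole plan is printed rather than executed and can be reviewed before anything touches a disk.

```shell
#!/bin/sh
# Added example, not code from the list thread or from CentOS: the two-hop
# pvmove recipe scripted. Assumed names (placeholders, change them): VG vg0,
# plaintext PV /dev/sda2, spare disk /dev/sdb, mapper names crypt_tmp and
# crypt_root. With DRY_RUN=1 every command is printed instead of executed.
set -eu

run() {                                   # print-or-execute wrapper
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# /etc/crypttab line that dracut copies into the initramfs to unlock the
# device at boot. Keyed on the LUKS UUID so a renumbered /dev/sdX cannot
# break the boot.
crypttab_line() {                         # $1 = mapper name, $2 = LUKS UUID
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

luks_uuid() {                             # $1 = device
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'UUID-OF-%s\n' "$1"        # placeholder while previewing
    else
        cryptsetup luksUUID "$1"
    fi
}

# Blank device -> LUKS container (LUKS1 on CentOS 7's cryptsetup) -> open
# mapping -> PV inside the VG, plus its crypttab entry.
add_encrypted_pv() {                      # $1 = VG, $2 = device, $3 = mapper name
    run cryptsetup luksFormat "$2"
    run cryptsetup luksOpen "$2" "$3"
    run pvcreate "/dev/mapper/$3"
    run vgextend "$1" "/dev/mapper/$3"
    line=$(crypttab_line "$3" "$(luks_uuid "$2")")
    run sh -c 'printf "%s\n" "$1" >> /etc/crypttab' sh "$line"
}

# Hop 1: attach the spare disk as an encrypted PV and rebuild the initramfs.
# The reboot that follows proves the unlock path while the plaintext PV is
# still intact and nothing has been moved.
phase1_add_temp_pv() {                    # $1 = VG, $2 = spare disk, $3 = tmp mapper
    add_encrypted_pv "$1" "$2" "$3"
    run dracut -f
    printf 'Reboot, check that %s is unlocked and active in %s, then run phase2.\n' "$3" "$1"
}

# Hop 2: empty the plaintext PV, wipe it, re-create it as LUKS, move the
# extents back and retire the temporary PV.
phase2_swap_pv() {          # $1 = VG, $2 = plaintext PV, $3 = tmp mapper, $4 = final mapper
    run pvmove "$2" "/dev/mapper/$3"
    run vgreduce "$1" "$2"
    run pvremove "$2"
    # pvmove copies, it does not scrub: the old extents stay readable on $2
    # until overwritten, so zero the device before the LUKS header goes on.
    run shred -n 0 -z "$2"
    add_encrypted_pv "$1" "$2" "$4"
    run pvmove "/dev/mapper/$3" "/dev/mapper/$4"
    run vgreduce "$1" "/dev/mapper/$3"
    run pvremove "/dev/mapper/$3"
    run cryptsetup luksClose "$3"
    run sed -i "/^$3 /d" /etc/crypttab    # drop the temporary entry
    run dracut -f
}

case "${1:-}" in
    phase1) phase1_add_temp_pv "$2" "$3" crypt_tmp ;;          # phase1 vg0 /dev/sdb
    phase2) phase2_swap_pv "$2" "$3" crypt_tmp crypt_root ;;   # phase2 vg0 /dev/sda2
esac
```

Run `phase1 vg0 /dev/sdb`, reboot, confirm with `pvs` that crypt_tmp is active in the VG, then run `phase2 vg0 /dev/sda2`. The spare disk needs at least as much free space as the used extents on the plaintext PV (`pvs` shows both). On the interruption question: LVM records a pvmove in the VG metadata, and running `pvmove` with no arguments after a crash resumes the move, which is the tolerance John is hoping for. What this recipe does not cover is /boot, which normally sits outside the VG and stays in the clear.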


Re: [CentOS] LUKS question

2017-12-13 Thread Kern, Thomas (CONTR)
If your requirement is for the entire system to be encrypted then I think the 
only option is a system rebuild, but if you can convince management that a good 
compromise is encrypting only the applications and their data, you should be 
able to add encrypted storage, copy the sensitive files and wipe the old 
allocations. I have done this for a test system encrypting a MySQL database 
instance and a web server instance, in anticipation of an "encrypted at rest" 
directive coming down from management.

--
Thomas Kern
Senior VM Systems Programmer/Linux Systems Administrator
Office of the Chief Information Officer
On Contract to U.S. Department of Energy
O: 301-903-2211 | M: 301-905-6427
thomas.k...@hq.doe.gov
--
A subtlety of Murphy's Law:
If it can go wrong, it already has, 
and you just haven't realized it yet.

-Original Message-
From: Wells, Roger K. [mailto:wel...@leidos.com] 
Sent: Tuesday, December 12, 2017 9:41 AM
To: CentOS mailing list <centos@centos.org>
Subject: [CentOS] LUKS question

I have existing systems with un-encrypted disks.
I have tried unsuccessfully to encrypt them using LUKS.
Has anyone out there been able to encrypt an existing system (after the 
fact, so to speak)?

TIA

-- 
Roger Wells, P.E.
leidos
221 Third St
Newport, RI 02840
401-847-4210 (voice)
401-849-1585 (fax)
roger.k.we...@leidos.com


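
Thomas's data-only compromise, as an added example (not code from the thread): one application's data directory is moved onto a freshly encrypted volume and the plaintext copy is wiped afterwards. The MariaDB data directory /var/lib/mysql, the service name mariadb, the spare device /dev/sdc, the mapper name crypt_mysql and XFS on the new volume are all assumptions; SELinux is taken to be enforcing, as on a stock CentOS 7. DRY_RUN=1 prints the plan instead of running it.

```shell
#!/bin/sh
# Added example, not code from the thread: Thomas's data-only compromise.
# One application's data directory is moved onto a freshly encrypted volume
# and the plaintext copy is wiped afterwards. Assumptions (placeholders):
# MariaDB data in /var/lib/mysql, service name mariadb, spare device
# /dev/sdc, mapper name crypt_mysql, XFS on the new volume, SELinux
# enforcing as on a stock CentOS 7. DRY_RUN=1 prints instead of executing.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

migrate_dir_to_luks() {   # $1 = data dir, $2 = device, $3 = mapper name, $4 = service
    run systemctl stop "$4"                  # no writers during the copy
    run cryptsetup luksFormat "$2"
    run cryptsetup luksOpen "$2" "$3"
    run mkfs.xfs "/dev/mapper/$3"
    run mkdir -p /mnt/stage
    run mount "/dev/mapper/$3" /mnt/stage
    # -a owners and modes, -H hard links, -A ACLs, -X xattrs (the SELinux
    # labels live there), --numeric-ids skips name lookups. Trailing slash
    # on the source copies its contents, not the directory itself.
    run rsync -aHAX --numeric-ids "$1/" /mnt/stage/
    run umount /mnt/stage
    run mv "$1" "$1.old"                     # kept until the service is proven good
    run mkdir "$1"
    run mount "/dev/mapper/$3" "$1"
    run restorecon -R "$1"
    # Persist it: crypttab keyed on the LUKS UUID (survives /dev/sdX renumbering)
    # for boot-time unlock, fstab keyed on the mapper name.
    if [ "${DRY_RUN:-0}" = "1" ]; then uuid="UUID-OF-$2"; else uuid=$(cryptsetup luksUUID "$2"); fi
    run sh -c 'printf "%s UUID=%s none luks\n" "$1" "$2" >> /etc/crypttab' sh "$3" "$uuid"
    run sh -c 'printf "/dev/mapper/%s %s xfs defaults 0 0\n" "$1" "$2" >> /etc/fstab' sh "$3" "$1"
    run systemctl start "$4"
    printf 'Check %s against %s, then: wipe_old_copy %s.old\n' "$4" "$1" "$1"
}

# shred overwrites a file's current blocks. On journalled filesystems such
# as ext4 and XFS, and on SSDs that remap writes, earlier copies may survive
# it; if the old data sat on its own LV or partition, overwriting that whole
# block device (shred -n 0 -z /dev/vg0/olddata) is the trustworthy wipe.
wipe_old_copy() {         # $1 = directory holding the plaintext copy
    run find "$1" -type f -exec shred -n 1 -z -u '{}' +
    run rm -rf "$1"
}

case "${1:-}" in
    migrate) migrate_dir_to_luks /var/lib/mysql "$2" crypt_mysql mariadb ;;  # migrate /dev/sdc
    wipe)    wipe_old_copy "$2" ;;
esac
```

The order matters more than the individual commands: the service is stopped before the copy and started only after the new mount is in place and relabelled, and the old directory is renamed rather than deleted so the application can be checked against the encrypted copy before the wipe. The caveat on shred is the one Thomas's "wipe the old allocations" glosses over: file-level overwriting is only trustworthy when the filesystem and the device underneath actually overwrite in place.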


Re: [CentOS] LUKS question

2017-12-12 Thread John R Pierce

On 12/12/2017 3:42 PM, Robert Nichols wrote:
> On 12/12/2017 08:41 AM, Wells, Roger K. wrote:
>> I have existing systems with un-encrypted disks.
>> I have tried unsuccessfully to encrypt them using LUKS.
>> Has anyone out there been able to encrypt an existing system (after
>> the fact, so to speak)?
>
> You can do that with cryptsetup-reencrypt, but it needs to be able to
> make space for the ~2MB LUKS header ahead of the filesystem in the
> partition. That's a fairly risky operation -- shrinking the filesystem
> slightly and shifting it over.

The whole reencrypt process is subject to complete failure if the system
reboots partly through as there's no way to deal with partially
encrypted and partially cleartext.

> An alternative is LUKS with a detached header, but maintaining that
> relationship is an administrative headache with a severe penalty for
> error.

I'd say disk encryption in general is an admin headache with severe
penalty for error.



--
john r pierce, recycling bits in santa cruz



Re: [CentOS] LUKS question

2017-12-12 Thread Robert Nichols

On 12/12/2017 08:41 AM, Wells, Roger K. wrote:
> I have existing systems with un-encrypted disks.
> I have tried unsuccessfully to encrypt them using LUKS.
> Has anyone out there been able to encrypt an existing system (after the
> fact, so to speak)?

You can do that with cryptsetup-reencrypt, but it needs to be able to make 
space for the ~2MB LUKS header ahead of the filesystem in the partition. That's 
a fairly risky operation -- shrinking the filesystem slightly and shifting it 
over. An alternative is LUKS with a detached header, but maintaining that 
relationship is an administrative headache with a severe penalty for error.

--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.

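
The in-place route Robert describes, as an added example (not code from the thread or from the cryptsetup project): shrink the filesystem by the size of a LUKS1 header, then let cryptsetup-reencrypt, the offline tool shipped with CentOS 7's cryptsetup, encrypt the partition underneath it. It assumes ext4 directly on /dev/sda2, a device that is not mounted (for the root filesystem that means working from a rescue boot), and the 4096-sector (2 MiB) LUKS1 header Robert's "~2MB" refers to; crypt_root is a placeholder mapper name. DRY_RUN=1 prints every command instead of running it.

```shell
#!/bin/sh
# Added example, not code from the thread or from the cryptsetup project:
# the in-place route Robert describes. Shrink the filesystem by the size of
# a LUKS1 header, then let cryptsetup-reencrypt (the offline tool shipped
# with CentOS 7's cryptsetup) encrypt the partition underneath it.
# Assumptions: ext4 on /dev/sda2, the device is not mounted (for the root
# filesystem that means working from a rescue boot), and a 4096-sector
# (2 MiB) LUKS1 header. DRY_RUN=1 prints every command instead of running it.
set -eu

HEADER_SECTORS=4096     # LUKS1 default payload offset; LUKS2 defaults to 16 MiB

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Filesystem block count that leaves HEADER_SECTORS * 512 bytes free at the
# end of the partition, rounding the reserve up to whole filesystem blocks.
shrunk_block_count() {  # $1 = current fs block count, $2 = fs block size in bytes
    header_bytes=$((HEADER_SECTORS * 512))
    reserve_blocks=$(( (header_bytes + $2 - 1) / $2 ))
    echo $(( $1 - reserve_blocks ))
}

# Block count and block size straight from the ext4 superblock.
ext4_geometry() {       # $1 = device; prints "<blocks> <blocksize>"
    dumpe2fs -h "$1" 2>/dev/null |
        awk -F': *' '/^Block count/ {n=$2} /^Block size/ {s=$2} END {print n, s}'
}

encrypt_in_place() {    # $1 = device, $2 = mapper name, $3 = fs blocks, $4 = block size
    target=$(shrunk_block_count "$3" "$4")
    run e2fsck -f "$1"                  # resize2fs refuses an unchecked filesystem;
    run resize2fs "$1" "$target"        # a non-zero fsck result aborts the run, by design
    # Offline and in place. Keep this working directory: the tool writes a
    # LUKS-<uuid>.log in it and a re-run with the same arguments resumes
    # from the log instead of starting over.
    run cryptsetup-reencrypt --new --reduce-device-size "${HEADER_SECTORS}S" "$1"
    run cryptsetup luksOpen "$1" "$2"
    run e2fsck -f "/dev/mapper/$2"
    run resize2fs "/dev/mapper/$2"      # grow to fill the mapping exactly
}

# Boot plumbing once the partition is encrypted: crypttab so dracut unlocks
# it, the rd.luks.uuid kernel argument so dracut waits for the right device,
# then a fresh grub.cfg and initramfs. fstab entries keyed on the filesystem
# UUID keep working; entries naming /dev/sda2 must be changed by hand to
# /dev/mapper/<name>.
boot_config_for() {     # $1 = device, $2 = mapper name
    if [ "${DRY_RUN:-0}" = "1" ]; then uuid="UUID-OF-$1"; else uuid=$(cryptsetup luksUUID "$1"); fi
    run sh -c 'printf "%s UUID=%s none luks\n" "$1" "$2" >> /etc/crypttab' sh "$2" "$uuid"
    run sed -i "s/^GRUB_CMDLINE_LINUX=\"/&rd.luks.uuid=$uuid /" /etc/default/grub
    run grub2-mkconfig -o /boot/grub2/grub.cfg
    run dracut -f
}

case "${1:-}" in
    encrypt)            # usage: encrypt /dev/sda2 crypt_root
        encrypt_in_place "$2" "$3" $(ext4_geometry "$2")
        boot_config_for "$2" "$3"
        ;;
esac
```

Two practical notes. First, the shrink is the risky half Robert points at: the last few filesystem blocks are given up so the data can be shifted forward by one header, and the block arithmetic has to match the header the tool will actually write (the sector count is passed to `--reduce-device-size` from the same variable). Second, for the root filesystem `boot_config_for` has to run from a chroot into the re-opened root, with the target kernel version passed to `dracut` if it differs from the rescue kernel, otherwise the initramfs that gets rebuilt is the wrong one.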


Re: [CentOS] LUKS question

2017-12-12 Thread Valeri Galtsev

On Tue, December 12, 2017 9:06 am, Christian, Mark wrote:
> On Tue, 2017-12-12 at 09:41 -0500, Wells, Roger K. wrote:
>> I have existing systems with un-encrypted disks.
>> I have tried unsuccessfully to encrypt them using LUKS.
>> Has anyone out there been able to encrypt an existing system (after the
>> fact, so to speak)?
> Using cryptsetup to create a LUKS encrypted disk will wipe all the data on
> an existing disk.

This is easy to understand if one considers them as layers: you cannot
sneak anything underneath an existing layer, you can only put the next
layer on top of the existing one (the first is without encryption, the
second is with):

physical or virtual disk --> filesystem

physical or virtual disk --> encryption layer --> filesystem

I hope, this helps.

Valeri

>
> Mark
>
>>
>> TIA
>>



Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] LUKS question

2017-12-12 Thread Christian, Mark
On Tue, 2017-12-12 at 09:41 -0500, Wells, Roger K. wrote:
> I have existing systems with un-encrypted disks.
> I have tried unsuccessfully to encrypt them using LUKS.
> Has anyone out there been able to encrypt an existing system (after the 
> fact, so to speak)?
Using cryptsetup to create a LUKS encrypted disk will wipe all the data on an
existing disk.

Mark

> 
> TIA
> 


[CentOS] LUKS question

2017-12-12 Thread Wells, Roger K.

I have existing systems with un-encrypted disks.
I have tried unsuccessfully to encrypt them using LUKS.
Has anyone out there been able to encrypt an existing system (after the 
fact, so to speak)?


TIA

--
Roger Wells, P.E.
leidos
221 Third St
Newport, RI 02840
401-847-4210 (voice)
401-849-1585 (fax)
roger.k.we...@leidos.com
