Performing LUKS disk encryption for an added drive


This section describes the procedure for Linux Unified Key Setup (LUKS) disk encryption for an added drive. These instructions apply to a Discovery appliance where you want to move the datastore to a new disk that has Full Disk Encryption (FDE) enabled on RHEL or CentOS 7. In the following code examples, the new disk /dev/sdb is mounted on /mnt/disk2.

Important

If you wish to encrypt an entire Virtual Appliance, or a specific partition, you should use the Kickstart DVD.

Before you begin

Ensure that the February 2019 OSU, or later, is installed because it has the libraries and applications required for the LUKS encryption.

To perform LUKS disk encryption for an added drive

  1. Perform the following steps to prepare the appliance for disk encryption.
    1. Run the following commands to stop the service:

      systemctl stop appliance.service
      systemctl stop cluster.service
      systemctl stop tideway-start.service
      systemctl stop tideway-stop.service
    2. Run the following commands to disable BMC Discovery services:

      systemctl disable tideway-start.service
      systemctl disable cluster.service
      systemctl disable appliance.service
      systemctl disable tideway-stop.service

    3. Perform the following additional tasks to complete the preparation of the appliance:
      1. Shut down the appliance.
      2. Add the new disk.
      3. Restart the appliance.
  2. Optional: Run the following command to obfuscate the disk or partition:

    Note

    You can obfuscate the disk or partition by using /dev/random or /dev/urandom, but this can take a long time. The shred command is a faster but less secure alternative. Zeroing the entire disk is also a possibility. The following command acts on the whole disk, but you can run it on a specific partition instead if required.

    shred -v --iterations 1 /dev/sdb
  3. Run the fdisk command to create a new primary partition /dev/sdb1 using all the space available:

    # fdisk /dev/sdb
    > n (create new partition)
    > p (type of partition: primary)
    > 1 (number of partition: 1)
    > <ENTER> (hit enter to use default sizing - from the beginning of the disk)
    > <ENTER> (hit enter to use default sizing - to the end of the disk)
    > w (to write changes and exit)
  4. Initialize the partition in any of the following ways:
    • Run the following command for selecting default values:

      cryptsetup --verify-passphrase luksFormat /dev/sdb1
    • Alternatively, run the following command for customizing the ciphers and keys:

      cryptsetup --verify-passphrase --cipher <cipher-mode-iv> --key-size <key-size> luksFormat /dev/sdb1

      For more information about ciphers and keys, see this article.

  5. To open the encrypted device and make it available to the device mapper, do the following:
    1. Run the following command:

      cryptsetup luksOpen /dev/sdb1 datastore

      Note

      The name datastore is used to denote the device name that will appear in the device mapper.

      Executing the command should now create: /dev/mapper/datastore

    2. To confirm this, enter the following command:

      # ls -la /dev/mapper/datastore

      The following is a sample output:

      lrwxrwxrwx. 1 root root 7 Mar 21 16:10 /dev/mapper/datastore -> ../dm-0
  6. Run the following command to format the file system:

    mkfs.ext4 /dev/mapper/datastore
  7. Run the following command to create the mount point and mount the file system:

    mkdir /mnt/disk2
    mount /dev/mapper/datastore /mnt/disk2
    chown tideway:tideway /mnt/disk2
  8. To allow the encrypted partitions to be opened at boot, create the file /etc/crypttab (if it does not exist) and run the following command:

    echo "datastore /dev/sdb1 none" >> /etc/crypttab
  9. To allow mounting at boot time, modify /etc/fstab and add the following entry (align it with the existing entries):

    /dev/mapper/datastore /mnt/disk2 ext4 defaults 1 2
  10. To update the datastore linking to point to the new location, modify /usr/tideway/etc/link.conf to point the datastore data and logs to the correct location.
    • Update the DATA_PHYSICAL and LOGS_PHYSICAL variables so that they are set to /mnt/disk2/data and /mnt/disk2/logs. For example:

      #== Core Datastore Files Location ============================================
      DATA_LOGICAL="${TIDEWAY}/var/tideway.db/data"
      DATA_PHYSICAL="/mnt/disk2/data"

      #== Datastore Log Files Location =============================================
      LOGS_LOGICAL="${TIDEWAY}/var/tideway.db/logs"
      LOGS_PHYSICAL="/mnt/disk2/logs"
  11. Optional: If you have an existing datastore, you will need to move it to an encrypted disk. To achieve this, run the following commands:

    cd /usr/tideway/var/localdisk/tideway.db
    cp -Ra data logs /mnt/disk2
  12. Reboot the system to make sure that the mounting and other tasks are done correctly. The boot sequence prompts you for the passphrase. Keep your passphrase ready. If the reboot worked as expected, a mount command will show /dev/sdb1 on /mnt/disk2 of type ext4.
  13. Run the following commands to enable the BMC Discovery services:

    systemctl enable appliance.service
    systemctl enable cluster.service
    systemctl enable tideway-start.service
    systemctl enable tideway-stop.service
  14. Reboot again.

    Note

    If the existing datastore data is not present, the model service will re-initialize in the new location.
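The configuration edits in steps 8 to 10 and the mount check in step 12 are easy to get wrong on a second run: the `echo >> /etc/crypttab` form appends a duplicate line every time it is repeated, and a wrong DATA_PHYSICAL or fstab mount point only shows up after the reboot. The following POSIX shell helpers are an added example, not part of the BMC documentation: they add the crypttab and fstab entries idempotently, set the link.conf variables in place, and verify that the three files agree before you reboot. The file paths, the mapping name `datastore`, the device `/dev/sdb1` and the mount point `/mnt/disk2` are taken from the procedure above and can be overridden through the variables at the top; `check_mounted` reads a file in /proc/mounts format (pass /proc/mounts on the appliance) and looks for the mapped device `/dev/mapper/datastore`, which is the device name mount reports for an opened LUKS volume.

```shell
#!/bin/sh
# Added example (not BMC's code): idempotent config edits and a pre-reboot
# consistency check for the LUKS datastore procedure. Values default to the
# ones used in the procedure; override them to dry-run against copies of the
# files, e.g. CRYPTTAB=/tmp/crypttab.
CRYPT_NAME="${CRYPT_NAME:-datastore}"
CRYPT_DEV="${CRYPT_DEV:-/dev/sdb1}"
MOUNT_POINT="${MOUNT_POINT:-/mnt/disk2}"

# add_line FILE LINE: append LINE to FILE only if that exact line is not
# already there, so re-running the procedure does not duplicate entries
# (a plain `echo >> FILE` would).
add_line() {
    file="$1"; line="$2"
    touch "$file"
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# crypttab_entry: the step-8 line, "name device keyfile"; "none" means no
# key file, so the passphrase is prompted for at boot.
crypttab_entry() { printf '%s %s none\n' "$CRYPT_NAME" "$CRYPT_DEV"; }

# fstab_entry: the step-9 line; the mount source is the mapped device, not
# the raw partition. Fields 5 and 6 (dump, fsck order) are as on the page.
fstab_entry() { printf '/dev/mapper/%s %s ext4 defaults 1 2\n' "$CRYPT_NAME" "$MOUNT_POINT"; }

# set_var FILE NAME VALUE: rewrite the NAME="..." assignment in a link.conf
# style file (step 10), leaving every other line, including DATA_LOGICAL and
# the comment banners, untouched.
set_var() {
    file="$1"; name="$2"; value="$3"
    tmp="$file.tmp.$$"
    awk -v n="$name" -v v="$value" '
        index($0, n "=") == 1 { print n "=\"" v "\""; next }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# check_config CRYPTTAB FSTAB LINKCONF: succeed only if the crypttab mapping,
# the fstab entry and link.conf's DATA_PHYSICAL/LOGS_PHYSICAL all refer to
# the same mapped device and mount point. Prints the first mismatch found.
check_config() {
    crypttab="$1"; fstab="$2"; linkconf="$3"
    grep -qxF -- "$(crypttab_entry)" "$crypttab" \
        || { echo "crypttab: missing '$(crypttab_entry)'"; return 1; }
    grep -qxF -- "$(fstab_entry)" "$fstab" \
        || { echo "fstab: missing '$(fstab_entry)'"; return 1; }
    for var in DATA_PHYSICAL LOGS_PHYSICAL; do
        val=$(sed -n "s/^$var=\"\(.*\)\"$/\1/p" "$linkconf")
        case "$val" in
            "$MOUNT_POINT"/*) ;;
            *) echo "link.conf: $var='$val' is not under $MOUNT_POINT"; return 1 ;;
        esac
    done
    echo "crypttab, fstab and link.conf agree on /dev/mapper/$CRYPT_NAME at $MOUNT_POINT"
}

# check_mounted MOUNTS: succeed if the mapped device is mounted on MOUNT_POINT
# as ext4, reading a /proc/mounts-format file (step-12 verification).
check_mounted() {
    awk -v dev="/dev/mapper/$CRYPT_NAME" -v mp="$MOUNT_POINT" \
        '$1 == dev && $2 == mp && $3 == "ext4" { found = 1 } END { exit !found }' "$1"
}

# Typical use on the appliance, run as root after step 7:
#   add_line /etc/crypttab "$(crypttab_entry)"
#   add_line /etc/fstab "$(fstab_entry)"
#   set_var /usr/tideway/etc/link.conf DATA_PHYSICAL /mnt/disk2/data
#   set_var /usr/tideway/etc/link.conf LOGS_PHYSICAL /mnt/disk2/logs
#   check_config /etc/crypttab /etc/fstab /usr/tideway/etc/link.conf
# and after the reboot in step 12:
#   check_mounted /proc/mounts
```

Because every helper takes the file paths as arguments, you can exercise them against copies of the real files first; `check_config` failing before you reboot is far cheaper than discovering a stray fstab line at the console after the passphrase prompt.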

To confirm if the process was successful from the BMC Discovery configuration perspective, log into the BMC Discovery UI. If the UI is operational, the process has succeeded.