Re: LUKS question

On Wed, 13 Dec 2017, Kern, Thomas (CONTR) wrote:

> If your requirement is for the entire system to be encrypted then I think
> the only option is a system rebuild, but if you can convince management that a good
> compromise is encrypting only the applications and their data, you should be
> able to add encrypted storage, copy the sensitive files and wipe the old
> allocations. I have done this for a test system encrypting a MySQL database
> instance and a web server instance, in anticipation of an "encrypted at
> rest" directive coming down from management.

How about:

Add temporary storage, encrypted, set as a PV, add to VG.  Rebuild initramfs,
and reboot, confirming that it properly unlocks the storage as expected.
pvmove, delete internal PV and replace with encrypted PV, pvmove back?

You'd hope that'd be quite tolerant of being interrupted in the middle.

If you're happy that works, the same recipe should work without a reboot.

jh
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
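
The recipe in the reply above, written out as an added example (not part of the original post or of any CentOS tooling): a dry-run script that prints the command sequence for swapping a plaintext PV for a LUKS-backed one via a temporary encrypted PV. The names vg0, /dev/sda2, /dev/sdb1, luks_tmp and luks_main are assumptions, and /etc/crypttab plus dracut are assumed to be how the host unlocks volumes at boot.

```shell
#!/bin/bash
# Added example: dry-run plan for the encrypted-PV swap described in the post.
# vg0, /dev/sda2, /dev/sdb1, luks_tmp and luks_main are assumed names.
DRY_RUN=${DRY_RUN:-1}   # prints commands unless DRY_RUN=0 is set explicitly

run() { if [ "$DRY_RUN" = 0 ]; then "$@"; else echo "$*"; fi; }

# Record the mapping so the rebuilt initramfs can unlock it at boot.
add_crypttab() {  # name device
  if [ "$DRY_RUN" = 0 ]; then
    echo "$1 UUID=$(cryptsetup luksUUID "$2") none" >> /etc/crypttab
  else
    echo "crypttab: $1 UUID=<luksUUID $2> none"
  fi
}

# LUKS-format a device, open it, and add the mapping to the VG as a PV.
add_encrypted_pv() {  # vg device name
  run cryptsetup luksFormat "$2"        # destroys existing data on $2
  run cryptsetup luksOpen "$2" "$3"
  run pvcreate "/dev/mapper/$3"
  run vgextend "$1" "/dev/mapper/$3"
  add_crypttab "$3" "$2"
  run dracut -f
}

# Move all extents off a PV, then drop it from the VG.
evacuate_pv() {  # vg source dest
  run pvmove "$2" "$3"
  run vgreduce "$1" "$2"
  run pvremove "$2"
}

migration_plan() {  # vg plaintext_pv temp_device
  add_encrypted_pv "$1" "$3" luks_tmp
  echo "# checkpoint: reboot and confirm luks_tmp unlocks before moving data"
  evacuate_pv "$1" "$2" /dev/mapper/luks_tmp
  add_encrypted_pv "$1" "$2" luks_main
  evacuate_pv "$1" /dev/mapper/luks_tmp /dev/mapper/luks_main
  run cryptsetup luksClose luks_tmp
  echo "# remove the luks_tmp line from /etc/crypttab, then: dracut -f"
}

migration_plan vg0 /dev/sda2 /dev/sdb1
```

If a pvmove is interrupted, running `pvmove` again with no PV arguments restarts the move that was in progress. Extents on the reformatted partition that stay unallocated after the move back still contain the old plaintext until they are overwritten.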


