Re: LUKS question




John Hodrien wrote:
> On Wed, 13 Dec 2017, Kern, Thomas (CONTR) wrote:
>
>> If your requirement is for the entire system to be encrypted then I
>> think the only is a system rebuild, but if you can convince management
>> that a good compromise is encrypting only the applications and their
>> data, you should be able to add encrypted storage, copy the sensitive
>> files and wipe the old allocations. I have done this for a test system
>> encrypting a MySQL database instance and a web server instance, in
>> anticipation of an "encrypted at rest" directive coming down from
>> management.
>
> How about:
>
> Add temporary storage, encrypted, set as a PV, add to VG.  Rebuild
> initramfs, and reboot, confirming that it properly unlocks the storage
> as expected.  pvmove, delete internal PV and replace with encrypted PV,
> pvmove back?
>
> You'd hope that'd be quite tolerant of being interrupted in the middle.
>
> If you're happy that works, the same recipe should work without a reboot.
>
Or, as we're doing, make sure everyone's off, make a final full backup (I
assume you're doing nightly backups), rebuild, then restore from backup.

    mark

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
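
The pvmove recipe quoted in the message above, written out as an added example that is not part of the original thread. The VG, device and mapper names (`luks_tmp`, `luks_main`) are placeholders, and a dracut-based initramfs is assumed; the script only prints the commands unless `DRY_RUN=0` is set.

```bash
#!/bin/sh
# Added example: the quoted pvmove recipe as a dry-run-by-default script.
# All device, VG and mapper names are placeholders (assumptions).
DRY_RUN="${DRY_RUN:-1}"   # set DRY_RUN=0 to actually execute the commands

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Format DEV as LUKS, open it as /dev/mapper/NAME, add it to VG as a PV.
add_luks_pv() {  # VG DEV NAME
    run cryptsetup luksFormat "$2"
    run cryptsetup open "$2" "$3"
    run pvcreate "/dev/mapper/$3"
    run vgextend "$1" "/dev/mapper/$3"
}

# Record the mapping in /etc/crypttab and rebuild the initramfs so the
# volume can be unlocked at boot.
persist_unlock() {  # NAME DEV
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ append to /etc/crypttab: $1 $2 none luks"
    else
        echo "$1 $2 none luks" >> /etc/crypttab
    fi
    run dracut -f
}

# Move every extent from SRC to DST, then retire SRC from the VG.
move_and_retire() {  # VG SRC DST
    run pvmove "$2" "$3"
    run vgreduce "$1" "$2"
    run pvremove "$2"
}

# Phase 1: add the encrypted temporary PV. Reboot afterwards and confirm
# that it unlocks before continuing.
phase1() {  # VG OLD_PV TMP_DEV
    add_luks_pv "$1" "$3" luks_tmp
    persist_unlock luks_tmp "$3"
}

# Phase 2: evacuate the plaintext PV, re-create it encrypted, move back.
phase2() {  # VG OLD_PV TMP_DEV
    move_and_retire "$1" "$2" /dev/mapper/luks_tmp
    add_luks_pv "$1" "$2" luks_main
    persist_unlock luks_main "$2"
    move_and_retire "$1" /dev/mapper/luks_tmp /dev/mapper/luks_main
    run cryptsetup close luks_tmp
}

case "${1:-}" in phase1|phase2) "$@" ;; esac  # e.g. phase1 vg0 /dev/sda2 /dev/sdb
```

Sectors of the re-created PV that pvmove never writes still hold the old plaintext until they are overwritten, and the stale `luks_tmp` line in /etc/crypttab is left for manual removal.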


