AWS I3 Instance ephemeral Volume Encryption

Hello,

I'm new to LUKS encryption, please bear with me. I'm trying to test on an AWS EC2 i3.large machine. I'm trying to encrypt the entire /dev/nvme0n1 volume.


These are the steps I followed:

# Set readahead
yes | blockdev --setra 65536 /dev/nvme0n1


## LUKS
# Get the AWS key

# Store the ciphertext in /etc/.luks
passphrase=$(aws --region myregion kms decrypt --ciphertext-blob fileb://LuksInternalStorageKey --output text --query Plaintext | base64 --decode)

# Format the device with LUKS
echo "$passphrase" | sudo cryptsetup luksFormat /dev/nvme0n1

# Get the UUID
UUID=$(sudo cryptsetup luksUUID /dev/nvme0n1)

# Open the encrypted volume
echo "$passphrase" | sudo cryptsetup luksOpen UUID=${UUID} cassandra

# the passphrase is no longer needed
unset passphrase

# Do Filesystem stuff
yes | sudo mkfs.ext4 /dev/mapper/cassandra
sudo mkdir -p /data_e
sudo mount /dev/mapper/cassandra /data_e

lsblk shows my volume as encrypted.

lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
xvda        202:0    0    25G  0 disk  
└─xvda1     202:1    0    25G  0 part  /
nvme0n1     259:0    0 442.4G  0 disk  
└─cassandra 253:0    0 442.4G  0 crypt /data_e

blkid /dev/nvme0n1
/dev/nvme0n1: UUID="maid" TYPE="crypto_LUKS"

df -h /data_e
Filesystem             Size  Used Avail Use% Mounted on
/dev/mapper/cassandra  436G  118M  414G   1% /data_e

As shown above, /data_e is an encrypted volume.
I have created the directories /data_e/mydb/data/loadtest/ and my database created the files there with names mc-51-big-*.

I have the following questions:
1) From the above steps, am I doing it correctly?
2) Since the /data_e volume is encrypted, does that mean all my directories and files under /data_e are encrypted as well?
3) If I try to scp those files to my laptop, wouldn't it look for the key? (I tried it; it didn't ask for it.)
4) I also tried to copy those files to a different server where I don't have encryption and tried a restore. It worked fine. My expectation was that it should ask for the password, but it didn't ask for it.
5) Not sure what exactly it's encrypting if it lets me copy my files and restore them on a different server without asking for the key.
6) If for any reason in the future I want to roll back the encryption, what is the best practice for it?
7) If I lose my KMS key, is the volume unusable, or is there any way to retrieve it back?

Thanks
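
As an added example (not from the original post), the POSIX shell script below reads the on-disk magic numbers so you can see what each path actually exposes on the setup above: the raw device /dev/nvme0n1 starts with a LUKS header followed by ciphertext, while the opened mapping /dev/mapper/cassandra presents an ordinary ext4 filesystem in the clear, which is why scp and a restore on another server never ask for a key. The device paths are the ones from the post, reading them needs root, and the checks can also be exercised on constructed files.

```shell
#!/bin/sh
# Added example, not from the original post. Reads magic numbers directly
# from block devices (needs root) so you can see what each path exposes:
#   /dev/nvme0n1          -> LUKS header, then ciphertext
#   /dev/mapper/cassandra -> the ext4 filesystem in the clear
# Anything that goes through the mapping or the mount (scp, backups, the
# database itself) therefore sees plaintext; LUKS only protects the raw disk.
set -eu

# hex_at PATH OFFSET LENGTH: lowercase hex of LENGTH bytes at byte OFFSET.
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# LUKS (v1 and v2) headers start with the magic "LUKS\xba\xbe".
luks_magic_ok() {
    [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ]
}

# ext4 keeps its superblock at byte 1024; s_magic (0xEF53, little-endian)
# sits 56 bytes into it, i.e. bytes 1080-1081 read as "53 ef".
ext4_magic_ok() {
    [ "$(hex_at "$1" 1080 2)" = "53ef" ]
}

# classify_device PATH: prints luks-container | plain-ext4 | unknown
classify_device() {
    if luks_magic_ok "$1"; then
        echo luks-container
    elif ext4_magic_ok "$1"; then
        echo plain-ext4
    else
        echo unknown
    fi
}

# Usage (as root): sh luks_layers.sh /dev/nvme0n1 /dev/mapper/cassandra
# On the setup from the post the raw device reports luks-container and the
# mapping reports plain-ext4.
if [ "$#" -eq 2 ]; then
    for dev in "$1" "$2"; do
        printf '%s: %s\n' "$dev" "$(classify_device "$dev")"
    done
fi
```

Run it against a device before it is opened and you get only the LUKS header; that header is also what you must back up (cryptsetup luksHeaderBackup) and what becomes unrecoverable without the passphrase from KMS.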






_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt
