System Encryption and/or LVM


#1

RancherOS Support/Forum Members:

I wish to throw down the following, have ideas how already, and will be trying regardless if advised otherwise:

RancherOS->(LVM)->LUKS->bare metal, using cryptsetup->dm-crypt and maybe LVM.

Any advice before I start?

Looking forward to replies,
Matthew


#2

Hi,

Sorry not to have the answer.

I'm making the same feature request, for the following: Bare metal > LUKS > Btrfs > RancherOS

CoreOS does not support LUKS: https://github.com/coreos/bugs/issues/261
RancherOS does not support LUKS either: https://twitter.com/Rancher_Labs/status/634507078825025536

It seems that I will use classic GNU/Linux operating systems for my servers… :’(


#3

@HLFH RancherOS v0.4 should allow LUKS. Let me test that. We are currently in the process of releasing v0.4 so it’s not ready for prime time. The way we support these different storage options is through a “Bring Your Own Storage Userspace” paradigm. We don’t natively package any LVM or LUKS tools. This means you would create a docker image that mounts the LUKS device (and btrfs).

RancherOS runs two docker daemons: System Docker and User Docker. System Docker runs some core processes (like udev, dhcp, syslog) that are for the OS. User Docker is then what regular users use. The partition that runs System Docker will be hard to encrypt but shouldn’t have user data in it. The User Docker can be set up to run off of an encrypted block device.

@HLFH Once RancherOS v0.4 is out (expected to be the 26th) I’ll gladly work with you on figuring out some solution for LUKS. If it won’t work, we’ll fix it.


#4

Darren:

Thank you very much for the reply. I’m looking forward to trying v0.4.

Creating a docker image having LVM/LUKS was an approach I was going to take, and run it as a system-docker container during the installation process running rancheros in memory. I’m guessing this should be FROM scratch, or is there a rancheros system-docker image FROM which they can/should be generated? There didn’t appear to be anything on Docker Hub.

It would be best to do full system encryption as there could also be sensitive data there. This is really the goal and why LVM over LUKS seems the way to go.

Thank you for offering to work together on this. Please advise further if you think of anything else.

Looking forward to your reply,
Matthew


#5

I’m also interested in this feature and I’m available to help development :wink:


#6

Shakisha:

Thanks for your interest, participating in the forum, and offering to collaborate on dev.

I need to catch up on and install the latest version, note the process, and consider approaches.

Please share your thoughts further.

BTW... in what timezone are you? I'm in JST.

Matthew


#7

Is LUKS now supported by RancherOS?


#9

So the thing I keep running into with any secret/encryption/vault tech is the need to actually store all the keys and passwords and secrets to access the secrets in plain text right next to the thing that is supposed to be encrypted…

Vault - put keys in ENV, person with access to host has access to ENV, thus all secrets exposed - not secure
LUKS - server won’t start without key, put key in boot accessible area so can start, person has access to host, all secrets exposed - not secure

I am assuming there must be a way to block everything from working until key has been entered, however this makes it difficult to provide the key when you are located in Australia and the system in a datacentre in America with no ipmi/kvm…

Hopefully someone puts up a recipe that achieves the following:

  1. Physical access to host, no secrets exposed unless key/secret is known
  2. System boots into ssh able state so key can be provided to continue boot/startup
  • key/secret needs to be scrubbed from memory or otherwise unavailable from physical host access
  • logging into console at physical host should not grant access to running system's encrypted content, i.e. should have to provide key/secret again to access anything (is this even possible?)
  • Sacrificing availability in the event of system failure for actual secure data is wanted - mitigate this with proper High Availability strategies

It really does seem like RancherOS is perfect for this since there is the whole System Docker AND Docker. System Docker starts enough system containers to get to an SSH-accessible system, then manual intervention to unlock the encrypted storage and continue startup of Docker.

Looking forward to figuring this out :smiley:


#10

Now it is fully implemented and tested in production in my fork https://github.com/tetatetit/os


#11

I was wondering if disk encryption is supported by RancherOS now. I came across this PR on GitHub https://github.com/rancher/os/pull/2545 and it looks to be adding support for LVM and LUKS but I can’t get it working following the instructions in the PR.