
Encrypting with LUKS

Is it possible to encrypt a QuantaStor Volume at the OS level with LUKS (or some other tool)?

August 26, 2014 | Registered Commenter Brad DesAulniers

Yes, we've just added support for LUKS encryption in the upcoming version v3.13. It does require running some commands at the command line but we plan to make it all configurable via the web interface in a follow-on release. In version v3.13 there are a series of new commands added to the qs-util utility. They are as follows:

Device Encryption Commands
qs-util cryptformat <device> [keyfile] : Encrypts the specified device using LUKS format, generates key if needed.
qs-util cryptopen <device> : Opens the specified LUKS encrypted device.
qs-util cryptclose <device> : Closes the specified LUKS encrypted device.
qs-util cryptdestroy <device> : Closes the LUKS device and deletes the keys and header backups.
qs-util cryptswap <device> : Enables swap device encryption, updates /etc/fstab and /etc/crypttab.

For the most part you're only going to need to use the cryptformat and the cryptswap commands. To change your swap device over to an encrypted swap device you just type:

qs-util cryptswap

To turn some of your unused disk devices (sdc, sdd, sde) into encrypted devices you'll run commands like this:
qs-util cryptformat /dev/sdc
qs-util cryptformat /dev/sdd
qs-util cryptformat /dev/sde

Next you'll need to use the 'Scan for Disks...' option in the Physical Disks section of the web user interface for the new dm-name-enc-scsi-* devices to appear. You can then create new Storage Pools from these devices. The above noted scripts will place your key files in /etc/cryptconf/keys and header backups in /etc/cryptconf/headers, and they automatically set up the /etc/crypttab file for you. If you want to get the keys off of the boot/system drive you can do that to your liking.

You don't have to use the crypttab file; you can use any script or other process you'd like to open the encrypted devices at boot time, such as pulling the keys from a network key service, pulling them from a network share, running something special in rc.local, etc. We only provide the basic setup, so if you need something more complex you can do that, but be sure to test your changes thoroughly and reboot the box a couple of times to make sure any custom changes you make are all in good order. (And don't forget to make offline backups of your keys and headers too! :-) )
Best,
-Steve

September 11, 2014 | Registered Commenter Steve

One other note here, you cannot take a device that has data on it and then convert it to using encryption. You can only do the 'qs-util cryptformat' on unused disk devices. If you run it on a disk with data it will overwrite the first couple of megabytes of the disk which will corrupt whatever filesystem is on there. So be sure to only do a cryptformat on unused devices.
Best,
-Steve

September 11, 2014 | Registered Commenter Steve
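Steve's two posts above name where qs-util cryptformat leaves the key files and header backups, and warn that cryptformat overwrites the first megabytes of whatever device it is given. The script below is an added example written for this page; it is not OSNEXUS code and not part of qs-util. It does two things a defender wants before and after that procedure: `probe` looks at a device for existing on-disk signatures (LUKS, GPT, ext2/3/4, XFS) so an in-use disk is not handed to cryptformat by mistake, and `verify` walks /etc/crypttab and confirms that each source device still carries a LUKS header, that its key file is mode 400 or 600, and that a header backup exists under /etc/cryptconf/headers. The paths are the ones the posts name; the assumption that a header backup's file name contains the crypttab target name, and the use of GNU stat, are the example's own.

```shell
#!/bin/sh
# Added example (not OSNEXUS/qs-util code): sanity checks around the LUKS
# workflow described in the thread.  Two jobs:
#   probe DEVICE...  - look for on-disk signatures before cryptformat, since
#                      cryptformat overwrites the start of the device
#   verify           - walk crypttab and confirm each entry has a LUKS header,
#                      a locked-down key file and a header backup
# Paths follow the posts above and can be overridden for testing.
CRYPTTAB="${CRYPTTAB:-/etc/crypttab}"
HDRDIR="${HDRDIR:-/etc/cryptconf/headers}"

# hex_at FILE OFFSET LEN: bytes at OFFSET as lowercase hex (empty if too short).
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# LUKS (v1 and v2) starts with the magic "LUKS" 0xba 0xbe at offset 0.
is_luks() {
    [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ]
}

# Print the name of a known signature on FILE, or fail if none is found.
# Checked: LUKS, XFS ("XFSB" at 0), GPT ("EFI PART" at 512), ext2/3/4
# (0x53 0xef at 1080).  A device carrying any of these is not "unused".
device_signature() {
    if is_luks "$1"; then echo LUKS; return 0; fi
    [ "$(hex_at "$1" 0 4)" = "58465342" ] && { echo XFS; return 0; }
    [ "$(hex_at "$1" 512 8)" = "4546492050415254" ] && { echo GPT; return 0; }
    [ "$(hex_at "$1" 1080 2)" = "53ef" ] && { echo ext; return 0; }
    return 1
}

# A key file must exist and be unreadable by group/others (mode 400 or 600).
# Uses GNU stat (assumption: GNU coreutils on the QuantaStor box).
check_keyfile() {
    [ -f "$1" ] || { echo "missing key file $1"; return 1; }
    perms=$(stat -c '%a' "$1" 2>/dev/null)
    case "$perms" in
        400|600) return 0 ;;
        *) echo "key file $1 has mode '$perms' (expected 400 or 600)"; return 1 ;;
    esac
}

# Check every crypttab entry (<target> <source> <keyfile> <options>).
# Returns the number of entries that have at least one problem.
verify_crypttab() {
    [ -r "$CRYPTTAB" ] || { echo "cannot read $CRYPTTAB"; return 1; }
    bad=0
    while read -r target source keyfile options; do
        case "$target" in ''|\#*) continue ;; esac   # skip blanks and comments
        ok=1
        if [ ! -r "$source" ]; then
            echo "$target: $source not readable, header check skipped"
        elif ! is_luks "$source"; then
            echo "$target: $source has no LUKS header"; ok=0
        fi
        if [ "$keyfile" != none ]; then
            check_keyfile "$keyfile" || ok=0
        fi
        # Assumption: the header backup file name contains the target name.
        if ! ls "$HDRDIR" 2>/dev/null | grep -qF "$target"; then
            echo "$target: no header backup found under $HDRDIR"; ok=0
        fi
        [ "$ok" -eq 1 ] || bad=$((bad + 1))
    done < "$CRYPTTAB"
    echo "$bad crypttab entries with problems in $CRYPTTAB"
    return "$bad"
}

case "${1:-}" in
    verify) verify_crypttab ;;
    probe)  shift
            for dev in "$@"; do
                if sig=$(device_signature "$dev"); then
                    echo "$dev: $sig signature present, do not cryptformat"
                else
                    echo "$dev: no known signature found"
                fi
            done ;;
    *)      echo "usage: $0 verify | probe DEVICE..." ;;
esac
```

Run it as root: `sh luks-check.sh probe /dev/sdc` before a cryptformat, and `sh luks-check.sh verify` once the pools are built and after every reboot that follows a change to crypttab or the key location. The header test reads the raw magic bytes so it works without cryptsetup; where cryptsetup is installed, `cryptsetup isLuks DEVICE` answers the same question. A key file that is world-readable defeats the point of encrypting the disks, so the mode check is the one to act on first.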

Hi Brad, we now have documentation for the new software encryption support available on our Wiki pages here.

September 15, 2014 | Registered Commenter Steve

Hi Steve, is this encryption capability available with QS under SoftLayer?

January 21, 2015 | Unregistered Commenter RB

Hello RB,

Yes, this feature is available with the Cloud Edition licenses at SoftLayer.

For more information on how you can use the Software Encryption feature in the SoftLayer environment, please reach out to the SoftLayer team via your SoftLayer account at http://control.softlayer.com

Thank You,
Chris Golden
OSNEXUS support.

January 21, 2015 | Registered Commenter Chris Golden

Question: after enabling the encryption on a drive, is there a way to list which cipher and key size have been used to encrypt the drive? I cannot find anything about this on your wiki...
FYI - I did follow your procedure/howto at: http://wiki.osnexus.com/index.php?title=QuantaStor_Administrators_Guide#Software_Encryption

Example with cryptsetup on another server:
cryptsetup -v status /dev/mapper/encrypted-vg--data-ephemeral0
/dev/mapper/encrypted-vg--data-ephemeral0 is active and is in use.
type: LUKS1
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/mapper/vg--data-ephemeral0
offset: 4096 sectors
size: 4648960 sectors
mode: read/write
Command successful.

Trying to do the same with my QuantaStor server at SoftLayer...

root@QuantaStor-1:~# cryptsetup -v status /dev/disk/by-id/dm-name-enc-scsi-3600605b00acb66501e325c32444c47e0
/dev/disk/by-id/dm-name-enc-scsi-3600605b00acb66501e325c32444c47e0 is active and is in use.
Device /dev/sdb is not a valid LUKS device.
Command successful.

February 15, 2016 | Registered Commenter Marc Jutras

Hello Marc,

The default cipher and keysize on current QuantaStor releases is below:

cipher: aes-cbc-essiv:sha256
keysize: 256 bits

'cryptsetup -v status DISKNAME' is the correct command to query for the encrypted disks status.

Can you provide detail on what QuantaStor release you are running with the 'qs -v' command as well as the output from the 'cryptsetup --version' command?

Thank You,
Chris Golden
OSNEXUS Support.

February 15, 2016 | Registered Commenter Chris Golden

For DISKNAME, do you mean enc-scsi-3600605b00acb66501e325c5a4707a565 or sdb? I tried both and got nothing better...

root@QuantaStor-1:~# qs -v

OSNEXUS QuantaStor CLI 3.16.5.9489
Copyright (c) 2009-2015 OSNEXUS Corporation. All rights reserved.

root@QuantaStor-1:~# cryptsetup -v status sdd
/dev/mapper/sdb is inactive.
Command failed with code 19: No such device

root@QuantaStor-1:~# ls /dev/mapper/
control enc-scsi-3600605b00acb66501e325c5a4707a565 enc-scsi-3600605b00acb66501e325c864a043187 enc-scsi-3600605b00acb66501e325cc44e0abb83
enc-scsi-3600605b00acb66501e325c32444c47e0 enc-scsi-3600605b00acb66501e325c6747f68952 enc-scsi-3600605b00acb66501e325c9b4b9a71af enc-scsi-3600605b00acb66501e325cd14ecce603
enc-scsi-3600605b00acb66501e325c4e4618f589 enc-scsi-3600605b00acb66501e325c7c4933dcf7 enc-scsi-3600605b00acb66501e325cb94d657c45 enc-scsi-3600605b00acb66501e325ce65047af36

root@QuantaStor-1:~# cryptsetup -v status enc-scsi-3600605b00acb66501e325c5a4707a565
/dev/mapper/enc-scsi-3600605b00acb66501e325c5a4707a565 is active and is in use.
Device /dev/sdd is not a valid LUKS device.
Command successful.

root@QuantaStor-1:~# cryptsetup --version
cryptsetup 1.4.1
Thanks !

February 15, 2016 | Registered Commenter Marc Jutras

Hello Marc,

Have there been any changes to the hardware configuration on your deployment that may have changed the disk ID's?

Are you sure the disk device is formatted as a LUKS device and is decrypted?

cryptsetup -v luksDump /dev/sdd
qs-util cryptopen /dev/sdd
Thank You,
Chris Golden
OSNEXUS Support

February 15, 2016 | Registered Commenter Chris Golden

Hi Chris,

No changes on the hardware that I'm aware of... no tck from SoftLayer about this either...

Here is what I did to enable LUKS...

qs-util devicemap (lists all devices)
qs-util cryptformat /dev/sdb
qs-util cryptformat /dev/sdc
qs-util cryptformat /dev/sdd
qs-util cryptformat /dev/sde
qs-util cryptformat /dev/sdf
qs-util cryptformat /dev/sdg
qs-util cryptformat /dev/sdh
qs-util cryptformat /dev/sdi
qs-util cryptformat /dev/sdj
qs-util cryptformat /dev/sdk
qs-util cryptformat /dev/sdl

That generates the config for crypttab, keys, etc...

root@QuantaStor-1:~# cat /etc/crypttab
# <target name> <source device> <key file> <options>
enc-scsi-3600605b00acb66501e325c32444c47e0 /dev/disk/by-id/scsi-3600605b00acb66501e325c32444c47e0 /etc/cryptconf/keys/enc-scsi-3600605b00acb66501e325c32444c47e0.key luks
enc-scsi-3600605b00acb66501e325c4e4618f589 /dev/disk/by-id/scsi-3600605b00acb66501e325c4e4618f589 /etc/cryptconf/keys/enc-scsi-3600605b00acb66501e325c4e4618f589.key luks
enc-scsi-3600605b00acb66501e325c5a4707a565 /dev/disk/by-id/scsi-3600605b00acb66501e325c5a4707a565 /etc/cryptconf/keys/enc-scsi-3600605b00acb66501e325c5a4707a565.key luks
enc-scsi-3600605b00acb66501e325c6747f68952 /dev/disk/by-id/scsi-3600605b00acb66501e325c6747f68952 /etc/cryptconf/keys/enc-scsi-3600605b00acb66501e325c6747f68952.key luks
enc-scsi-3600605b00acb66501e325c7c4933dcf7 /dev/disk/by-id/scsi-3600605b00acb66501e325c7c4933dcf7 /etc/cryptconf/keys/enc-scsi-3600605b00acb66501e325c7c4933dcf7.key luks
enc-scsi-3600605b00acb66501e325c864a043187 /dev/disk/by-id/scsi-3600605b00acb66501e325c864a043187 /etc/cryptconf/keys/enc-scsi-3600605b00acb66501e325c864a043187.key luks
enc-scsi-3600605b00acb66501e325c9b4b9a71af /dev/disk/by-id/scsi-3600605b00acb66501e325c9b4b9a71af /etc/cryptconf/keys/enc-scsi-3600605b00acb66501e325c9b4b9a71af.key luks
enc-scsi-3600605b00acb66501e325cb94d657c45 /dev/disk/by-id/scsi-3600605b00acb66501e325cb94d657c45 /etc/cryptconf/keys/enc-scsi-3600605b00acb66501e325cb94d657c45.key luks
enc-scsi-3600605b00acb66501e325cc44e0abb83 /dev/disk/by-id/scsi-3600605b00acb66501e325cc44e0abb83 /etc/cryptconf/keys/enc-scsi-3600605b00acb66501e325cc44e0abb83.key luks
enc-scsi-3600605b00acb66501e325cd14ecce603 /dev/disk/by-id/scsi-3600605b00acb66501e325cd14ecce603 /etc/cryptconf/keys/enc-scsi-3600605b00acb66501e325cd14ecce603.key luks
enc-scsi-3600605b00acb66501e325ce65047af36 /dev/disk/by-id/scsi-3600605b00acb66501e325ce65047af36 /etc/cryptconf/keys/enc-scsi-3600605b00acb66501e325ce65047af36.key luks

Then I went back to the web interface and did a drive scan... all drives are now showing as enc-scsi-*
I created 2 new Storage Pools: one with fast drives (SSD drives: sdb to sdf) and another one with slow drives (7.2k RPM SAS drives sdg to sdl), and formatted both in ZFS with compression enabled...
VMs are already working on it via iSCSI and NFS (connected to CloudStack / XenServer)

Everything is up, each drive is reported as encrypted in the web interface, I just don't know why I can't get that info via the cryptsetup command... or maybe I can't because it's already in use or formatted with ZFS + compression?? ...

So... at that point, I'm clueless! :)
- -
root@QuantaStor-1:~# cryptsetup -v luksDump /dev/sdd
Device /dev/sdd is not a valid LUKS device.
Command failed with code 22: Device /dev/sdd is not a valid LUKS device.

root@QuantaStor-1:~# qs-util cryptopen /dev/sdd
INFO: /dev/sdd == /dev/disk/by-id/scsi-3600605b00acb66501e325c5a4707a565
INFO: No keyfile path specified, using default path '/etc/cryptconf/keys/enc-scsi-3600605b00acb66501e325c5a4707a565.key'.
INFO: Encrypted device '/dev/disk/by-id/dm-name-enc-scsi-3600605b00acb66501e325c5a4707a565' already exists, LUKS device already opened.

root@QuantaStor-1:~# cryptsetup -v status /dev/disk/by-id/dm-name-enc-scsi-3600605b00acb66501e325c5a4707a565
/dev/disk/by-id/dm-name-enc-scsi-3600605b00acb66501e325c5a4707a565 is active and is in use.
Device /dev/sdd is not a valid LUKS device.
Command successful.

February 15, 2016 | Registered Commenter Marc Jutras

Hello Marc,

Thank you for the detail.

It sounds like the devices are showing as having no LUKS formatting from your command outputs.

As this is not a community edition, can you please contact our support team at support@osnexus.com for direct assistance?

Thank You,
Chris Golden
OSNEXUS Support

February 15, 2016 | Registered Commenter Chris Golden

Thanks for your help, I will contact the support team...

Regards,

February 15, 2016 | Registered Commenter Marc Jutras