
Re: Secure data


Hi Jon,

I was trying LUKS encryption following the doc https://aws.amazon.com/blogs/security/how-to-protect-data-at-rest-with-amazon-ec2-instance-store-encryption/ on an EC2 i3.large machine.
I don't see the disk mounted, and I see the mapper being at 100%. Do you see anything wrong with the statements below?
I see this error in /var/log/messages:
 ERROR [instanceID=i-0de508d7fc188ab20] [MessagingDeliveryService] [Association] Unable to load instance associations, unable to retrieve associations unable to retrieve associations NoCredentialProviders: no valid providers in chain. Deprecated

df -h /dev/mapper/
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        7.5G  7.5G     0 100% /dev

#!/bin/bash

## Initial setup to be executed on boot
##====================================

# Create an empty file. This file will be used to host the file system.
# In this example we create a 2 GB file called secretfs (Secret File System).
dd of=secretfs bs=1G count=0 seek=2
# Lock down normal access to the file.
chmod 600 secretfs
# Associate a loopback device with the file (the doc uses /dev/loop0;
# /dev/nvme0 is the NVMe controller's character device, not a loop device).
losetup /dev/loop0 secretfs
# The encrypted password file (LuksInternalStorageKey) must already have been
# copied from S3 at this point. The password is used to configure LUKS later on.
# Decrypt the password from the file with KMS, save the secret password in LuksClearTextKey.
LuksClearTextKey=$(aws --region us-east-1 kms decrypt --ciphertext-blob fileb://LuksInternalStorageKey --output text --query Plaintext | base64 --decode)
# Encrypt storage in the device. cryptsetup will use the Linux
# device mapper to create, in this case, /dev/mapper/secretfs.
# Initialize the volume and set an initial key.
echo "$LuksClearTextKey" | cryptsetup -y luksFormat /dev/loop0
# Open the partition, and create a mapping to /dev/mapper/secretfs.
echo "$LuksClearTextKey" | cryptsetup luksOpen /dev/loop0 secretfs
# Clear the LuksClearTextKey variable because we don't need it anymore.
unset LuksClearTextKey
# Check its status (optional).
cryptsetup status secretfs
# Zero out the new encrypted device.
dd if=/dev/zero of=/dev/mapper/secretfs
# Create a file system and verify its status.
mke2fs -j -O dir_index /dev/mapper/secretfs
# List file system configuration (optional).
tune2fs -l /dev/mapper/secretfs
# Mount the new file system to /data_e/secretfs.
sudo mkdir -p /data_e/secretfs
sudo mount /dev/mapper/secretfs /data_e/secretfs


On Aug 1, 2018, at 3:38 PM, Jonathan Haddad <jon@xxxxxxxxxxxxx> wrote:

You can also get full disk encryption with LUKS, which I've used before.

On Wed, Aug 1, 2018 at 12:36 PM Jeff Jirsa <jjirsa@xxxxxxxxx> wrote:
EBS encryption worked well on gp2 volumes (never tried it on any others)

-- 
Jeff Jirsa


On Aug 1, 2018, at 7:57 AM, Rahul Reddy <rahulreddy1234@xxxxxxxxx> wrote:

Hello,

Has anyone tried AWS EC2 volume encryption for Cassandra instances?

On Tue, Jul 31, 2018, 12:25 PM Rahul Reddy <rahulreddy1234@xxxxxxxxx> wrote:
Hello,

I'm trying to find a good document on how to enable encryption for Apache Cassandra (not DSE) tables and commitlogs and store the keystore in KMS or Vault. If any of you have already configured it, please direct me to the documentation for it.


--
Jon Haddad
http://www.rustyrazorblade.com
twitter: rustyrazorblade
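As an added example (editor's code, not from this thread and not from the AWS blog post the script follows), here is a fail-closed version of the same boot sequence. It keeps the posted file names, mapper name, mount point and region; the helper names and the "apply" argument are assumptions of this example. Three checks matter for the symptoms described in the message above: the device handed to cryptsetup must be a block device (a loop device picked by losetup, never the NVMe controller node), the KMS decrypt result must contain something before it is used as a passphrase (an instance with no IAM role, which is the condition a NoCredentialProviders error points at, yields nothing from aws kms decrypt), and the mount is verified by reading the mount table for the mount point rather than running df on the /dev/mapper directory, which only reports the devtmpfs that holds /dev. It also runs luksFormat only on a device that has no LUKS header yet, so a later boot reopens the volume instead of wiping it.

```shell
#!/bin/bash
# Added example, not code from the thread or from the AWS blog post it follows:
# a fail-closed version of the instance-store LUKS boot sequence. File names,
# mapper name, mount point and region come from the posted script; the helper
# names and the "apply" argument are assumptions of this example.
set -eu

KEY_BLOB=${KEY_BLOB:-LuksInternalStorageKey}   # KMS-encrypted passphrase, already copied from S3
BACKING_FILE=${BACKING_FILE:-secretfs}         # sparse file that backs the loop device
MAPPER_NAME=${MAPPER_NAME:-secretfs}           # becomes /dev/mapper/secretfs
MOUNT_POINT=${MOUNT_POINT:-/data_e/secretfs}
REGION=${REGION:-us-east-1}

die() { printf 'secretfs: %s\n' "$*" >&2; exit 1; }

# Succeeds only if the argument contains at least one non-whitespace character.
# An empty result from "aws kms decrypt" (for example when the instance has no
# IAM role, the condition behind a NoCredentialProviders error) must never be
# passed on as the LUKS passphrase.
validate_key() {
    [ -n "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# Reads a mount table in the format of /proc/self/mounts from stdin and
# succeeds if something is mounted exactly at $1. Free of side effects so it
# can be checked against a constructed table.
mounted_at() {
    target=$1
    while read -r _src tgt _rest; do
        [ "$tgt" = "$target" ] && return 0
    done
    return 1
}

decrypt_key() {
    # Assignment rather than a pipeline, so a failing aws call aborts under set -e.
    b64=$(aws --region "$REGION" kms decrypt --ciphertext-blob "fileb://$KEY_BLOB" \
              --output text --query Plaintext)
    printf '%s' "$b64" | base64 --decode
}

main() {
    [ -f "$KEY_BLOB" ] || die "$KEY_BLOB not found; copy it from S3 first"
    if [ ! -f "$BACKING_FILE" ]; then
        # Sparse 2 GB file, the same size as in the posted script.
        dd of="$BACKING_FILE" bs=1G count=0 seek=2 status=none
        chmod 600 "$BACKING_FILE"
    fi

    # Let losetup pick a free loop device instead of hard-coding one. The result
    # must be a block device; /dev/nvme0 is the NVMe controller's character
    # device and cannot back a LUKS volume.
    dev=$(losetup --find --show "$BACKING_FILE")
    [ -b "$dev" ] || die "$dev is not a block device"

    key=$(decrypt_key)
    validate_key "$key" || die "KMS returned an empty passphrase; check the instance role"

    # Format only a device that has no LUKS header yet. Running luksFormat on
    # every boot would destroy whatever the volume held before the reboot.
    if ! cryptsetup isLuks "$dev"; then
        printf '%s\n' "$key" | cryptsetup -q luksFormat "$dev"
        printf '%s\n' "$key" | cryptsetup luksOpen "$dev" "$MAPPER_NAME"
        mke2fs -q -j -O dir_index "/dev/mapper/$MAPPER_NAME"
    else
        printf '%s\n' "$key" | cryptsetup luksOpen "$dev" "$MAPPER_NAME"
    fi
    unset key

    mkdir -p "$MOUNT_POINT"
    mount "/dev/mapper/$MAPPER_NAME" "$MOUNT_POINT"
    # Verify the mount point itself; "df /dev/mapper/" only reports the
    # devtmpfs that holds the /dev directory.
    mounted_at "$MOUNT_POINT" < /proc/self/mounts || die "$MOUNT_POINT is not mounted"
    df -h "$MOUNT_POINT"
}

# Run the sequence only when invoked as "./secretfs-boot.sh apply" (as root);
# without the argument the file only defines the functions.
if [ "${1:-}" = apply ]; then
    main
fi
```

Invoke it as root with the single argument apply. The mounted_at and validate_key helpers take no action on the system, which is why the boot logic is built on them: they can be exercised against a constructed mount table or an empty string before the script ever touches a device.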


