This repository has been archived by the owner on Jul 30, 2024. It is now read-only.

Encrypt all data at rest #150

Closed
rmkraus opened this issue Jul 2, 2021 · 2 comments
Assignees
Labels
customer-request enhancement New feature or request

Comments

@rmkraus
Member

rmkraus commented Jul 2, 2021

Drive encryption on OCP:

You can encrypt root disks with TPM modules using LUKS and your choice of cipher (so easy to hit FIPS 140-X compliance). The MachineConfig looks like this:
https://docs.openshift.com/container-platform/4.7/installing/install_config/installing-customizing.html#installation-special-config-encrypt-disk-tpm2_installing-customizing

There is little to no documentation around doing it in Ignition, but it can be done. Presumably this will be exposed via install-config.yaml at some point, but it's not yet. This is important because using TPM to encrypt root disks on masters means you get free etcd encryption (it's like a 2-3% overhead on the disks, barely noticeable). Free etcd encryption means that keeping encryption keys for other things in etcd works - so you can use regular Secrets.

https://access.redhat.com/documentation/en-us/red_hat_openshift_container_storage/4.7/html-single/deploying_openshift_container_storage_using_bare_metal_infrastructure/index#creating-openshift-container-storage-cluster-on-bare-metal_rhocs

Here's how to set up encryption for OCS. I would personally recommend cluster-wide encryption, as this encrypts the block device from the Local Storage Operator entirely, and then lays the bluestore on top of that encrypted volume. You don't need to use an external key management service if etcd is encrypted via TPM-backed root disk encryption on masters.

Two things to note about this setup:

  1. If you wipe or lose OpenShift, you lose the LUKS keys to your Ceph volumes. If the data has a chance of being more important to the workload/application than the cluster itself, then you should ensure you have a good, safe, etcd backup - or at least that you export those LUKS secrets and keep them somewhere safe.

  2. If you don't use TPM-backed encryption, but do use LUKS on the root disks, you will require an external security key (can just be a flash drive) or a password to reboot.

@rmkraus rmkraus added enhancement New feature or request customer-request labels Jul 2, 2021
@rmkraus rmkraus self-assigned this Jul 9, 2021
rmkraus added a commit that referenced this issue Jul 9, 2021
1) Added templates to openshift-installer role to encrypt all disks by
   default. Even the container cache disks. This encryption will use the
   node's TPM 2.0 module and require that it be enabled on all clusters.
   This is not an optional setting.
2) Updated the options for the ODF cluster to enable cluster wide
   encryption. The encryption key is stored in the etcd database.
   Because the OS disks are encrypted, this means that the Ceph
   encryption key will also be encrypted at rest.

This works towards #150
@rmkraus
Member Author

rmkraus commented Jul 10, 2021

Installing a tang server

  1. dnf install tang
  2. replace port in /usr/lib/systemd/system/tangd.socket, using 8082
  3. semanage port -a -t tangd_port_t -p tcp 8082
  4. systemctl enable tangd.socket --now
  5. firewall-cmd --zone=internal --add-port=8082/tcp --permanent
  6. create thumbprint:
     echo nifty random wordwords \
       | clevis-encrypt-tang \
         '{"url":"http://192.168.8.1:8082"}'
  7. put thumbprint in encryption config.
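The "thumbprint" produced in step 6 and consumed in step 7 above, and the Ignition LUKS configuration the first comment says is undocumented, as an added example that is not part of the issue, its commits, or the project's own code. It computes the RFC 7638 JWK thumbprint of a Tang server's advertised signing key, checks a pinned thumbprint against the advertisement the way `clevis encrypt tang` does when `thp` is set (so a substituted server is rejected rather than silently trusted), and emits an Ignition 3.2.0 `storage.luks` stanza carrying that pin, with a `tpm2` variant for the MachineConfig style linked from the first comment. Assumptions: the advertisement and its key coordinates are constructed placeholders, not a real Tang server's keys; JWS signature verification is left out (jose/clevis perform it); the Ignition field names are taken from the 3.2.0 spec and the `root` device/`luks-root` label from the OpenShift 4.7 docs linked above, and should be checked against your release; `pinned_config`, `tang_clevis`, `tpm2_clevis` and the other function names are this example's own.

```python
# Added example: not from the issue, the commits or the project it describes.
# It shows what the "thumbprint" in the Tang steps is (the RFC 7638 JWK
# thumbprint of the Tang server's signing key), how a pinned thumbprint is
# checked against the advertisement, and how that thumbprint ends up in an
# Ignition 3.2.0 `storage.luks` stanza. The advertisement and key values
# below are constructed placeholders, not a real Tang server's keys.
import base64
import hashlib
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# RFC 7638: hash only the required public members, sorted, no whitespace.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def canonical_jwk(jwk: dict) -> bytes:
    subset = {m: jwk[m] for m in REQUIRED_MEMBERS[jwk["kty"]]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def thumbprint(jwk: dict, algorithm: str = "sha256") -> str:
    # Current clevis prints SHA-256 (S256) thumbprints; older releases used
    # SHA-1 (S1), so the algorithm is a parameter rather than hard-coded.
    return b64url_encode(hashlib.new(algorithm, canonical_jwk(jwk)).digest())


def build_advertisement(keys: list) -> dict:
    # A Tang /adv response is a JWS: base64url payload {"keys": [...]} plus a
    # protected header and signature. The signature here is a placeholder;
    # verifying it with the pinned key is jose/clevis's job, not shown here.
    payload = json.dumps({"keys": keys}).encode()
    return {"payload": b64url_encode(payload),
            "protected": b64url_encode(b'{"alg":"ES512"}'),
            "signature": "PLACEHOLDER"}


def advertised_keys(adv: dict) -> list:
    return json.loads(b64url_decode(adv["payload"]))["keys"]


def pinned_signing_key(adv: dict, thp: str):
    """Return the advertised signing key (key_ops contains "verify") whose
    thumbprint equals the pinned `thp`, or None. This is the trust decision
    `clevis encrypt tang` makes when `thp` is set: a substituted server
    advertises a different signing key and is rejected instead of trusted."""
    for key in advertised_keys(adv):
        if "verify" not in key.get("key_ops", []):
            continue  # exchange keys (deriveKey) are never the pin target
        if thp in (thumbprint(key, "sha256"), thumbprint(key, "sha1")):
            return key
    return None


def tang_clevis(url: str, thp: str) -> dict:
    return {"tang": [{"url": url, "thumbprint": thp}]}


def tpm2_clevis() -> dict:
    return {"tpm2": True}


def ignition_luks_stanza(clevis: dict, device: str = "/dev/disk/by-partlabel/root") -> dict:
    # Field names follow the Ignition 3.2.0 storage.luks schema (the Ignition
    # version OpenShift 4.7 consumes); device and label follow the root-disk
    # encryption docs linked in the issue. Check both against your release.
    return {
        "ignition": {"version": "3.2.0"},
        "storage": {"luks": [{
            "name": "root",
            "device": device,
            "label": "luks-root",
            "clevis": clevis,
            "wipeVolume": True,
        }]},
    }


# Constructed sample: one signing key and one exchange key, P-521 like Tang's
# defaults, but x/y are placeholders rather than real curve points.
SIGNING_KEY = {"alg": "ES512", "crv": "P-521", "key_ops": ["verify"],
               "kty": "EC", "x": "AQID", "y": "BAUG"}
EXCHANGE_KEY = {"alg": "ECMR", "crv": "P-521", "key_ops": ["deriveKey"],
                "kty": "EC", "x": "BwgJ", "y": "CgsM"}
ADVERTISEMENT = build_advertisement([SIGNING_KEY, EXCHANGE_KEY])
TANG_URL = "http://192.168.8.1:8082"  # the address used in the issue's steps


def pinned_config(adv: dict, thp: str, url: str = TANG_URL) -> dict:
    """Refuse to emit a config unless the pin matches the advertisement."""
    if pinned_signing_key(adv, thp) is None:
        raise ValueError("no advertised signing key matches pinned thumbprint")
    return ignition_luks_stanza(tang_clevis(url, thp))


if __name__ == "__main__":
    # Out of band, the operator records the thumbprint shown on the Tang host
    # (jose jwk thp, or the prompt from clevis-encrypt-tang) and pins it.
    pin = thumbprint(SIGNING_KEY)
    print(json.dumps(pinned_config(ADVERTISEMENT, pin), indent=2))
```

The point of the pin is that it is recorded out of band, on the Tang host itself, and compared against what the node fetches over plain HTTP at boot; without it the interactive prompt from `clevis-encrypt-tang` is the only check, and nothing checks at all on an automated install. Three practical caveats on the steps above: `firewall-cmd --permanent` does not change the running firewall until `firewall-cmd --reload` (or the same rule is added without `--permanent`); editing the unit under `/usr/lib/systemd/system` is overwritten by the next package update, so a drop-in under `/etc/systemd/system/tangd.socket.d/` is the durable way to change the port; and a Tang-bound root volume needs networking in the initramfs to unlock, which the OpenShift Tang docs provide with the `rd.neednet=1` kernel argument in the MachineConfig.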

rmkraus added a commit that referenced this issue Jul 11, 2021
TPM encryption cipher support can be very hardware dependent and require
very particular BIOS configurations. Additionally, for edge equipment,
it is not a particularly safe option either.

Tang encryption will be used so all the keys can be stored on the
bastion and the installer reliably install encryption on the nodes.

This works toward #150
rmkraus added a commit that referenced this issue Jul 11, 2021
* Added disk encryption by default.

1) Added templates to openshift-installer role to encrypt all disks by
   default. Even the container cache disks. This encryption will use the
   node's TPM 2.0 module and require that it be enabled on all clusters.
   This is not an optional setting.
2) Updated the options for the ODF cluster to enable cluster wide
   encryption. The encryption key is stored in the etcd database.
   Because the OS disks are encrypted, this means that the Ceph
   encryption key will also be encrypted at rest.

This works towards #150

* Changed encryption style to tang instead of tpm.

TPM encryption cipher support can be very hardware dependent and require
very particular BIOS configurations. Additionally, for edge equipment,
it is not a particularly safe option either.

Tang encryption will be used so all the keys can be stored on the
bastion and the installer reliably install encryption on the nodes.

This works toward #150
@rmkraus
Member Author

rmkraus commented Jul 12, 2021

released in 4.7.2

@rmkraus rmkraus closed this as completed Jul 12, 2021