Experiment with Linux Unified Key Setup (LUKS), a specification for block device encryption. Here we encrypt a logical volume and then create an XFS filesystem on it to serve GlusterFS bricks.
Create block devices you want to encrypt:
[root@localhost ~]# pvcreate --dataalignment 2560k /dev/vdb
Physical volume "/dev/vdb" successfully created
[root@localhost ~]# vgcreate RHS_vg1 /dev/vdb
Volume group "RHS_vg1" successfully created
[root@localhost ~]# lvcreate -l 100%FREE -n RHS_lv1 RHS_vg1
Logical volume "RHS_lv1" created
Format the device as a dm-crypt/LUKS encrypted device
[root@localhost ~]# cryptsetup luksFormat /dev/mapper/RHS_vg1-RHS_lv1
WARNING!
========
This will overwrite data on /dev/mapper/RHS_vg1-RHS_lv1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
[root@localhost ~]#
[root@localhost ~]# cryptsetup isLuks /dev/mapper/RHS_vg1-RHS_lv1 && echo success
success
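To see a summary of the encryption information for the device (the output below reflects the defaults of the cryptsetup version used here: LUKS1 with aes-cbc-essiv:sha256 and SHA-1 as the hash spec; newer cryptsetup releases default to aes-xts-plain64 and SHA-256, so check these fields on your own system):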
[root@localhost ~]# cryptsetup luksDump /dev/mapper/RHS_vg1-RHS_lv1
LUKS header information for /dev/mapper/RHS_vg1-RHS_lv1
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 4096
MK bits: 256
MK digest: 37 41 be c4 72 8f 57 a4 35 0d 4b 97 7d de 8e 86 40 a8 bb 99
MK salt: 12 ab 41 2c ee 8f 96 f7 8b 5d b4 b9 49 99 ad 9d
39 3a bd 77 a3 cd 03 d6 3b bf 31 20 2c 01 d9 1a
MK iterations: 24250
UUID: 6f2db449-7096-4f59-a4f2-ccd3d6b30216
Key Slot 0: ENABLED
Iterations: 97366
Salt: b3 d7 06 16 8b 2e 6a 4b bd 11 60 c7 71 e2 0e 9d
34 72 b1 91 24 17 39 fe bc bf 0b b0 a5 05 05 5e
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
[root@localhost ~]#
[root@localhost ~]# cryptsetup luksOpen /dev/mapper/RHS_vg1-RHS_lv1 bricks
Enter passphrase for /dev/mapper/RHS_vg1-RHS_lv1:
[root@localhost ~]#
[root@localhost ~]# dmsetup info bricks
Name: bricks
State: ACTIVE
Read Ahead: 256
Tables present: LIVE
Open count: 0
Event number: 0
Major, minor: 253, 4
Number of targets: 1
UUID: CRYPT-LUKS1-6f2db44970964f59a4f2ccd3d6b30216-bricks
[root@localhost ~]#
Formatting the disk with xfs filesystem and mounting on a directory that would serve as a basedir for GlusterFS bricks.
[root@localhost ~]# mkfs.xfs -i size=512 /dev/mapper/bricks
[root@localhost ~]# mkdir -p /rhs/bricks
[root@localhost ~]# mount /dev/mapper/bricks /rhs/bricks/
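Add the mapping to /etc/crypttab. With `none` in the third field no keyfile is configured, so the passphrase is asked for on the console at boot: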
/etc/crypttab:
bricks /dev/mapper/RHS_vg1-RHS_lv1 none
Updating /etc/fstab
/dev/mapper/bricks /rhs/bricks xfs defaults 1 2
Verifying:
reboot:
Setting hostname localhost.localdomain: [ OK ]
device-mapper: multipath: version 1.5.0 loaded
Setting up Logical Volume Management: 1 logical volume(s) in volume group "RHS_vg1" now active
2 logical volume(s) in volume group "VolGroup" now active
[ OK ]
Enter passphrase for /dev/mapper/RHS_vg1-RHS_lv1:
(Enter passphrase to continue)
[root@localhost ~]# blkid -o full
/dev/vda1: UUID="4f42eeb2-3a08-4efe-afd6-749be6e027f2" TYPE="ext4"
/dev/vda2: UUID="32e98b72-cd13-4195-b16b-054827775c6c" TYPE="crypto_LUKS"
/dev/vdb1: UUID="RdGJcQ-FH9o-oPqo-yBON-0WNy-lOCE-xx0X0w" TYPE="LVM2_member"
/dev/mapper/luks-32e98b72-cd13-4195-b16b-054827775c6c: UUID="3sB1VE-go5j-oBMW-U5tV-A0m6-CJtJ-Rg674c" TYPE="LVM2_member"
/dev/mapper/VolGroup-lv_root: UUID="68773eaa-0cba-4f1d-ac3e-a5b98c905bcc" TYPE="ext4"
/dev/mapper/VolGroup-lv_swap: UUID="0549be15-4779-4c65-a6f1-8d2433d217f8" TYPE="swap"
/dev/mapper/RHS_vg1-RHS_lv1: UUID="6f2db449-7096-4f59-a4f2-ccd3d6b30216" TYPE="crypto_LUKS"
/dev/mapper/bricks: UUID="fdc1a50d-27af-47d5-8dc9-d5cd11df683e" TYPE="xfs"
[root@localhost ~]#
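Automatically unlocking LUKS encrypted drives with a keyfile during boot. Anyone who can read the keyfile can unlock the volume, so it only protects data at rest if the filesystem holding it is itself encrypted (here /root is on VolGroup-lv_root, which sits on the LUKS device /dev/vda2 in the blkid output above). The transcript creates the keyfile first and restricts it with chmod 600 only after luksAddKey; setting a restrictive umask (for example `umask 077`) before running dd avoids the interval in which the file has default permissions.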
[root@localhost ~]# dd if=/dev/urandom of=/root/keyfile-bricks bs=32 count=1
1+0 records in
1+0 records out
32 bytes (32 B) copied, 5.922e-05 s, 540 kB/s
[root@localhost ~]#
[root@localhost ~]# cryptsetup luksAddKey /dev/mapper/RHS_vg1-RHS_lv1 /root/keyfile-bricks
Enter any passphrase:
[root@localhost ~]#
[root@localhost ~]# chmod 600 /root/keyfile-bricks
Update /etc/crypttab as:
bricks /dev/mapper/RHS_vg1-RHS_lv1 /root/keyfile-bricks luks
Create the GlusterFS volume as you normally would.
Creating the first volume for cinder:
# gluster vol create shanks-vol replica 2 \
xx.yy.zz.183:/rhs/bricks/shanks-vol \
xx.yy.zz.223:/rhs/bricks/shanks-vol \
xx.yy.zz.183:/rhs/bricks/shanks-vol \
xx.yy.zz.223:/rhs/bricks/shanks-vol
# gluster vol start shanks-vol
volume start: shanks-vol: success
# gluster vol create shanks-vol replica 2 \
xx.yy.zz.183:/rhs/bricks/shanks-vol \
xx.yy.zz.223:/rhs/bricks/shanks-vol \
xx.yy.zz.183:/rhs/bricks/shanks-vol \
xx.yy.zz.223:/rhs/bricks/shanks-vol
# gluster vol start shanks-vol
volume start: shanks-vol: success