0

I have 10 virtual machines with Elasticsearch on VMware, and compliance said that I should encrypt data volumes; disk-based encryption will be enough for compliance. I want to use a keyfile to automount my LUKS partition with database data, /var/lib/elasticsearch, but the main problem is that this file is stored on the unencrypted root partition. How can I securely store it?

I don't want to use a USB stick with the keyfile, because I have 10 virtual machines with those encrypted partitions. And if I encrypt my /boot partition, I have to enter a passphrase to boot the OS, but I don't have access to the GRUB console or to VMware (because I have only SSH access to the virtual machines).

I am thinking of just encrypting only the data volume (a separate disk for storing Elasticsearch data only) and manually mounting it every time the VM is rebooted (yeah, silly solution), but I don't want to put the password somewhere in a systemd file to mount my LUKS partition. Maybe other variants exist?

2
  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking.
    – Community Bot
    Commented Aug 4, 2022 at 11:04
  • I'll be happy to upvote this if someone can edit it and clean it up. It's 10 lines of text and not a single full stop.
    – gronostaj
    Commented Aug 4, 2022 at 12:51

1 Answer

2

The clevis and tang software packages provide the client and server sides of what's called network-bound disk encryption. They integrate nicely with LUKS and systemd and should cover your needs.

They are available in Fedora and RHEL and derivatives. If they are not available in your distro, I've provided direct links to their GitHub locations.
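One way to wire up the setup the answer describes, as an added example that is not part of the original answer: it binds an existing LUKS data volume to a Tang server with Clevis and registers it for unlock at boot, so no keyfile sits on the root filesystem. The device, mapper name, filesystem type and Tang URL in the usage comment are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumed values: device,
# mapper name, filesystem type and Tang URL are placeholders.

# /etc/crypttab entry. "none" means no keyfile on disk; "_netdev" delays
# unlocking until the network is up, which Clevis needs to reach Tang.
crypttab_line() {   # args: mapper-name luks-uuid
    printf '%s UUID=%s none _netdev\n' "$1" "$2"
}

# Matching /etc/fstab entry; "_netdev" orders the mount after the network.
fstab_line() {      # args: mapper-name mountpoint fstype
    printf '/dev/mapper/%s %s %s defaults,_netdev 0 2\n' "$1" "$2" "$3"
}

# Clevis "tang" pin configuration (JSON) for a given server URL.
tang_pin() {        # args: tang-url
    printf '{"url":"%s"}' "$1"
}

bind_and_enable() { # args: device mapper-name mountpoint fstype tang-url
    uuid=$(cryptsetup luksUUID "$1") || return 1
    # Prompts for an existing LUKS passphrase and asks you to confirm the
    # Tang key thumbprint. It adds a new keyslot; the passphrase slot stays
    # valid as a manual fallback if Tang is unreachable.
    clevis luks bind -d "$1" tang "$(tang_pin "$5")" || return 1
    crypttab_line "$2" "$uuid" >> /etc/crypttab
    fstab_line "$2" "$3" "$4" >> /etc/fstab
    # Answers systemd's passphrase prompt for volumes unlocked after the
    # root filesystem is mounted (the data-disk case in the question).
    systemctl enable clevis-luks-askpass.path
}

# Runs only when called with all five arguments, as root, for example:
#   ./bind.sh /dev/sdb1 es_data /var/lib/elasticsearch xfs http://tang.example.internal
if [ "$#" -eq 5 ]; then
    bind_and_enable "$@"
fi
```

Run it once per VM; a copied or stolen disk image stays locked wherever the Tang server cannot be reached.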
