Encryption

Can anybody point me in the right direction?

Encryption-at-Rest

We have a customer wanting to use Ubuntu (latest version). They also want it to support Encryption!
Were not Ubuntu experts and any means. They want all encryption done via SW normally we do this with a RAID Controller. So my questions.

  1. Searching Ubuntu’s webpage we found data at rest i guess using Kubernetes with links HashiCorp webpage. So with Kubernetes and HashiCorp will this support encryption?
  2. The drives we have come with Hardware-based AES-XTS 256-bit encryption. Is that ok?
    Or do they need to be TCG and OPAL certified?
  3. We also need a key for security.

Who is this encryption supposed to be defending from? You will have very different requirements between “picking the hard drive up out of the server & walking away” versus “reboot the server into attacker OS” versus “protected from the service provider” (you)

The answer to the above questions will help you figure out the answer to this one :slight_smile:
e.g. if key stored on drive & opened without OS help, not very useful vs “steal the entire server”

Hi and thank you for the reply. Sorry i should have clarified the level.
I want to prevent somebody from taking the drives from the server and walking away with it.
Not getting into to must detail the server will have 2 boot drives and 10 NVMe drives in the front that are removable. The customer wants to write data to the front drives. They want to prevent somebody from taking these 10 drives out of the server and walking out of the building with all their data.
If that did happen the data would be encrypted and on boot up it should ask for a key to unlock the drives to access the data.

I recommend, then, dm_crypt that is in kernel. You just encrypt all the disk except /boot, during boot (initramfs) it asks for a passphrse (there might be other methods to unlock) and then everything is encrypted and decrypted underneath, is transparent. You use your system as always (it has some overhead, because every read and write is encrypted, though)

It is usually what most distros do, I think, then you select an encrypted setup during installation.

Would that work for you?

Rata,

Yes i was reading this as well the DM_crypt. Looks like that would work. again not a linux guy learning on the fly. Yeah im will have to test out the encryption to see how much of a performance hit i take. Currently with 8 drives im seeing about 20GB/s. If i see less that 8GB/s that will be a problem. Even below 15GB/s would be an issue because these drives are not cheap. My last resort is to add in a RAID controller that will do everything for me but i have explore this first.

note: if you’re using manual disk unlocks, you are going to want to have cross-node redundancy so you can endure an unexpected reboot without the applications hard-crashing!

N+1, N+2, N+m, however many you need to have enough time to get in and re-start the nodes after they fail.