Disk Encryption
Due to the sensitive nature of data that is stored in peopledb3, the underlying disk partition that stores all data for the database is a LUKS-encrypted partition.
Step-by-step guide
Relevant section of /etc/fstab
/dev/mapper/data /data ext4 defaults,noatime 1 2
LUKS partition creation
cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb
cryptsetup luksOpen /dev/sdb data
/etc/crypttab
data /dev/disk/by-uuid/fbfca1b2-5a54-4920-93eb-1c3816449dd6 /root/keyfile luks
The keyfile on all 3 hosts is stored in /root/keyfile and is used to unlock the encrypted partition at boot; the /etc/crypttab file is what facilitates this. The first field in the file, data in this case, is the name under which device-mapper exposes the unlocked volume. This is the name referenced by the /etc/fstab entry above, which gives the device location as /dev/mapper/data. The device location in /etc/crypttab is specified by UUID since this value will remain consistent across reboots and hardware changes to the VM.
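The entries above only work at boot if the crypttab name, the fstab mapper path and the keyfile all line up, and a mismatch is not noticed until the next reboot hangs waiting for a passphrase. The following POSIX shell snippet is an added example, not part of this page or of the hosts' own tooling; the function names check_crypt_mapping and check_keyfile_perms are assumed, and the sample crypttab/fstab lines in the demo are constructed copies of the two entries shown on this page.

```shell
#!/bin/sh
# Added example: sanity-check that an /etc/crypttab entry and its
# /etc/fstab entry agree, and that the keyfile is not world-readable,
# before rebooting a host. Function names are assumptions.

# check_crypt_mapping CRYPTTAB FSTAB NAME
#   NAME is the device-mapper name from the first crypttab field ("data" here).
#   Verifies that crypttab has an entry for NAME, that its source device is
#   given by UUID, and that fstab mounts /dev/mapper/NAME. Returns 0 if all hold.
check_crypt_mapping() {
    crypttab=$1; fstab=$2; name=$3
    line=$(awk -v n="$name" '$1 == n { print; exit }' "$crypttab")
    [ -n "$line" ] || { echo "no crypttab entry for $name" >&2; return 1; }
    src=$(printf '%s\n' "$line" | awk '{ print $2 }')
    case "$src" in
        /dev/disk/by-uuid/*|UUID=*) ;;
        *) echo "crypttab source for $name is not by UUID: $src" >&2; return 1 ;;
    esac
    awk -v dev="/dev/mapper/$name" '$1 == dev { found = 1 } END { exit !found }' "$fstab" \
        || { echo "fstab does not mount /dev/mapper/$name" >&2; return 1; }
    return 0
}

# check_keyfile_perms FILE
#   The keyfile unlocks the volume at boot, so it must be readable only by
#   its owner (mode 0400 or 0600; the owner should be root, which this
#   function does not check). Returns 0 if the mode is acceptable.
check_keyfile_perms() {
    f=$1
    [ -f "$f" ] || { echo "keyfile $f missing" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "keyfile $f has mode $mode; expected 400 or 600" >&2; return 1 ;;
    esac
}

# Demo on constructed copies of the two entries shown on this page.
tmp=$(mktemp -d)
printf 'data /dev/disk/by-uuid/fbfca1b2-5a54-4920-93eb-1c3816449dd6 /root/keyfile luks\n' > "$tmp/crypttab"
printf '/dev/mapper/data /data ext4 defaults,noatime 1 2\n' > "$tmp/fstab"
check_crypt_mapping "$tmp/crypttab" "$tmp/fstab" data && echo "crypttab/fstab agree for data"
rm -rf "$tmp"
```

On a live host the two checks are run against the real files, for example `check_crypt_mapping /etc/crypttab /etc/fstab data && check_keyfile_perms /root/keyfile`; a non-zero exit from either is worth fixing before the next reboot.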