LUKS encryption of shared disk?

epkmlid
Level 3

Hello!

We have a virtualized environment with HP blade servers connected to a SAN where we intend to run several Linux (RHEL 7.2) VMs and Veritas SF 6.2.1. 15 of these VMs will form a cluster where all cluster nodes will mount and use the same shared disk, so Veritas Storage Foundation Cluster File System HA will be used. The (CVM/CFS) shared disk will only be used to store/archive files. However, the requirement is to encrypt the data on the shared disk.
As a primary candidate for encryption, LUKS has been chosen. But from what I can see, LUKS only seems to work with LVM and not with VxVM/CVM.

Does anyone know if it is feasible to use LUKS encryption on a Veritas shared disk? If it’s not feasible, does anyone have a suggestion for a solution?
I suppose file system level encryption, like EncFS/ecryptfs, is possible but would probably have a bigger performance impact.

 Best regards
Mattias Lidström

7 REPLIES 7

RB-Infinitely
Level 4

Hi

You should be using Infoscale 7.2 for your RHEL 7.2; 6.2 is very old.

You can encrypt the volumes directly with Infoscale. See page 103 of the guide

https://sort-static.veritas.com/public/documents/vie/7.2/linux/productguides/pdf/sfcfs_admin_72_lin....

 

Hello,

Thank you for your reply. Infoscale seems to be one feasible solution and I want to test it first.
However, it is only possible to download IS7.3.1 whereas I would need IS7.2, just as you say, that supports RHEL7.2.
Do you know where I can download a trial version of InfoScale 7.2? It seems like it's not possible to download older versions any more.

 Best regards
Mattias Lidström

Hi,

I can put it on dropbox if you're able to access that.

Let me know.

Hello,

That would be excellent! Thank you!

Best regards
Mattias Lidström

Hello

How did the testing go?

Hello!

Well, so far I have created a non-shared VxVM/VxFS handled encrypted volume to see that the encryption is transparent for the application that distributes the files.
And that works just fine!
Now I have set up a single node cluster (not using LLT, GAB or VxFEN) and will create an encrypted CVM/CFS volume to verify that the end solution setup will work.
But for some reason the cvm service group does not come online. I'm starting to suspect that I actually do need the LLT/GAB to be able to configure CVM/CFS.

# vxdctl -c mode
mode: enabled: cluster inactive

# /opt/VRTS/bin/cfscluster status
Node : csua2-emm1
Cluster Manager : running
CVM state : not-running
No mount point registered with cluster configuration

Best regards
Mattias Lidström

Yes, a real CLUSTER (with LLT, GAB, FENCE, etc) is required for CVM (can't create a cluster shared volume if you're not really sharing it)