cancel
Showing results for 
Search instead for 
Did you mean: 

LUKS encryption of shared disk?

Hello!

 We have a virtualized environment with HP blade servers connected to a SAN where we intend to run several Linux (RHEL 7.2) VMs and Vertias SF 6.2.1. 15 of these VMs will form a cluster where all cluster nodes will mount and use the same shared disk, so Veritas Storage Foundation Cluster File System HA will be used. The (CVM/CFS) shared disk only be used to store/archive files. However, the requirement is to encrypt the data on the shared disk.
As a primary candidate for encryption, LUKS has been chosen. But from what I can see, LUKS only seem to work with LVM and not with VxVM/CVM.

Does anyone know if it is feasible to use LUKS encryption on a Veritas shared disk? If it’s not feasible, does anyone have a suggestion for a solution?
I suppose file system level encryption, like EncFS/ecryptfs, are possible but would probably have a bigger performance impact.

 Best regards
Mattias Lidström

7 Replies

Re: LUKS encryption of shared disk?

Hi

You should be using Infoscale 7.2 for your RHEL 7.2 , 6.2 is very old. 

You can encrypt the volumes directly with Infoscale. See page 103 of the guide

https://sort-static.veritas.com/public/documents/vie/7.2/linux/productguides/pdf/sfcfs_admin_72_lin....

 

Re: LUKS encryption of shared disk?

Hello,

Thank you for your reply. Infoscale seems to be one feasible solution and i want to test it first.
However, it is only possible to download IS7.3.1 whereas i would need IS7.2, just as you say, that supports RHEL7.2.
Do you know were i can download a trial version of InfoScale 7.2? It seems like its not possible to download older versions any more.

 Best regards
Mattias Ldström

Re: LUKS encryption of shared disk?

Hi,

I can put it on dropbox if you're able to access that.

Let me know.

Re: LUKS encryption of shared disk?

Hello,

That would be excellent! Thank you!

Best regards
Mattias Lidström

Re: LUKS encryption of shared disk?

Hello

How did the testing go?

Re: LUKS encryption of shared disk?

Hello!

Well, so far i have created a non-shared VxVM/VxFS handled encrypted volume to see that the encryption is transparent for the application that distributes the files.
And that works just fine!
Now i have setup a single node cluster (not using LLT, GAB or VxFEN) and will create an encrypted CVM/CFS volume to verify that the end solution setup will work.
But for some reason the cvm service group does not come online. Im starting to suspect that i actually do need the LLT/GAB to be able to configure CVM/CFS.

# vxdctl -c mode
mode: enabled: cluster inactive

# /opt/VRTS/bin/cfscluster status
Node : csua2-emm1
Cluster Manager : running
CVM state : not-running
No mount point registered with cluster configuration

Best regards
Mattias Lidström

Re: LUKS encryption of shared disk?

Yes, a real CLUSTER (with LLT, GAB, FENCE, etc) is required for CVM (can't create a cluster shared volume if you're not really sharing it)