2025-01-18 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >
Shulou (Shulou.com) 06/01 Report
This article explains in detail how to get started with encryption in Stratis. The editor thinks it is very practical, so I am sharing it with you as a reference. I hope you get something out of reading it.
Prerequisites
Stratis 2.1 or later is required for encryption. The examples in this article use a pre-release version of Fedora 33; Stratis 2.1 will be included in the final version of Fedora 33.
You also need at least one available block device to create an encrypted pool. The following examples were done on a KVM virtual machine with a 5 GB virtual disk drive (/dev/vdb).
Create a key in the kernel key ring
The Linux kernel keyring is used to store the encryption key. For more information about kernel keyrings, refer to the keyrings man page (man keyrings).
Use the stratis key set command to set the key in the kernel keyring. You must specify where the key is read from: to read the key from standard input, use the --capture-key option; to read the key from a file, use the --keyfile-path option. The last parameter is a key description, which will be used later when you create an encrypted Stratis pool.
For example, to create a key with the description pool1key and read the key from standard input, type:
# stratis key set --capture-key pool1key
Enter desired key data followed by the return key:
The command prompts for the key data/password, and the key is then created in the kernel keyring.
To verify that the key has been created, run stratis key list:
# stratis key list
Key Description
pool1key
This confirms that pool1key has been created. Note that these keys are not persistent: if the host reboots, the key must be provided again before the encrypted Stratis pool can be accessed (this process is described later).
If you have multiple encrypted pools, each can have its own key, or they can share the same key.
You can also view the key with the following keyctl commands:
# keyctl get_persistent @s
318044983
# keyctl show
Session Keyring
 701701270 --alswrv      0     0  keyring: _ses
 649111286 --alswrv      0 65534   \_ keyring: _uid.0
 318044983 ---lswrv      0 65534   \_ keyring: _persistent.0
1051260141 --alswrv      0         \_ user: stratis-1-key-pool1key
Create an encrypted Stratis pool
Now that you have created a key for Stratis, the next step is to create an encrypted Stratis pool. Encrypting a pool can only be done when the pool is created. It is currently not possible to encrypt an existing pool.
Use the stratis pool create command to create the pool. Add --key-desc followed by the key description (pool1key) you provided in the previous step. This tells Stratis that the pool should be encrypted with that key. The following example creates a Stratis pool on /dev/vdb and names it pool1. Be sure to specify an empty, available device on your own system.
# stratis pool create --key-desc pool1key pool1 /dev/vdb
You can use the stratis pool list command to verify that the pool has been created:
# stratis pool list
Name   Total Physical                       Properties
pool1  4.98 GiB / 37.63 MiB / 4.95 GiB      ~Ca, Cr
In the sample output above, ~Ca indicates that caching is disabled (~ negates the attribute) and Cr indicates that encryption is enabled. Note that caching and encryption are mutually exclusive: the two features cannot be enabled at the same time.
Next, create a file system. The following example creates a file system named filesystem1, mounts it at the /filesystem1 mount point, and creates a test file in the new file system:
# stratis filesystem create pool1 filesystem1
# mkdir /filesystem1
# mount /stratis/pool1/filesystem1 /filesystem1
# cd /filesystem1
# echo "this is a testfile" > testfile
Access the encrypted pool after a reboot
After a reboot, you will find that Stratis no longer shows your encrypted pool or its block devices:
# stratis pool list
Name   Total Physical   Properties
# stratis blockdev list
Pool Name   Device Node   Physical Size   Tier
To access the encrypted pool, first recreate the key with the same key description and key data/password you used previously:
# stratis key set --capture-key pool1key
Enter desired key data followed by the return key:
Next, run the stratis pool unlock command and verify that you can now see the pool and its block devices:
# stratis pool unlock
# stratis pool list
Name   Total Physical                        Properties
pool1  4.98 GiB / 583.65 MiB / 4.41 GiB      ~Ca, Cr
# stratis blockdev list
Pool Name   Device Node   Physical Size   Tier
pool1       /dev/dm-2     4.98 GiB        Data
Next, mount the file system and verify that the test file you created earlier is accessible:
# mount /stratis/pool1/filesystem1 /filesystem1/
# cat /filesystem1/testfile
this is a testfile
Use a systemd unit file to automatically unlock the Stratis pool at startup
The Stratis pool can be unlocked automatically at startup without manual intervention, but this requires a file that contains the key. In some environments, storing the key in a file may be a security concern.
The systemd unit file shown below provides a simple way to unlock the Stratis pool and mount the file system at startup. Feedback on better or alternative methods is welcome; you can leave suggestions in the comments section at the end of the article.
First, create the key file with the following command. Be sure to replace passphrase with the same key data/password you entered earlier.
# echo -n passphrase > /root/pool1key
Make sure that the file can only be read by root:
# chmod 400 /root/pool1key
# chown root:root /root/pool1key
Create a systemd unit file at /etc/systemd/system/stratis-filesystem1.service containing the following:
[Unit]
Description = stratis mount pool1 filesystem1 file system
After = stratisd.service

[Service]
ExecStartPre=sleep 2
ExecStartPre=stratis key set --keyfile-path /root/pool1key pool1key
ExecStartPre=stratis pool unlock
ExecStartPre=sleep 3
ExecStart=mount /stratis/pool1/filesystem1 /filesystem1
RemainAfterExit=yes

[Install]
WantedBy = multi-user.target
Next, enable the service to run at startup:
# systemctl enable stratis-filesystem1.service
Now restart and verify that the Stratis pool is automatically unlocked and its file system is mounted.
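The following shell helper is an added example, not code from the original article or from the Stratis project: it checks the key file the way the steps above ask for (root-owned, mode 400, non-empty, written with echo -n so no trailing newline) before passing it to stratis key set --keyfile-path, and waits for the pool to appear instead of sleeping a fixed time. The names check_keyfile and unlock_pool are mine; pool1, pool1key and /root/pool1key are the article's, and GNU stat/od plus stratis-cli 2.1 are assumed.

```shell
#!/bin/sh
# Added example, not from the original article or the Stratis project.
# check_keyfile/unlock_pool are my names; pool1, pool1key and /root/pool1key
# are the article's. Assumes GNU stat/od and stratis-cli 2.1 or later.

# check_keyfile FILE [OWNER_UID]: returns 0 if FILE is safe to use as a key file.
# The expected owner defaults to uid 0 (root), matching the article's chown.
check_keyfile() {
    f=$1; want_uid=${2:-0}
    [ -f "$f" ] || { echo "$f: missing or not a regular file" >&2; return 1; }
    [ -s "$f" ] || { echo "$f: empty key file" >&2; return 1; }
    set -- $(stat -c '%u %a' "$f")
    uid=$1; mode=$2
    [ "$uid" = "$want_uid" ] || { echo "$f: owned by uid $uid, want $want_uid" >&2; return 1; }
    # Only the owner may read it (400, or 600); any group/other bit fails.
    case $mode in
        400|600) ;;
        *) echo "$f: mode $mode lets others read it; chmod 400 it" >&2; return 1 ;;
    esac
    # --keyfile-path takes the file contents verbatim, so a trailing newline
    # becomes part of the key and will not match a key typed at the
    # --capture-key prompt (which is why the article writes it with echo -n).
    last=$(tail -c 1 "$f" | od -An -tx1 | tr -d ' \n')
    [ "$last" != "0a" ] || { echo "$f: ends with a newline; key would not match" >&2; return 1; }
    return 0
}

# unlock_pool POOL KEYDESC KEYFILE: the unit's ExecStartPre chain, but polling
# `stratis pool list` for POOL rather than sleeping a fixed 3 seconds.
unlock_pool() {
    pool=$1; desc=$2; keyfile=$3
    check_keyfile "$keyfile" || return 1
    stratis key set --keyfile-path "$keyfile" "$desc" || return 1
    stratis pool unlock || return 1
    i=0
    while [ "$i" -lt 10 ]; do
        stratis pool list | grep -q "^$pool " && return 0
        i=$((i + 1)); sleep 1
    done
    echo "pool $pool did not appear after unlock" >&2
    return 1
}
```

To use it from the unit, end the script with `unlock_pool pool1 pool1key /root/pool1key` and point the ExecStartPre lines at it (a hypothetical /usr/local/sbin/stratis-unlock.sh) in place of the sleep and stratis commands.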
This concludes the article on "how to get started with encryption in Stratis". I hope the content above is of some help to you and lets you learn something new. If you think the article is good, please share it so that more people can see it.