Sick Gaming
Fedora - Getting started with Stratis encryption - Printable Version

+- Sick Gaming (https://www.sickgaming.net)
+-- Forum: Computers (https://www.sickgaming.net/forum-86.html)
+--- Forum: Linux, FreeBSD, and Unix types (https://www.sickgaming.net/forum-88.html)
+--- Thread: Fedora - Getting started with Stratis encryption (/thread-98180.html)



Fedora - Getting started with Stratis encryption - xSicKxBot - 11-09-2020

Getting started with Stratis encryption

<div><p>Stratis is described on its <a rel="noreferrer noopener" href="https://stratis-storage.github.io/" target="_blank">official website</a> as an “<em>easy to use local storage management for Linux</em>.”&nbsp;See this <a rel="noreferrer noopener" href="https://www.youtube.com/watch?v=CJu3kmY-f5o" target="_blank">short video</a> for a quick demonstration of the basics. The video was recorded on a Red Hat Enterprise Linux 8 system. The concepts shown in the video also apply to Stratis in Fedora.</p>
<p>Stratis version 2.1 introduces support for encryption. Continue reading to learn how to get started with encryption in Stratis.</p>
<p> <span id="more-32013"></span> </p>
<h2>Prerequisites</h2>
<p>Encryption requires Stratis version 2.1 or greater. The examples in this post use a pre-release of Fedora 33.&nbsp;Stratis 2.1 will be available in the final release of Fedora 33.</p>
<p>You’ll also need at least one available block device to create an encrypted pool. The examples shown below were done on a KVM virtual machine with a 5 GB virtual disk drive <em>(/dev/vdb</em>).</p>
<h2>Create a key in the kernel keyring</h2>
<p>The Linux kernel keyring is used to store the encryption key. For more information on the kernel keyring, refer to the <em>keyrings</em> manual page (<em>man keyrings</em>).&nbsp;&nbsp;</p>
<p>Use the <em>stratis key set </em>command to set up the key within the kernel keyring.&nbsp; You must specify where the key should be read from. To read the key from standard input, use the <em>–capture-key</em> option. To retrieve the key from a file, use the <em>–keyfile-path &lt;file&gt;</em> option. The last parameter is a key description. It will be used later when you create the encrypted Stratis pool.</p>
<p>For example, to create a key with the description <em>pool1key</em>, and to read the key from standard input, you would enter:</p>
<pre class="wp-block-preformatted"># <strong>stratis key set --capture-key pool1key</strong>
Enter desired key data followed by the return key:</pre>
<p>The command prompts us to type the key data / passphrase, and the key is then created within the kernel keyring.&nbsp;&nbsp;</p>
<p>To verify that the key was created, run <em>stratis key list</em>:</p>
<pre class="wp-block-preformatted"># <strong>stratis key list</strong>
Key Description
pool1key</pre>
<p>This verifies that the <em>pool1key</em> was created. Note that these keys are not persistent. If the host is rebooted, the key will need to be provided again before the encrypted Stratis pool can be accessed (this process is covered later).</p>
<p>If you have multiple encrypted pools, they can have a separate keys, or they can share the same key.</p>
<p>The keys can also be viewed using the following <em>keyctl</em> commands:</p>
<pre class="wp-block-preformatted"># <strong>keyctl get_persistent @s</strong>
318044983
# <strong>keyctl show</strong>
Session Keyring
&nbsp;701701270 --alswrv&nbsp; &nbsp; &nbsp; 0 &nbsp; &nbsp; 0&nbsp; keyring: _ses
&nbsp;649111286 --alswrv&nbsp; &nbsp; &nbsp; 0 65534 &nbsp; \_ keyring: _uid.0
&nbsp;318044983 ---lswrv&nbsp; &nbsp; &nbsp; 0 65534 &nbsp; \_ keyring: _persistent.0
1051260141 --alswrv&nbsp; &nbsp; &nbsp; 0 &nbsp; &nbsp; 0 &nbsp; &nbsp; &nbsp; \_ user: stratis-1-key-pool1key
</pre>
<h2>Create the encrypted Stratis pool</h2>
<p>Now that a key has been created for Stratis, the next step is to create the encrypted Stratis pool. Encrypting a pool can only be done at pool creation. It isn’t currently possible to encrypt an existing pool.</p>
<p>Use the <em>stratis pool create</em> command to create a pool. Add <em>–key-desc</em> and the key description that you provided in the previous step (<em>pool1key</em>). This will signal to Stratis that the pool should be encrypted using the provided key. The below example creates the Stratis pool on <em>/dev/vdb</em>, and names it <em>pool1</em>.&nbsp;Be sure to specify an empty/available device on your system.</p>
<pre class="wp-block-preformatted"># stratis pool create --key-desc pool1key pool1 /dev/vdb</pre>
<p>You can verify that the pool has been created with the <em>stratis pool list</em> command:</p>
<pre class="wp-block-preformatted"># <strong>stratis pool list&nbsp;</strong>
Name &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Total Physical &nbsp; Properties
pool1 &nbsp; 4.98 GiB / 37.63 MiB / 4.95 GiB&nbsp; &nbsp; &nbsp; ~Ca, Cr</pre>
<p>In the sample output shown above, <em>~Ca </em>indicates that caching is disabled (the tilde negates the property). <em>Cr </em>indicates that encryption is enabled.&nbsp; Note that caching and encryption are mutually exclusive. Both features cannot be simultaneously enabled.</p>
<p>Next, create a filesystem. The below example, demonstrates creating a filesystem named <em>filesystem1</em>, mounting it at the <em>/filesystem1</em> mountpoint, and creating a test file in the new filesystem:</p>
<pre class="wp-block-preformatted"># stratis filesystem create pool1 filesystem1
# mkdir /filesystem1
# mount /stratis/pool1/filesystem1 /filesystem1
# cd /filesystem1
# echo "this is a test file" &gt; testfile
</pre>
<h2>Access the encrypted pool after a reboot</h2>
<p>When you reboot you’ll notice that Stratis no longer shows your encrypted pool or its block device:</p>
<pre class="wp-block-preformatted"><strong># stratis pool list</strong>
Name &nbsp; Total Physical &nbsp; Properties</pre>
<pre class="wp-block-preformatted"><strong># stratis blockdev list</strong>
Pool Name &nbsp; Device Node &nbsp; Physical Size &nbsp; Tier</pre>
<p>To access the encrypted pool, first re-create the key with the same key description and key data / passphrase that you used previously:</p>
<pre class="wp-block-preformatted"><strong># stratis key set --capture-key pool1key</strong>
Enter desired key data followed by the return key:</pre>
<p>Next, run the <em>stratis pool unlock</em> command, and verify that you can now see the pool and its block device:</p>
<pre class="wp-block-preformatted"># <strong>stratis pool unlock</strong>
# <strong>stratis pool list</strong>
Name&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Total Physical &nbsp; Properties
pool1 &nbsp; 4.98 GiB / 583.65 MiB / 4.41 GiB&nbsp; &nbsp; &nbsp; ~Ca, Cr
# <strong>stratis blockdev list</strong>
Pool Name &nbsp; Device Node &nbsp; Physical Size &nbsp; Tier
pool1 &nbsp; &nbsp; &nbsp; /dev/dm-2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 4.98 GiB &nbsp; Data
</pre>
<p>Next, mount the filesystem and verify that you can access the test file you created previously:</p>
<pre class="wp-block-preformatted"># <strong>mount /stratis/pool1/filesystem1 /filesystem1/</strong>
# <strong>cat /filesystem1/testfile&nbsp;</strong>
this is a test file
</pre>
<h2>Use a systemd unit file to automatically unlock a Stratis pool at boot</h2>
<p>It is possible to automatically unlock your Stratis pool at boot without manual intervention. However, a file containing the key must be available. Storing the key in a file might be a security concern in some environments.</p>
<p>The systemd unit file shown below provides a simple method to unlock a Stratis pool at boot and mount the filesystem. Feedback on a better/alternative methods is welcome. You can provide suggestions in the comment section at the end of this article.</p>
<p>Start by creating your key file with the following command. Be sure to substitute <em>passphrase </em>with the same key data / passphrase you entered previously.</p>
<pre class="wp-block-preformatted"># echo -n passphrase &gt; /root/pool1key</pre>
<p>Make sure that the file is only readable by root:</p>
<pre class="wp-block-preformatted"># chmod 400 /root/pool1key
# chown root:root /root/pool1key</pre>
<p>Create a systemd unit file at <em>/etc/systemd/system/stratis-filesystem1.service</em> with the following content:</p>
<pre class="wp-block-preformatted">[Unit]
Description = stratis mount pool1 filesystem1 file system
After = stratisd.service [Service]
ExecStartPre=sleep 2
ExecStartPre=stratis key set --keyfile-path /root/pool1key pool1key
ExecStartPre=stratis pool unlock
ExecStartPre=sleep 3
ExecStart=mount /stratis/pool1/filesystem1 /filesystem1
RemainAfterExit=yes [Install]
WantedBy = multi-user.target</pre>
<p>Next, enable the service so that it will run at boot:</p>
<pre class="wp-block-preformatted"># systemctl enable stratis-filesystem1.service</pre>
<p>Now reboot and verify that the Stratis pool has been automatically unlocked and that its filesystem is mounted.</p>
<h2>Summary and conclusion</h2>
<p>In today’s environment, encryption is a must for many people and organizations.&nbsp;This post demonstrated how to enable encryption in Stratis 2.1.</p>
</div>


https://www.sickgaming.net/blog/2020/11/09/getting-started-with-stratis-encryption/