Firstly can someone point me to a HIGH LEVEL somewhat CONCEPTUAL tutorial on cryptsetup? I know a lot of the nuts and bolts but, as my second question will show, I need some guidance on WHAT to do. The HOW I can probably figure out.
Here is the situation...
I am putting together a server for data archiving. I have a bare bones Dell T130 server (on the way). I will be running CentOS 7 from a USB flash drive (already do this on my T20 works great) and will initially install 2 - 6 TB drives and 2 - 4 TB drives. Data will be mirrored between the 6 TB drives and between the 4 TB drives. I am already doing this on the T20 server with 4 TB drives.
For the new server I wish to encrypt the drives mainly so that if I ever need to return one under warranty I do not have to spend a day or more wiping the drive before releasing it or facing the situation of scrapping the drive if I cannot wipe it. That said, this is also a learning exercise....
Putting together pieces of scripts I have used for managing encrypted partitions under other situations I could do something like this.
1 - Boot the server
2 - Connect with ssh
3 - Run a script something like
Code:
#!/bin/bash
echo Enter passphrase
read -s pass
echo $pass | cryptsetup luksOpen /dev/sda1 sda1
mount /dev/mapper/sda1 /data/secret1
echo $pass | cryptsetup luksOpen /dev/sda2 sda2
mount /dev/mapper/sda2 /data/secret2
echo $pass | cryptsetup luksOpen /dev/sda3 sda3
mount /dev/mapper/sda3 /data/secret3
echo $pass | cryptsetup luksOpen /dev/sda4 sda4
mount /dev/mapper/sda4 /data/secret4
exit
which assumes that all 4 drives have the same passphrase. Not very elegant but typical of my pick and shovel scripting style
I guess what I would like to do would be to provide an decryption key which would automagically unlock and mount the drives on boot. The key file would be stored on a flash drive which could be removed after boot and physically protected thus rendering the server secure if stolen or picked up by a black helicopter or some such catastrophe
I do not know where to start on such an approach as I do not even know if such a thing is possible. Any pointers?
TIA,
Ken
p.s. The key advantage of the second approach would be the elimination of the need to enter a passphrase. Security would be provided my physical control of the flash drive containing the key file.