Encrypting /var/lib/puppet directory on clients


Eugene Sapozhnikov

Aug 20, 2014, 1:07:20 PM
to puppet...@googlegroups.com
I have been given a project to secure our client hosts.

One of the requirements was to set up an encrypted volume and mount it over /var/puppet/lib .

The other requirement was to have the encryption key reside only on the puppet master.

I have been able to use cryptsetup to have puppet configure and mount the encrypted volume successfully.

But I am running into a roadblock when the client server reboots and the volume is unmounted. I can't use puppet to mount the volume, as the puppet agent will not connect successfully without /var/lib/puppet being mounted so it can use the original SSL cert.

Wanted to see if anyone here has tried any similar setups to what I am trying to achieve.

Thanks.
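The failure mode described above (agent started before the encrypted volume is mounted, so it cannot find its signed cert) can be caught before the agent runs. The script below is an added example, not code from the thread or from Puppet: a pre-start gate that refuses to launch the agent until /var/lib/puppet is an actual mountpoint backed by a device-mapper node and the cert and key are present, rather than letting the agent run against the bare directory under the mountpoint (where it would mint a fresh, unsigned cert that the master will reject). The puppet 3.x default SSL layout (`ssl/certs/<fqdn>.pem`, `ssl/private_keys/<fqdn>.pem`), the `/dev/mapper/*` device naming and the sample mounts file are assumptions; the mounts file and puppet directory used at the bottom are constructed so the checks can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): pre-start gate for the puppet agent
# on a client whose /var/lib/puppet lives on a cryptsetup volume.
#
# Assumed (not stated in the thread): puppet 3.x default layout
# $PUPPET_DIR/ssl/certs/<fqdn>.pem and $PUPPET_DIR/ssl/private_keys/<fqdn>.pem,
# and that the opened volume appears as /dev/mapper/<name>.

# is_mounted DIR [MOUNTS]: succeed if DIR is exactly a mount target (field 2)
# of a /proc/mounts-formatted file. Exact field match, so /var/lib/puppetlabs
# does not satisfy a check for /var/lib/puppet.
is_mounted() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit found ? 0 : 1 }' "${2:-/proc/mounts}"
}

# mount_source DIR [MOUNTS]: print the device backing DIR (empty if not mounted).
mount_source() {
    awk -v d="$1" '$2 == d { print $1 }' "${2:-/proc/mounts}"
}

# on_mapper_device DIR [MOUNTS]: succeed if DIR is backed by a device-mapper
# node. Heuristic only: LVM volumes also live under /dev/mapper, so this
# proves "not a plain partition", not "dm-crypt".
on_mapper_device() {
    case "$(mount_source "$1" "$2")" in
        /dev/mapper/*) return 0 ;;
        *)             return 1 ;;
    esac
}

# agent_ready PUPPET_DIR FQDN [MOUNTS]: every precondition for starting the
# agent; the first failing one is reported on stderr.
agent_ready() {
    pdir=$1; fqdn=$2; mounts=${3:-/proc/mounts}
    is_mounted "$pdir" "$mounts"       || { echo "$pdir is not mounted" >&2; return 1; }
    on_mapper_device "$pdir" "$mounts" || { echo "$pdir is not on a /dev/mapper device" >&2; return 1; }
    [ -r "$pdir/ssl/certs/$fqdn.pem" ]        || { echo "signed cert missing for $fqdn" >&2; return 1; }
    [ -r "$pdir/ssl/private_keys/$fqdn.pem" ] || { echo "private key missing for $fqdn" >&2; return 1; }
    return 0
}

# --- Constructed sample so the gate can be exercised without root ----------
SAMPLE=$(mktemp -d)
# Constructed /proc/mounts: a dm-crypt volume on the sample puppet dir, a
# real /var/lib/puppet and a near-miss path on a plain partition.
cat > "$SAMPLE/mounts" <<EOF
/dev/sda1 / ext4 rw,relatime 0 0
/dev/mapper/puppet_crypt $SAMPLE/puppet ext4 rw,relatime 0 0
/dev/mapper/puppet_crypt /var/lib/puppet ext4 rw,relatime 0 0
/dev/sdb1 /var/lib/puppetlabs ext4 rw,relatime 0 0
EOF
# Placeholder cert and key files in the assumed layout (empty, constructed).
mkdir -p "$SAMPLE/puppet/ssl/certs" "$SAMPLE/puppet/ssl/private_keys"
: > "$SAMPLE/puppet/ssl/certs/client1.example.com.pem"
: > "$SAMPLE/puppet/ssl/private_keys/client1.example.com.pem"

# In production the gate wraps the real start, e.g.:
#   agent_ready /var/lib/puppet "$(hostname -f)" && exec puppet agent --no-daemonize
if agent_ready "$SAMPLE/puppet" client1.example.com "$SAMPLE/mounts"; then
    echo "sample: agent may start, volume from $(mount_source "$SAMPLE/puppet" "$SAMPLE/mounts")"
fi
```

Run it as the command of whatever starts the agent (an init script's pre-start, or a systemd `ExecStartPre=`), so a client that booted without its volume simply stays down and shows up as missing on the master instead of showing up with a cert the master does not know.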

Brian Mathis

Aug 20, 2014, 1:19:04 PM
to puppet-users
The only way to mount an encrypted volume on boot is if the password is stored somewhere on the server itself, such as in /etc/crypttab.  Maybe you could come up with a system that uses ssh to login and "manually" mount the volume with a password after the system is booted.

One thing to be aware of is that disk encryption at this level provides no additional security within the system -- anyone logged in can see and access all the files (subject to standard file permissions).  It does help with data on the underlying disk, which is only really of use when the machine is completely turned off, protecting it from an administrator on the VM host (though they would have full access to your system anyway), or from a SAN admin.


❧ Brian Mathis
@orev



Darin Perusich

Aug 21, 2014, 8:04:08 AM
to puppet...@googlegroups.com
As mentioned, you'll gain no additional security while the volume since anyone who can log into the machine and switch to the root/puppet users will be able to access said data.

However, there are solutions which provide encryption and fine-grained access control which remove the ability for any "unauthorized" process to access your data, such as the root user. I use one of these solutions to "protect" ePHI, but am not a fan of it so won't promote it on this list, but ping me off list if you're interested. Personally I'd never use it for my puppet data/config and would think there are other ways of ensuring its integrity.

--
Later,
Darin