Mirtov Alexey 33d0bd4365 add english 2 years ago

README.md

VM disk encryption in the cloud using YC KMS

Description

Operating diagram

Diagram

Description of the solution operation

  • Data is passed to the cloud-init script when the VM instance is deployed.
  • The software is installed: AWS CLI, cryptsetup-bin, curl.
  • The SSH key created by Terraform is passed to the VM.
  • A Bash script with the create argument is executed on the VM: a high-entropy encryption key is created using the KMS generateDataKey method and written to disk in both plaintext and encrypted form.
  • The second VM disk is encrypted with this key and mounted.
  • The encrypted (KMS-wrapped) key is copied to Yandex Object Storage and deleted from the file system.
  • The script with the "open" argument is added to the OS startup sequence so that the encrypted disk is mounted automatically on reboot.
  • At mount time, the encrypted key is downloaded from Object Storage (S3 API), decrypted via KMS, and deleted from the file system once the disk is mounted.

All operations with KMS and Object Storage are performed using a service account token linked to the VM at its creation.

Description of script arguments:

  • create: Creates a high-entropy key using the KMS generateDataKey method and encrypts the disk with it.
  • open: Opens the encrypted disk and mounts the decrypted device.
  • close: Unmounts and closes the encrypted device.
  • erase: Wipes the source device.
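The create and open flows described above, written out as an added example (it is not the repository's script.sh). It assumes the KMS REST endpoint, the VM metadata token endpoint, and IAM-token authentication to Object Storage via the X-YaCloud-SubjectToken header, and that curl, jq and cryptsetup are installed; the key id, bucket URL and device are placeholders to replace.

```shell
#!/usr/bin/env bash
# Added example, not the project's script.sh. Assumed: a service account linked
# to the VM, the KMS/metadata endpoints below, and curl/jq/cryptsetup on PATH.
set -euo pipefail
KMS_KEY_ID="${KMS_KEY_ID:-<kms-key-id>}"                          # placeholder
BUCKET_URL="${BUCKET_URL:-https://storage.yandexcloud.net/<bucket>}"  # placeholder
DEV="${DEV:-/dev/vdb}"; MAPPER=encrypted1; MNT=/mnt/encrypted1
WORK="${WORK:-/root/keys}"
trap 'wipe "$WORK/key.bin"' EXIT   # plaintext key never survives an aborted run
kms_url() { printf 'https://kms.yandex/kms/v1/keys/%s:%s' "$1" "$2"; }  # <key-id> <method>
iam_token() {  # IAM token of the VM's service account, from the metadata service
  curl -fsS -H 'Metadata-Flavor: Google' \
    http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token | jq -r .access_token
}
kms_call() {  # kms_call <method> <json-body>; prints the JSON response
  curl -fsS -X POST -H "Authorization: Bearer $(iam_token)" -H 'Content-Type: application/json' \
    -d "$2" "$(kms_url "$KMS_KEY_ID" "$1")"
}
wipe() {  # remove key material: shred when available, overwrite + rm otherwise
  [ -e "$1" ] || return 0
  if command -v shred >/dev/null; then shred -u "$1"; else dd if=/dev/urandom of="$1" bs=4k count=1 conv=notrunc 2>/dev/null; rm -f "$1"; fi
}
create() {  # new AES-256 data key; the plaintext lives in $WORK only until the disk is open
  mkdir -p "$WORK" && chmod 700 "$WORK"
  kms_call generateDataKey '{"dataKeySpec":"AES_256"}' >"$WORK/resp.json"
  jq -r .plaintext "$WORK/resp.json" | base64 -d >"$WORK/key.bin"
  jq -r .ciphertext "$WORK/resp.json" >"$WORK/key.enc"; wipe "$WORK/resp.json"
  cryptsetup luksFormat -q --key-file "$WORK/key.bin" "$DEV"
  cryptsetup open --key-file "$WORK/key.bin" "$DEV" "$MAPPER"
  mkfs.ext4 -q "/dev/mapper/$MAPPER"; mkdir -p "$MNT"; mount "/dev/mapper/$MAPPER" "$MNT"
  # only the KMS-wrapped key leaves the VM; decrypting it needs the SA's KMS rights
  curl -fsS -X PUT -H "X-YaCloud-SubjectToken: $(iam_token)" --data-binary @"$WORK/key.enc" "$BUCKET_URL/key.enc"
  wipe "$WORK/key.bin"; wipe "$WORK/key.enc"
}
open_disk() {  # at boot: fetch the wrapped key, unwrap it through KMS, open, then wipe
  mkdir -p "$WORK" && chmod 700 "$WORK"
  curl -fsS -H "X-YaCloud-SubjectToken: $(iam_token)" -o "$WORK/key.enc" "$BUCKET_URL/key.enc"
  kms_call decrypt "{\"ciphertext\":\"$(cat "$WORK/key.enc")\"}" | jq -r .plaintext | base64 -d >"$WORK/key.bin"
  cryptsetup open --key-file "$WORK/key.bin" "$DEV" "$MAPPER"
  mkdir -p "$MNT"; mount "/dev/mapper/$MAPPER" "$MNT"
  wipe "$WORK/key.bin"; wipe "$WORK/key.enc"
}
close_disk() { umount "$MNT" 2>/dev/null || true; cryptsetup close "$MAPPER"; }
case "${1:-}" in create) create ;; open) open_disk ;; close) close_disk ;; "") ;; *) echo "usage: $0 create|open|close" >&2; exit 2 ;; esac
```

A snapshot of the encrypted disk is useless on its own: the LUKS key exists only as the wrapped blob in the bucket, and unwrapping it requires a token of a service account holding kms.keys.encrypterDecrypter on the key.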

Prerequisites (the example Terraform script configures these):

  • Install and configure YC CLI.
  • Create a service account.
  • Create a KMS key.
  • Assign rights for the KMS key to the created service account (kms.keys.encrypterDecrypter).
  • Create an Object Storage Bucket.
  • Assign rights to the Object Storage Bucket to the created service account (storage.uploader, storage.viewer + BucketPolicy).
  • Assign a service account to the VM.
  • Install AWS CLI: apt install awscli
  • Install cryptsetup: apt install cryptsetup-bin

Launching the solution

  • Download the files.
  • Fill out the variables.tf file.
  • Execute Terraform commands:
terraform init
terraform apply

Deployment results

  • Check the status of mounted objects:
lsblk

Status

  • Check the disk encryption status:
cryptsetup status encrypted1

Status

  • Check the disk on another VM. To do this, create a snapshot of the disk:

Snapshot

  • Create a VM with a disk based on the snapshot:

Creating a VM

  • Try mounting the disk:

sudo mount /dev/vdb /mnt

Test result