Mirtov Alexey 33d0bd4365 add english 2 anos atrás
..
images e409cdf563 update 3 anos atrás
README.md 33d0bd4365 add english 2 anos atrás
README_RU.md 33d0bd4365 add english 2 anos atrás
cloud-init_lin.tpl.yaml 9200a3ca60 drop duplicate string 54 3 anos atrás
main.tf 3ed857fd1f update 3 anos atrás
provider.tf 3ed857fd1f update 3 anos atrás
script.sh b900890a98 clean-up and editing 3 anos atrás
variables.tf b900890a98 clean-up and editing 3 anos atrás

README.md

VM disk encryption in the cloud using YC KMS

Description

Operating diagram

Diagram

Description of the solution operation

  • Pass data to the cloud-init script when deploying a VM instance.
  • Install the software: AWS CLI, cryptsetup-bin, curl.
  • The SSH key created by Terraform is transmitted.
  • A Bash script with the create argument is executed on the VM: a high entropy encryption key is created using the KMS generateDataKey method and then written to a disk in both a free-text and encrypted format.
  • The second VM disk is encrypted and mounted based on the encryption key.
  • The encrypted key is copied to Yandex Object Storage and deleted from the file system.
  • A script with the "open" argument is added to the OS startup options to automatically mount the encrypted disk at reboot.
  • At the time of mounting, the encryption key is downloaded from S3, decrypted, and then deleted from the file system when mounting is complete.

All operations with KMS and Object Storage are performed using a service account token linked to the VM at its creation.

Description of script arguments:

  • create: Creating a high entropy key using the KMS generateDataKey method.
  • open: Mounting an encrypted disk to a decrypted object.
  • close: Unmounting an encrypted device.
  • erase: Deleting the source device.

Prerequisites (configured using the Terraform script example):

  • Install and configure YC CLI.
  • Create a service account.
  • Create a KMS key.
  • Assign rights for the KMS key to the created service account (kms.keys.encrypterDecrypter).
  • Create an Object Storage Bucket.
  • Assign rights to the Object Storage Bucket to the created service account (storage.uploader, storage.viewer + BucketPolicy).
  • Assign a service account to the VM.
  • Install AWS CLI: apt install awscli
  • Install cryptsetup: apt install cryptsetup-bin

Launching the solution

  • Download the files.
  • Fill out the variables.tf file.
  • Execute Terraform commands:
terraform init
terraform apply

Deployment results

  • Check the status of mounted objects:
lsblk

Status

  • Check the disk encryption status:
cryptsetup status encrypted1

Status

  • Check the disk on another VM. To do this, create a snapshot of the disk:

Snapshot

  • Create a VM with a disk based on a snapshot: Creating a VM

  • Try mounting a disk:

sudo mount /dev/vdb /mnt

Test result