go>> ansible-partial-disk-encryption-role>> 返回
项目作者: RiotKit

项目描述 :
Ansible: TCPlay secured storage
高级语言: Shell
项目地址: git://github.com/RiotKit/ansible-partial-disk-encryption-role.git


Secure Storage

Encrypts the data with a TrueCrypt AES 256 hidden volume, and exposes a HTTP endpoint for having a possibility
to enter the passphrase when the server will go down.

Protect your server against hosting providers. Even if they would mount your storage it will be encrypted.
Its much more difficult to get into your data when its encrypted, but REMEMBER, it’s not impossible!

  1. ansible-galaxy install blackandred.server_secure_storage

Mounting and unmounting from shell

To mount/unmount a volume from shell there are prepared easy to use scripts.

  1. # please replace "storage" with the name you placed in "enc_mount_name" variable (see configuration reference)
  3. # mounting
  4. /usr/local/bin/tcmount-storage.sh 'your-secret-here'
  6. # unmounting
  7. /usr/local/bin/tcunmount-storage.sh

Mounting by a HTTP call

You can mount the storage using an HTTP call, so also you can easily automate the process using some healthchecks.

  1. curl -v http://your-host:8015/deploy/volume_mount?enc_token=YOUR-PASSWORD-THERE&token=YOUR-DEPLOYER-TOKEN-HERE

Legend:

  • enc_token: Its a volume password or secret password (depends on which volume you want to mount)
  • token: Thin-Deployer token, configurable in deployer_token (see: configuration reference)

Notes:

  • IT IS HIGHLY RECOMMENDED TO HIDE DEPLOYER SERVICE BEHIND A SSL GATEWAY

Configuration reference

  1.     roles:
  2.       - role: blackandred.server_secure_storage
  3.         tags: decrypt
  4.         vars:
  5.             enc_file: /.do-not-delete                  # path, where all of the data will be stored
  6.             enc_file_size: 10000M                      # examples: 256M, 20G, 500G
  7.             enc_mount_name: storage                    # mount name, should be a-z, lower case, without special letters
  8.             enc_file_filesystem: ext4                  # any filesystem supported by mkfs (and supported by the operating system)
  9.             enc_filesystem_create_if_not_exists: true
  11.             # passwords, change them, NOTE: You can keep them secure in an Ansible Vault
  12.             # by default the hidden volume is mounted during deployment time
  13.             # but normally you can choose over the HTTP endpoint or via SHELL which volume you want to mount
  14.             # by choosing one of defined passwords just
  15.             enc_passphrase: "test123"
  16.             enc_hidden_volume_passphrase: "hidden123"
  17.             enc_hidden_volume_size: "9950M"
  19.             # tcplay settings
  20.             hashing_algorithm: whirlpool
  21.             encryption_algorithm: AES-256-XTS
  23.             # Mounting webhook
  24.             # ================
  25.             #  Allows to expose a HTTP endpoint, so you could
  26.             #  invoke that endpoint to put the passphrase to mount the volume
  27.             #  eg. after server crash. So the password will not be stored on the server
  28.             #  and how you will secure it is your concern.
  29.             #
  30.             deployer_token: ""                   # set a token to enable
  31.             slack_or_mattermost_webhook_url: ""  # put a slack/mattermost webhook URL to enable notifications
  32.             systemd_service_name: "volume-deployer"
  33.             deployer_listen: "0.0.0.0"
  34.             deployer_listen_port: "8015"

Hooks PRE/POST

Before encryption (detaching the volume) you can execute your code to eg. shutdown services,
and after decryption you can bring them up back.

Example:

  1.     hook_pre_mount: ""
  3.     hook_post_mount: >
  4.       set -x;
  6.       mkdir -p /mnt/storage/project /mnt/storage/docker /project /var/lib/docker;
  7.       mount -o bind /mnt/storage/project /project || exit 1;
  8.       mount -o bind /mnt/storage/docker /var/lib/docker || exit 1;
  9.       mount --bind /var/lib/docker/plugins /var/lib/docker/plugins || true;
  10.       mount --make-private /var/lib/docker/plugins || true;
  12.       if [[ -f /etc/systemd/system/project.service ]]; then
  13.           sudo systemctl restart docker;
  14.           sleep 5;
  15.           sudo systemctl restart project;
  16.       fi;
  18.     hook_pre_unmount: >
  19.       if [[ -f /etc/systemd/system/project.service ]]; then
  20.           sudo systemctl disable docker;
  21.           sudo systemctl disable project;
  23.           sudo systemctl stop project;
  24.           sudo systemctl stop docker;
  25.       fi;
  27.       umount /var/lib/docker/plugins || true;
  28.       umount /project || true;
  29.       umount /var/lib/docker || true;
  31.     hook_post_unmount: ""