Automatically mount an encrypted drive on Bare Metal Cloud. This collection uses the phoenixNAP Encryption Management Platform (EMP) as a key storage system and PyKMIP to transfer certificates for maximum token security.
- Bare Metal Cloud account
- EMP account
- Python 3 (versions 3.6 and higher)
- Python PyKMIP package
- Cryptsetup (provides luksFormat):
sudo apt install cryptsetup-bin
- Go to the Bare Metal Cloud signup page.
- Follow the prompts to set up your account.
- Use your credentials to log in to the Bare Metal Cloud portal.
- Go to the EMP signup page.
- Follow the prompts to set up your account.
- Use your credentials to log in to the EMP portal.
Provision and secure tokens using the phoenixNAP EMP platform.
- Create Group.
- Add New App to the group.
- Copy the UUID of the App.
- SSH into the BMC server, providing the identity file. For example:
ssh -i .ssh/id_rsa <user>@<server IP>
- In the terminal, generate a private key:
openssl genrsa -out <key name>.key
- Generate the certificate using the key. Set the Common Name as the App UUID:
openssl req -new -x509 -key <key name>.key -out <certificate name>.cert -days <number of days>
- Change the App authentication method to Certificate and upload the generated certificate to the App.
- Update and upgrade the system:
sudo apt update && sudo apt upgrade
- Install pip for Python 3 with the following command:
sudo apt install python3-pip
- Upgrade pip:
pip3 install --upgrade pip
- Install the PyKMIP module by running:
sudo -H pip3 install pykmip
Use the pykmip.conf file as the configuration template for PyKMIP and add the paths to the security objects. Run the generate_key.py script to create a security object in EMP. Copy the UUID of the security object and add it to the key.py script so that the key is fetched automatically.
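The two scripts named above, as one added example that is not phoenixNAP's own code: it assumes a pykmip.conf in the working directory holding the EMP host and the certificate/key paths, and it hex-encodes the key so that the passphrase piped into cryptsetup never contains a newline (which cryptsetup would treat as the end of the passphrase).

```python
"""Added example, not phoenixNAP's own key.py/generate_key.py: create or
fetch a symmetric key in EMP over KMIP and emit it as a LUKS passphrase."""
import sys
from binascii import hexlify

# Assumed path of the PyKMIP client config (EMP host/port, certfile, keyfile).
CONFIG_FILE = "pykmip.conf"


def key_to_passphrase(key_bytes: bytes) -> str:
    """Hex-encode the raw key. cryptsetup reads a stdin passphrase only up to
    the first newline, so raw key bytes containing 0x0a would be silently
    truncated; hex is newline-free and identical for luksFormat and luksOpen."""
    return hexlify(key_bytes).decode("ascii")


def create_key(config_file: str = CONFIG_FILE, bits: int = 256) -> str:
    """Create an AES key in EMP (the generate_key.py step); returns its UUID."""
    # Imported inside the function so key_to_passphrase/main stay usable
    # (and testable) on hosts without PyKMIP installed.
    from kmip.core import enums
    from kmip.pie.client import ProxyKmipClient
    with ProxyKmipClient(config_file=config_file) as client:
        return client.create(enums.CryptographicAlgorithm.AES, bits)


def fetch_key(uid: str, config_file: str = CONFIG_FILE) -> bytes:
    """Retrieve the key material of security object `uid` (the key.py step)."""
    from kmip.pie.client import ProxyKmipClient
    with ProxyKmipClient(config_file=config_file) as client:
        return client.get(uid).value


def main(argv: list) -> int:
    """`key.py --create` prints a new UUID; `key.py <uuid>` prints the passphrase."""
    if len(argv) != 2:
        print("usage: key.py --create | key.py <security-object-uuid>", file=sys.stderr)
        return 2
    if argv[1] == "--create":
        print(create_key())
        return 0
    key = fetch_key(argv[1])
    if not key:  # never hand cryptsetup an empty passphrase
        print("empty key returned from EMP", file=sys.stderr)
        return 1
    sys.stdout.write(key_to_passphrase(key))  # no trailing newline
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the service script, run the `python3 key.py | cryptsetup ...` pipeline with `set -o pipefail` so a failed fetch from EMP is reported as such rather than surfacing only as a cryptsetup passphrase error.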
- Create the file container (a 2 GB sparse file) that will hold the encrypted file system, using the dd command:
dd of=secretfs bs=1G count=0 seek=2
- Change the container permission to 600 using the chmod command:
sudo chmod 600 secretfs
- Attach the file container to a loop device with the losetup command:
sudo losetup /dev/loop101 secretfs
- Using the key.py script, format the loop device using cryptsetup and luksFormat:
python3 key.py | sudo cryptsetup -y luksFormat /dev/loop101
This command encrypts the device using LUKS encryption with the key stored in EMP.
- Open the encrypted file container on the loop device using the key:
python3 key.py | sudo cryptsetup luksOpen /dev/loop101 secretfs
- Format the disk using the mkfs command:
sudo mkfs.ext4 /dev/mapper/secretfs
- Make a mount point for the file system:
sudo mkdir /mnt/encrypted
- Mount the disk:
sudo mount /dev/mapper/secretfs /mnt/encrypted
- Check that the device is mounted:
df | grep secretfs
Create a service in /etc/init.d with the contents of the automount file. Make the service executable, update the service information and reboot. The service starts automatically on reboot. Check its status with:
systemctl status automount
If the key is compromised, revoke the security object in EMP; the device then no longer unlocks and mounts automatically on the next restart. If the connection to EMP fails, the service retries the connection.
For a comprehensive tutorial, visit our KB: BMC Drive Encryption Using EMP
Become part of the Bare Metal Cloud community to get updates on new features, help us improve the platform, and engage with developers and other users.
- Follow @phoenixNAP on Twitter
- Join the official Slack channel
- Sign up for our Developers Monthly newsletter
Get in touch with us if you have questions or need help with Bare Metal Cloud.