Encrypt user data at rest #129

New Issue

Closed

opened 2020-02-06 21:40:07 +00:00 by raucao · 3 comments

raucao commented 2020-02-06 21:40:07 +00:00

Owner

Copy Link

First thing that comes to mind is the ejabberd database, which contains lots of metadata, even if the contents of personal communications are encrypted.

Sovereign uses EncFS for this, and I think that's actually a pretty good idea. Also supposedly faster with HDDs (which we use on Andromeda for example).

https://github.com/vgough/encfs

First thing that comes to mind is the ejabberd database, which contains lots of metadata, even if the contents of personal communications are encrypted. Sovereign uses EncFS for this, and I think that's actually a pretty good idea. Also supposedly faster with HDDs (which we use on Andromeda for example). https://github.com/vgough/encfs

greg commented 2020-02-07 10:31:22 +00:00

Owner

Copy Link

Good idea. We might want to compare it with eCryptfs and other solutions

Good idea. We might want to compare it with [eCryptfs](https://help.ubuntu.com/lts/serverguide/ecryptfs.html) and other solutions

raucao commented 2020-02-07 15:23:47 +00:00

Author

Owner

Copy Link

Regarding ecryptfs, that's what I meant with faster on HDDs, but didn't explain in detail:

https://github.com/vgough/encfs#fast-on-classical-hdds

Regarding ecryptfs, that's what I meant with faster on HDDs, but didn't explain in detail: https://github.com/vgough/encfs#fast-on-classical-hdds

greg referenced this issue from a commit 2020-05-15 16:43:46 +00:00

Encrypt the Postgresql data dir on the replica (centaurus) encfs always runs a configuration assistant when creating a new volume, so this needs to be done manually: systemctl stop postgresql@12-main mv /var/lib/postgresql /var/lib/postgresql.old encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public Pick p (paranoia mode) and enter the password from the data bag twice mv /var/lib/postgresql/* /var/lib/postgresql/ systemctl start postgresql@12-main This is running on centaurus and is mounted automatically on boot by a system unit Refs #129

greg referenced this issue 2020-05-15 16:48:45 +00:00

Encrypt PostgreSQL data directory #166

raucao added a new dependency 2020-06-04 10:50:40 +00:00

#175 Replace andromeda.kosmos.org

raucao commented 2020-08-02 18:09:45 +00:00

Author

Owner

Copy Link

Closing this issue now. We have implemented a cookbook for this, which is already being used on the new servers. And every service we migrate to one of the new machines (which will be all of them soon) will use encrypted directories for all user data.

Closing this issue now. We have implemented a cookbook for this, which is already being used on the new servers. And every service we migrate to one of the new machines (which will be all of them soon) will use encrypted directories for all user data.

raucao closed this issue 2020-08-02 18:09:46 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

feature/letsencrypt_proxy_validation

jammy_jellyfish

chore/replace_postgres_primary

chore/akkounts_configs

feature/libretranslate

feature/deploy_new_kredits_software

feature/jitsi-meet

chore/395-gitea_cron

chore/move_zerotier_controller

chore/upgrade_sockethub

chore/move_gitea_and_drone

feature/turn_ip_config

feature/103-chef_15

feature/chef_15

dev

Labels

Clear labels   

service

accounts

Kosmos Accounts

  

service

discourse

Kosmos Community Forums

  

service

drone-ci

Kosmos Drone CI

  

service

email

mail.kosmos.org

  

service

garage

S3-compatible object storage

  

service

gitea

Kosmos Gitea

  

service

ipfs

Kosmos IPFS

  

service

mastodon

kosmos.social

  

service

postgres

Database cluster

  

service

remotestorage

Portable data storage for the Web

  

service

wiki

Kosmos Wiki

  

service

xmpp

Kosmos Chat

  

bug

Something is not working

  

design

Graphic/visual design

  

dev environment

Config, builds, CI, deployment, etc.

  

docs

Documentation

  

duplicate

This issue or pull request already exists

  

enhancement

Improving existing functionality

  

feature

New functionality

  

good first issue

Dive in, and start contributing

  

idea

Something to consider

  

invalid

Not a bug

  

kredits-1

Small contribution

  

kredits-2

Medium contribution

  

kredits-3

Large contribution

  

on hold

Currently not actionable

  

ops

Manual IT ops activities

  

question

Looking for an answer

  

release

major

  

release

minor

  

release

patch

  

security

All your base are belong to us

  

ui/ux

User interface, process design, etc.

  

wontfix

This won't be fixed

No Label

service

accounts

service

discourse

service

drone-ci

service

email

service

garage

service

gitea

service

ipfs

service

mastodon

service

postgres

service

remotestorage

service

wiki

service

xmpp

bug

design

dev environment

docs

duplicate

enhancement

feature

good first issue

idea

invalid

kredits-1

kredits-2

kredits-3

on hold

ops

question

release

major

release

minor

release

patch

security

ui/ux

wontfix

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Blocks

#175 Replace andromeda.kosmos.org

kosmos/chef

Reference: kosmos/chef#129

No description provided.