Encrypt PostgreSQL data directory #166
No reviewers
Labels
No Label
service
accounts
service
discourse
service
drone-ci
service
email
service
garage
service
gitea
service
ipfs
service
mastodon
service
postgres
service
remotestorage
service
wiki
service
xmpp
bug
design
dev environment
docs
duplicate
enhancement
feature
good first issue
idea
invalid
kredits-1
kredits-2
kredits-3
on hold
ops
question
release
major
release
minor
release
patch
security
ui/ux
wontfix
No Milestone
No project
2 Participants
Notifications
Due Date
No due date set.
Blocks
#175 Replace andromeda.kosmos.org
kosmos/chef
Reference: kosmos/chef#166
Loading…
Reference in New Issue
No description provided.
Delete Branch "feature/pg_encfs"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
encfs always runs a configuration assistant when creating a new volume, so this needs to be done manually:
systemctl stop postgresql@12-main
mv /var/lib/postgresql /var/lib/postgresql.old
encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public
Pick p (paranoia mode) and enter the password from the data bag twice
mv /var/lib/postgresql/* /var/lib/postgresql/
systemctl start postgresql@12-main
This is running on centaurus and is mounted automatically on boot by a system unit
Refs #129
Mostly LGTM. But what good is encypting a volume, when you leave the encryption password lying around on the hard drive?
(This is meant to make it impossible to rip the drive out of our machine and get to the user data.)
Another option is to not start the PostgreSQL service on boot and run a script on boot where you input the encrypted volume password and then it starts PostgreSQL
Yes, and that should be only once for all volumes ideally (or only have one data volume to begin with). I.e. we also want encryption for any other user data ideally, like Gitea repos, XMPP uploads, remoteStorage files, and so on.
I took another look at this issue, I'm starting to think a full disk encryption setup would make more sense instead of encFS directories, something similar to https://github.com/TheReal1604/disk-encryption-hetzner/blob/master/ubuntu/ubuntu_swraid_lvm_luks.md
Encrypt the Postgresql data dir on the replica (centaurus)to WIP: Encrypt the Postgresql data dir on the replica (centaurus)I have pushed a proof of concept that creates a
/var/lib/local/encrypted_data
encfs dir and mounts it to/mnt/data
. This is done using a Systemd unit that prompts for the encryption password, and then starts the Postgresql unit. See the last commitEdit: I have also found a way to automate the encfs dir creation
I think using a service unit for encfs may not be the right approach for this. It is not a running service, like e.g. postgres, but only mounts a directory once.
Here's a nice overview of the different types of units available:
https://www.computernetworkingnotes.com/linux-tutorials/systemd-units-explained-with-types-and-states.html
I think it would be interesting to try path-based activation of units. This would basically map 1:1 to the human understanding of "start the postgres service as soon as path /mnt/data/postgres" becomes available.
BTW, I just noticed that encfs and gitea are the only two cookbooks using an underscore as space (
kosmos_encfs
), while all the others use a hyphen (e.g.kosmos-postgresql
).I just tried this branch by adding the recipes for a postgres master and encfs to the Vagrant config's runlist. However, Chef runs fail, claiming there's no
postgres
user:I cannot find this user being created in a site-cookbook either.
... adding a postgres system user to the default recipe fixes the problem. However, when trying to unlock encfs, it does not accept the password from the data bag:
I think this code is probably too prone to errors:
Edit: also, a reboot makes the Postgres service fail, instead of wait:
I'm going to try to use the path as trigger instead and actually make it wait until the path exists.
I keep running into issues with the code here. There's actually no cluster created with the correct datadir, but all the files are created in the default directory. So starting the process later fails with it complaining that the datadir is not a valid cluster directory. However, trying
pg_createcluster
then correctly fails, stating that the cluster config already exists.All solved! I have everything running correctly now, with the cluster created in the encrypted data dir, and the services started by path units.
@greg I'm not experienced with writing Chef resources, but I think a resource in the encfs cookbook would make most sense, so that you simply describe that you want to wait for the encrypted dir to start a certain systemd service in the recipe of the respective service.
That is, for Postgres e.g., we'd only do something along the lines of:
I have added a template for this to the encfs site cookbook, which looks like this:
... I had to fork the postgresql cookbook in order to add the possibility to correctly use custom data dirs on Debian-based systems:
9389178e11
I have added the site cookbook as a git submodule. So when you pull the branch, just do a
git submodule update --init
.I have pushed everything. See new commits.
WIP: Encrypt the Postgresql data dir on the replica (centaurus)to WIP: Encrypt PostgreSQL data directory@ -44,0 +46,4 @@
# This service is a dependency that will auto-start our cluster service on
# boot if it's enabled, so we disable it explicitly
service "postgresql" do
action :disable
postgresql
is a dummy service, it only runs/bin/true
. The service to disable is the content of thepostgresql_service
variable (postgresql@12-main
), so this can be moved aboveWIP: Encrypt PostgreSQL data directoryto Encrypt PostgreSQL data directory