[Systems] Disk array issues on cloud9.fsf.org affecting sunjammer

Ruben ruben at fsf.org
Sat May 23 00:07:50 EDT 2020



On 5/22/20 11:21 AM, Bernie Innocenti wrote:
>> * The storage is self-encrypted using Luks. This should work
>> transparently to you, and the only requirement is to keep cryptsetup and
>> dmsetup installed. You can ask me to expand on this if you are curious.
> 
> I'm curious: how does the system read /boot/keyscript.sh before / is 
> mounted?
> 
> My guess: it's copied into initrd, which is somehow available to kvm 
> outside the VM.

It is in the initrd. The initrd is not directly available on the
outside, instead there is a grub payload that has the key, mounts the
volume, and chainloads the kernel/initrd. The grub payload is stored in
a local luks volume in the host (this one needs manual unlocking when we
reboot the hosts). A bit unusual I guess :)

> And so this calls for another question: are the keys inaccessible to 
> someone who steals the entire drive?

Yes, the keys are only stored inside the encrypted volumes, and on a
luks volume in the hosts (and on a sysadmin password database that is
gpg encrypted). It has the second benefit in that the data is encrypted
before being sent to network storage (ceph) so if you either attach to
our switches or steal the ceph disks you will get nothing.
