Lvm – Encrypted storage for clustered MySQL

clusterencryptionlvm

I have a requirement to provide a highly available MySQL database with encryption-at-rest on a 2.6.32 linux kernel. The 'highly available' part isn't that hard, but the 'with encryption-at-rest' is proving to be a challenge when used in combination with HA.

The key problem comes with mounting the encrypted storage. On all of our other encrypted-at-rest systems there is a command that needs to be run by a human, who is then prompted for the encryption key. This model has a fairly obvious flaw when it comes to a cluster arrangement where services will have to start automatically.

I am currently at a loss over how to provide encryption-at-rest in an HA environment and not also store key passphrases on the same system.

I can see two possible scenarios, either of which will work with my environment but I'm not sure of the details to make them work. Or even if it is possible.

Scenario 1: CLVM & Cluster

A volume is shared between my cluster members.
This volume is set up roughly:
- cryptsetup stuff on the physical device
- LVM stuff on the new crypt-device
Cluster Services are set to not join the cluster automatically, relying on a manual intervention.
Cluster Services are started via command run by a human, which supplies the decryption key, which in turn activates the CLVM stuff.

This way running nodes have access to the CLVM volume so they can start services when told to by the cluster manager. Reboots of nodes will still require a human, and the crypt passphrase is never kept on disk anywhere.

Scenario 2: DRBD & Cluster

A volume is created on each cluster member
cryptsetup stuff is run on the physical device
drbd is configured on top of the crypted device, to replicate it between each node
LVM or a filesystem is placed on top of the drbd volume
Cluster Services are set to not join the cluster automatically, relying on a manual intervention.
Cluster services are started by a human who provides the decryption key, which in turn makes the LVM (or filesystem) visible-but-not-mounted.

As with the CLVM setup, nodes don't join the cluster until they have visibility into the presumably-shared storage.

The thing is, I'm not sure if either of the above work that way. Both assume it's possible to layer an LVM PV on top of an encrypted volume (e.g. pvcreate /dev/mapper/cryptmysql). This may not be possible.

Best Answer

The main challenge seems to be the human intervention for key entry. There is some help to that: dm-crypt has support for the TPM which might be available with your platform. See this IBM blueprint for configuration details. Also LUKS/cryptsetup supports reading a slot key from file / from stdin. If you can store your key safely somewhere (like on a smartcard), this might be a viable option.

As for your question whether you can have an LVM PV on a dm-crypt volume: you can, you just would need a run of pvscan / vgchange -a -y after slot unlocking. We've run this kind of setup with much older Kernels a couple of years ago. In the end, we've abandoned it in favor of the use of SEDs for applications with data-at-rest encryption requirements due to performance reasons (dm-crypt used to employ a single thread per encrypted device at that time, which led to a CPU bottleneck in our setup).

Related Solutions

Ubuntu – Software RAID, LVM, and Encryption Setup Questions

/boot needs to not be encrypted otherwise the boot loader (unless I'm behind the times and one of them supports encrypted volumes) will not be able to ready the Kernel and initrd. It does not need to be encrypted as it should never contain anything other than the kernel, the initrd, and perhaps a few other support files.

The the device that is your LVM PV is encrypted, then /boot will need to be elsewhere: probably a separate RAID volume. If the device used as the PV is not encrypted (instead you encrypted the LV that is to be /) then /boot could be in the LVM except for the GRUB-can't-boot-off-all-RAID-types issue (see below).

Historically /boot had to be near the start of the disk, but modern boot loaders generally remove this requirement. A few hundred Mb should be perfectly sufficient, but with such large drives being standard these days there will be no harm in making it bigger just in case unless you are constrained by trying to fit into a very small device (say, a small SD card in a Pi or similar) as might be the case for an embedded system.

Most boot loaders do not support booting off RAID or if they do they only support booting off RAID1 (where every drive has a copy all the data) "by accident", so create the small partition on all the drives and use a RAID1 array over them. This way /boot is readable as long as at least one drive is in a working state. Make sure the boot loaded installs into the MBR of all four drives on install, otherwise if you BIOS boots off another (due to the first being offline for instance) you will have to mess around getting the loader's MBR onto the other drive(s) at that point rather than it already being there.

Update: As per Nick's comment below, modern boot loaders can deal directly with some forms of encrypted volumes so depending on your target setup there are now less things to worry about.

Linux – Why is mkfs overwriting the LUKS encryption header on LVM on RAID partitions on Ubuntu 12.04

If the device is really named /dev/web2/var, then this implies to me that you are using LVM and the encrypted volume is the var logical volume inside the web2 volume group. That means there is already a device named /dev/mapper/web2-var as well and cryptsetup is probably not overwriting it when you tell it to unlock the volume. Thus, you're formatting the original volume, not the decrypted volume.

I'm not sure why you're not getting an error from cryptsetup though. You may want to file a bug on it. Or at least check if it's automatically renaming the unlocked device to /dev/mapper/web2-var2 or the like.

In the meantime, give the decrypted volume a new name. Try

cryptsetup luksOpen /dev/dm-1 web2-var_crypt