We have a project where all data on DomUs will be sensitive. There will be multiple DomUs spawned depending on needs. It would seem the best way to ensure all sensitive data, i.e. DomU disks, are encrypted; we've been trying to use LUKS/Truecrypt on the Control Domain disks. The XCP hosts are mobile and if one were to go missing we'd like to know that the data isn't going to be available. We were thinking of a hardware key or a keystore.

The problem is that the XCP/XenServer 6.2 kernel doesn't seem to have enough crypto support for encrypting the disks.
------
LUKS refuses to encrypt. I've tried multiple ciphers listed in /proc/crypto to no avail.

    Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/sda2 contains at least 133 sectors.
------
Truecrypt encrypts (as long as I use ITS encryption and not the kernel) but I get a device-mapper ioctl error when trying to mount it.

    echo 4 | truecrypt -t -c --volume-type=normal -m=nokernelcrypto --encryption=AES --hash=SHA-512 -p "" --keyfiles="/root/secure.key" --random-source=/dev/urandom --quick /dev/sda2

    Done: 100.000% Speed: 5.5 GB/s Left: 0 s
    Error: device-mapper: reload ioctl failed: Invalid argument
    Command failed
Has anyone encrypted any local directories on XenServer/XCP successfully? Or do you have other suggestions?

Grant McWilliams
http://grantmcwilliams.com/
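
Added example, not part of the original post: a shell check for the message quoted above, which asks to verify kernel support for the aes-cbc-essiv:sha256 cipher spec. It reports which primitives named in a spec (the cipher and the ESSIV hash) are not registered in a /proc/crypto-format listing; the function names and the sample listing are constructed for illustration. Primitives built as modules appear only once loaded, and templates such as cbc are listed only after they are instantiated, so only the primitives are checked.

```shell
#!/bin/sh
# Added example: which primitives in a dm-crypt cipher spec are not registered?

# registered_algs FILE: print the "name" field of each /proc/crypto entry.
registered_algs() {
    awk -F'[ \t]*:[ \t]*' '$1 == "name" { print $2 }' "$1" | sort -u
}

# spec_primitives SPEC: print the cipher and, for ESSIV, the IV hash.
spec_primitives() {
    spec=$1
    echo "${spec%%-*}"                      # "aes" in aes-cbc-essiv:sha256
    case $spec in
        *-essiv:*) echo "${spec##*:}" ;;    # "sha256" in aes-cbc-essiv:sha256
    esac
}

# missing_algs SPEC FILE: print primitives absent from FILE; return 1 if any.
missing_algs() {
    missing=$(spec_primitives "$1" | while read -r alg; do
        registered_algs "$2" | grep -qxF -e "$alg" || echo "$alg"
    done)
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# Constructed listing in /proc/crypto format (hashes only, no aes entry).
sample_listing() {
    cat <<'EOF'
name         : sha256
driver       : sha256-generic
module       : kernel
type         : shash

name         : md5
driver       : md5-generic
module       : kernel
type         : shash
EOF
}

tmp=$(mktemp) && sample_listing > "$tmp"
echo "not registered: $(missing_algs aes-cbc-essiv:sha256 "$tmp")"
rm -f "$tmp"
```

On a host, point it at the live listing with `missing_algs aes-cbc-essiv:sha256 /proc/crypto`.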