
Re: [Xen-API] Xenserver/XCP encrypted disk


  • To: xen-api@xxxxxxxxxxxxx
  • From: George Shuklin <george.shuklin@xxxxxxxxx>
  • Date: Sat, 29 Jun 2013 23:40:35 +0400
  • Delivery-date: Sat, 29 Jun 2013 19:40:55 +0000
  • List-id: User and development list for XCP and XAPI <xen-api.lists.xen.org>

Do you want to protect dom0 data or domU? If domU, there are two solutions without putting too much burden on dom0.

1) Encrypt data in domU. dom0 stores and serves already encrypted data without special effort.
2) Put all data on a single VM, which stores encrypted data and provides an unencrypted SR to dom0 (via NFS or LVMoISCSI).

28.06.2013 23:39, Grant McWilliams wrote:
We have a project where all data on DomUs will be sensitive. There will be multiple DomUs spawned depending on needs. It would seem the best way to ensure all sensitive data, i.e. DomU disks, are encrypted; we've been trying to use LUKS/Truecrypt on the Control Domain disks. The XCP hosts are mobile and if one was to go missing we'd like to know that the data isn't going to be available. We were thinking of a hardware key or a keystore.

The problem is that the XCP/Xenserver 6.2 kernel doesn't seem to have enough crypto support for encrypting the disks. 

------
LUKS refuses to encrypt. I've tried multiple ciphers listed in /proc/crypto to no avail.
Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/sda2 contains at least 133 sectors.

------
Truecrypt encrypts (as long as I use ITS encryption and not the kernel) but I get a device-mapper ioctl error when trying to mount it.

echo 4 | truecrypt -t -c --volume-type=normal -m=nokernelcrypto --encryption=AES --hash=SHA-512 -p "" --keyfiles="/root/secure.key" --random-source=/dev/urandom --quick /dev/sda2

Done: 100.000%  Speed:  5.5 GB/s  Left: 0 s 

Error: device-mapper: reload ioctl failed: Invalid argument
Command failed


Has anyone encrypted any local directories on Xenserver/XCP successfully? Or do you have other suggestions?

Grant McWilliams
http://grantmcwilliams.com/


_______________________________________________
Xen-api mailing list
Xen-api@xxxxxxxxxxxxx
http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
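
Added example (not part of the original thread): the LUKS error quoted above asks to check the kernel for the aes-cbc-essiv:sha256 cipher spec, so these shell functions split a dm-crypt cipher spec and list which of its primitives are not registered in /proc/crypto. The function names and the sample listing are constructed for illustration; a name reported here only means it is not registered at the moment, since crypto modules and template instances such as cbc(aes) can be loaded on first use.

```shell
#!/bin/sh
# Added example: report which primitives of a dm-crypt cipher spec are not
# registered in a /proc/crypto-format listing.

# Print the "name" field of every algorithm entry in the given file.
crypto_names() {
    awk -F' *: *' '$1 == "name" { print $2 }' "$1" | sort -u
}

# Split "cipher-chainmode-ivmode[:ivopts]" and print each needed name that is
# absent: the block cipher, the cipher in its chain mode, and (essiv only) the
# IV hash. Returns 1 if anything is missing. Absent means "not registered
# now"; follow up with modprobe before concluding the kernel lacks it.
missing_for_spec() {
    spec=$1 file=${2:-/proc/crypto}
    cipher=${spec%%-*}
    rest=${spec#*-}
    mode=${rest%%-*}
    iv=${rest#*-}
    need="$cipher $mode($cipher)"
    case $iv in
        essiv:*) need="$need ${iv#essiv:}" ;;
    esac
    names=$(crypto_names "$file")
    rc=0
    for n in $need; do
        printf '%s\n' "$names" | grep -qxF -- "$n" || { echo "$n"; rc=1; }
    done
    return $rc
}

# Constructed, trimmed sample listing (not taken from the XCP host in the thread).
sample_proc_crypto() {
cat <<'EOF'
name         : cbc(aes)
type         : blkcipher

name         : aes
type         : cipher

name         : sha1
type         : shash
EOF
}

tmp=$(mktemp)
sample_proc_crypto > "$tmp"
missing_for_spec aes-cbc-essiv:sha256 "$tmp" || true
rm -f "$tmp"
```

On a real host, call `missing_for_spec aes-cbc-essiv:sha256` with no file argument to read /proc/crypto directly.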
