Hello,
I can only report from my experiences with XS 6.0.2, but there are all
necessary crypto modules available and crypto is working:
# cat /proc/crypto |grep name
name : sha256
name : sha224
name : cbc(aes)
name : cbc(aes)
name : aes
name : aes
name : stdrng
name : crc32c
name : md5
I've created an encrypted LVM container (in "xenserver" words: storage
repository) in a physical volume on dom0. I mount this LVM container
with luks on startup,
XenServer attaches this LVM container and it shows up in XenCenter as
additional, normal Local Storage where I can put domU's in.
Best regards
Thimo
On 28.06.2013 21:39, Grant McWilliams wrote:
We have a project where all data on DomU's will be sensitive. There
will be multiple DomU's spawned depending on needs. It would seem the
best way to ensure all sensitive data i.e. DomU disks are encrypted
we've been trying to use LUKS/Truecrypt on the Control Domain disks.
The XCP hosts are mobile and if one was to go missing we'd like to
know that the data isn't going to be available. We were thinking of a
hardware key or a keystore.
The problem is that the XCP/Xenserver 6.2 kernel doesn't seem to have
enough crypto support for encrypting the disks.
------
Luks refuses to encrypt.. I've tried multiple ciphers listed in
/proc/crypto to no avail.
Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and
verify that /dev/sda2 contains at least 133 sectors.
------
Truecrypt encrypts (as long as I use ITS encryption and not the
kernel) but I get a device-mapper ioctl error when trying to mount it.
echo 4 | truecrypt -t -c --volume-type=normal -m=nokernelcrypto
--encryption=AES --hash=SHA-512 -p "" --keyfiles="/root/secure.key"
--random-source=/dev/urandom --quick /dev/sda2
Done: 100.000% Speed: 5.5 GB/s Left: 0 s
Error: device-mapper: reload ioctl failed: Invalid argument
Command failed
Has anyone encrypted any local directories on Xenserver/XCP
successfully? Or do you have other suggestions.
Grant McWilliams
http://grantmcwilliams.com/
_______________________________________________
Xen-api mailing list
Xen-api@lists.xen.org
http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
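
Added example, not part of the original thread: a shell function that splits a dm-crypt cipher spec such as the aes-cbc-essiv:sha256 named in the LUKS error above into the algorithm names it needs and reports those absent from a /proc/crypto listing. The function name missing_algs and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the "name : alg" form shown by
# `cat /proc/crypto | grep name` (not captured from a real host).
SAMPLE_PROC_CRYPTO='name : sha256
name : sha224
name : cbc(aes)
name : aes
name : stdrng
name : crc32c
name : md5'

# missing_algs SPEC [FILE]
#   SPEC is cipher-mode-iv[:ivopt], e.g. aes-cbc-essiv:sha256.
#   FILE defaults to /proc/crypto; "-" reads the listing from stdin.
#   Prints one line per required algorithm that the listing lacks.
missing_algs() {
    spec=$1
    file=${2:-/proc/crypto}
    cipher=${spec%%-*}          # aes
    rest=${spec#*-}             # cbc-essiv:sha256
    mode=${rest%%-*}            # cbc
    iv=${rest#*-}               # essiv:sha256
    # The block cipher and its chaining-mode instance are always needed.
    need="$cipher $mode($cipher)"
    # ESSIV additionally hashes the key, so the named hash must exist.
    case $iv in
        essiv:*) need="$need ${iv#essiv:}" ;;
    esac
    # Third field of every "name : alg" line is the algorithm name.
    names=$(awk '$1 == "name" { print $3 }' "$file")
    for alg in $need; do
        printf '%s\n' "$names" | grep -qxF -- "$alg" || printf '%s\n' "$alg"
    done
}

# Demo on the constructed sample: the first spec is fully covered,
# the second lacks its mode instance. On a host, omit the "-" argument.
printf '%s\n' "$SAMPLE_PROC_CRYPTO" | missing_algs aes-cbc-essiv:sha256 -
printf '%s\n' "$SAMPLE_PROC_CRYPTO" | missing_algs aes-xts-plain64 -
```

A mode instance such as cbc(aes) is listed only once it has been instantiated, so a miss on that entry calls for loading the module and retrying rather than concluding it is unsupported. `dmsetup targets` shows separately whether the crypt target itself is available.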