How to Set Up BMC Drive Encryption Using EMP

Introduction

BMC drive encryption using phoenixNAP EMP (Encryption Management Platform) provides the necessary data security for your Bare Metal Cloud drive. The EMP platform serves as a key management server, ensuring encryption information is not stored on the drive.

Drive unlocking happens upon every reboot. In case of a compromise, you revoke permissions through the EMP platform, and the drive stays safe.

This three-part tutorial explains how to set up BMC drive encryption with an automated Python script using EMP.

BMC Drive Encryption Using EMP

Part 1: Pre-setup

The pre-setup includes all the steps required to register for an EMP account and generate client certificates.

1. Get EMP Account

If you already have an EMP account, skip this step. Otherwise, create an EMP account:

1. Go to https://emp.phoenixnap.com/.

2. Click SIGN UP to register an account.

Sign Up Page

3. Input your registration information and choose a strong password of at least 14 characters.

Sign Up Form

Click SIGN UP to proceed.

4. Choose the desired account name and click Submit Request to create a new account.

Request for new account

5. Wait for the administrator's consent through email. When the account receives approval, log in and proceed to the next step.

2. Create Group

After the account is approved, create a group, and add an EMP application.

1. Navigate to the Groups tab on the left.

2. Click the plus icon to add a new group:

Add New Group

4. Set a group title and Save.

New Group Information

5. The dashboard displays the newly created group page. Click the New App button to add a new application.

Add New App

6. Name the app, scroll to the bottom and click Save.

New App Information

7. A confirmation message for the app creation appears. Copy and save the app UUID for the next step.

New App Created with UUID

3. Generate Private Key and Certificate

Perform all the following steps on the Bare Metal Cloud server machine. SSH into the BMC server with:

ssh -i <path to id_rsa> ubuntu@<public IP>

The <path to id_rsa> is the path to your identity file. Normally, the file path is /.ssh/id_rsa.

Use the openssl command to generate the private key and certificate pair through the terminal.

1. To generate the private key, run:

openssl genrsa -out <key name>.key
Create Private Key with OpenSSL

2. Use the private key to generate the certificate:

openssl req -new -x509 -key <key name>.key -out <certificate name>.cert -days <number of days>
Create Certificate with Private Key

Fill out the requested information. For the Common Name, put the UUID of the EMP application.

4. Upload Certificate

Upload the generated certificate to the EMP app.

1. Navigate to the Apps tab on the left and locate the application.

2. Change the authentication method to Certificate Based:

Change Authentication Method

3. Upload the generated certificate and update the changes:

Upload Certificate

4. Lastly, edit the app interface and change it to KMIP by clicking the text next to the app name:

App Interface Change

Note: Learn everything you need to know about key management and encpryption key management best practices .

Part 2: Disk Encryption

The following steps take place on the server machine.

1. Install PyKMIP

Install the PyKMIP library using the pip package manager.

1. Update and upgrade the system:

sudo apt update && sudo apt upgrade

2. Install pip for Python 3 with the following command:

sudo apt install python3-pip

3. Upgrade pip:

pip3 install --upgrade pip

4. Install the PyKMIP module by running:

sudo -H pip3 install pykmip

The library helps create, activate, and fetch the key for encrypting the device.

2. Create and Fetch Key

The Python script helps generate and activate a security object connected to the EMP app. The key encrypts the drive.

1. Create a pykmip.conf file with the following information:

[client]
host=emp.phoenixnap.com
port=5696
ssl_version=PROTOCOL_TLSv1_2
certfile=<path to the generated certificate>/<certificate name>
keyfile=<path to the generated key>/<key name>
ca_certs=<path to the signed certificate>/<certificate name>
do_handshake_on_connect=True
suppress_ragged_eofs=True

The configuration file links to three security objects:

  • keyfile. The generated private key.
  • certfile. The certificate created using the private key.
  • ca_certs. A certificate signed by the Certificate Authority.

The script uses the pykmip.conf configuration file to establish a secure and verified connection with the EMP application.

2. Create a custom Python script using a Python editor and give the script a name. Add the following code:

# Import libraries
from kmip.pie import client
from kmip import enums
# Establish connection
c = client.ProxyKmipClient(config_file="<path to conf file>")
# Create key
with c:
    key_id = c.create(
        enums.CryptographicAlgorithm.AES,
        256,
        name='Test Key',
        cryptographic_usage_mask=[
            enums.CryptographicUsageMask.ENCRYPT,
            enums.CryptographicUsageMask.DECRYPT
        ]
    )
# Activate key
    c.activate(key_id)
# Get key
    key = c.get(key_id)
    print(key)

The script establishes a connection based on the contents of the pykmip.conf file. Make sure to change the path to the location of your configuration file.

When the client creates a connection, the script generates a key called Test Key. The parameters describe the key object, as well as the intended usage.

3. Run the script to generate the key object:

python3 <script name>.py

The output of the script shows the key. The code generated the security object in the EMP application successfully.

4. Open the security object by navigating to the Security Objects tab on the left. Open the key object and copy the UUID:

Test Key Security Object UUID

5. Using the UUID of the key, create a Python script named key.py to fetch the key. Insert the following code, adding the UUID of the security object in line 4:

from kmip.pie import client
c = client.ProxyKmipClient(config_file="<path to pykmip.conf file>")
with c:
    key = c.get('<uuid of security object>')
    print(key)

3. Encrypt the Device Using LUKS and CryptSetup

This part creates a file container and encrypts it using LUKS encryption with the key fetched from the EMP platform.

Note: The cryptsetup tool is required to complete this step of the setup process. In case you do not have cryptsetup installed, run sudo apt install cryptsetup-bin to install the package.

1. Create an encrypted file container using the dd command:

dd of=secretfs bs=1G count=0 seek=2

2. Change the container permission to 600 using the chmod command:

sudo chmod 600 secretfs

3. Attach the file container to a loop device with the losetup command:

sudo losetup /dev/loop101 secretfs

4. Using the key.py script, format the loop device using cryptsetup and luksFormat:

python3 key.py | sudo cryptsetup -y luksFormat /dev/loop101

This command encrypts the device using LUKS encryption with the key stored in EMP.

5. Open the encrypted file container on the loop device using the key:

python3 key.py | sudo cryptsetup luksOpen /dev/loop101 secretfs

The device now opens using the key stored in EMP.

4. Create File System on the Device

Build the file system on the encrypted device container, map the encrypted file system, and mount the device.

1. Format the disk using the mkfs command:

sudo mkfs.ext4 /dev/mapper/secretfs

2. Make a mount point for the file system:

sudo mkdir /mnt/encrypted

3. Mount the disk:

sudo mount /dev/mapper/secretfs /mnt/encrypted

4. Check that the device mounted:

df | grep secretfs

5. Reboot:

sudo reboot

Part 3: Make On-Boot Script

After rebooting, the disk automatically unmounts. The steps below explain how to manually mount the device after a restart. The same steps unlock and mount the disk in the automated on-boot script.

1. Manual Unlock and Mount

The following commands open and mount the disk:

1. Attach the loop device to a file container:

sudo losetup /dev/loop101 secretfs

2. Open the device using the key:

python3 key.py | sudo cryptsetup luksOpen /dev/loop101 secretfs

3. Mount the device:

sudo mount /dev/mapper/secretfs /mnt/encrypted

4. Check that the device mounted using the df command:

df | grep secretfs

2. Automated Unlock and Mount

The last step is to automate the previous commands to run on-boot. The key is grabbed from the EMP platform automatically, which helps unlock and mount the disk on every reboot. This step also ensures that the key is not stored anywhere on the machine.

1. Create a service in the /etc/init.d folder. Name the file without any extensions. For example, if you use the vim editor and name the service automount, run:

sudo vim /etc/init.d/automount

2. Add the following lines of code:

#!/usr/bin/env python3
### BEGIN INIT INFO
# Provides:        <service name>
# Required-Start: $ALL
# Should-Start: 
# Required-Stop:
# Should-Stop:
# Default-Start:  2 3 5
# Default-Stop:
# Description:    Automated LUKS Unlock
### END INIT INFO
from kmip.pie import client
import subprocess
import os
from requests import get, ConnectionError, Timeout

# Change directory to the location of secretfs
os.chdir('<path to secretfs>')

# First part: Establish a client connection and fetch key
try:
    request = get("https://emp.phoenixnap.com", timeout=60)
except(ConnectionError, Timeout):
    print("Connection error, retrying...")
c = client.ProxyKmipClient(config_file="./pykmip.conf")
with c:
    SECRET = str(c.get('<uuid security object>'))
    print("Success! Unlocking and mounting the device.")

# Second part: Automating the commands to attach, unlock and mount the device
LUKS_DEVICE = "/dev/loop101"
LUKS_DEVICE_MAP = "secretfs"
LUKS_DEVICE_MOUNT_POINT = "/mnt/encrypted"
MAPPER = '/dev/mapper/' + LUKS_DEVICE_MAP
subprocess.run(['sudo', 'losetup', LUKS_DEVICE, LUKS_DEVICE_MAP])
ps = subprocess.Popen(('echo', SECRET), stdout=subprocess.PIPE)
subprocess.check_output(('sudo', 'cryptsetup', 'luksOpen', LUKS_DEVICE, LUKS_DEVICE_MAP), stdin=ps.stdout)
subprocess.run(['sudo', 'mount' ,MAPPER ,LUKS_DEVICE_MOUNT_POINT])

The script has two parts:

  • The first part are the same lines of code as in the key.py script, which grabs the key from the EMP platform using the UUID of the security object.
  • The second part of the script follows the steps from the manual unlock and mount, opening and mounting the encrypted drive.

3. Change the permission to 755 using chmod to make the service executable:

sudo chmod 755 <service name>

4. Update the service information on the system:

sudo update-rc.d <service name> defaults

The setup of the automated service for unlocking and mounting the device concludes with this step.

5. Reboot the system:

sudo reboot

6. Using the df command, check to see the device automatically mounted after restart:

df | grep secretfs

In case of a compromise, remove the security object from your EMP account. The next restart of the device cannot fetch the key, and the disk stays locked and secure.

Conclusion

This tutorial demonstrated how to employ the EMP platform as a key management server. Using the Python library PyKMIP, fetching the key from the platform and automating unlocking the device ensures no sensitive information is on the device itself.

Was this article helpful?
YesNo
Milica Dancuk
Milica Dancuk is a technical writer at phoenixNAP with a passion for programming. With a background in Electrical Engineering and Computing, coupled with her teaching experience, she excels at simplifying complex technical concepts in her writing.
Next you should read
phoenixNAP EMP Account Provisioning and Overview
May 6, 2021

Get acquainted with phoenxNAP's EMP and learn how to create, manage, and maintain accounts and users.
Read more
Bare Metal Cloud Portal Quick Start Guide
March 23, 2021

Follow the sections in this Bare Metal Cloud Portal guide to learn how to navigate through the portal. This guide contains everything you need to get started using BMC servers.
Read more
How to Deploy a Bare Metal Cloud Server
March 23, 2021

This article shows how to deploy a new Bare Metal Cloud server in nine simple steps. Follow the instructions to create a server and view server details successfully.
Read more
How to Set Up Bare Metal Cloud Remote Access VPN
December 17, 2020

Set up remote access via VPN from your desktop/mobile device to a bare metal cloud server. Additionally, learn how to connect two BMC servers through VPN, as well as a BMC server and on-premise equipment.
Read more