Introduction
BMC drive encryption using phoenixNAP EMP (Encryption Management Platform) provides the necessary data security for your Bare Metal Cloud drive. The EMP platform serves as a key management server, ensuring encryption information is not stored on the drive.
Drive unlocking happens upon every reboot. In case of a compromise, you revoke permissions through the EMP platform, and the drive stays safe.
This three-part tutorial explains how to set up BMC drive encryption with an automated Python script using EMP.
Part 1: Pre-setup
The pre-setup includes all the steps required to register for an EMP account and generate client certificates.
1. Get EMP Account
If you already have an EMP account, skip this step. Otherwise, create an EMP account:
1. Go to https://emp.phoenixnap.com/.
2. Click SIGN UP to register an account.
3. Input your registration information and choose a strong password of at least 14 characters.
Click SIGN UP to proceed.
4. Choose the desired account name and click Submit Request to create a new account.
5. Wait for the administrator's consent through email. When the account receives approval, log in and proceed to the next step.
2. Create Group
After the account is approved, create a group, and add an EMP application.
1. Navigate to the Groups tab on the left.
2. Click the plus icon to add a new group:
4. Set a group title and Save.
5. The dashboard displays the newly created group page. Click the New App button to add a new application.
6. Name the app, scroll to the bottom and click Save.
7. A confirmation message for the app creation appears. Copy and save the app UUID for the next step.
3. Generate Private Key and Certificate
Perform all the following steps on the Bare Metal Cloud server machine. SSH into the BMC server with:
ssh -i <path to id_rsa> ubuntu@<public IP>
The <path to id_rsa>
is the path to your identity file. Normally, the file path is /.ssh/id_rsa.
Use the openssl command to generate the private key and certificate pair through the terminal.
1. To generate the private key, run:
openssl genrsa -out <key name>.key
2. Use the private key to generate the certificate:
openssl req -new -x509 -key <key name>.key -out <certificate name>.cert -days <number of days>
Fill out the requested information. For the Common Name, put the UUID of the EMP application.
4. Upload Certificate
Upload the generated certificate to the EMP app.
1. Navigate to the Apps tab on the left and locate the application.
2. Change the authentication method to Certificate Based:
3. Upload the generated certificate and update the changes:
4. Lastly, edit the app interface and change it to KMIP by clicking the text next to the app name:
Note: Learn everything you need to know about key management and encpryption key management best practices .
Part 2: Disk Encryption
The following steps take place on the server machine.
1. Install PyKMIP
Install the PyKMIP library using the pip package manager.
1. Update and upgrade the system:
sudo apt update && sudo apt upgrade
2. Install pip for Python 3 with the following command:
sudo apt install python3-pip
3. Upgrade pip:
pip3 install --upgrade pip
4. Install the PyKMIP module by running:
sudo -H pip3 install pykmip
The library helps create, activate, and fetch the key for encrypting the device.
2. Create and Fetch Key
The Python script helps generate and activate a security object connected to the EMP app. The key encrypts the drive.
1. Create a pykmip.conf file with the following information:
[client]
host=emp.phoenixnap.com
port=5696
ssl_version=PROTOCOL_TLSv1_2
certfile=<path to the generated certificate>/<certificate name>
keyfile=<path to the generated key>/<key name>
ca_certs=<path to the signed certificate>/<certificate name>
do_handshake_on_connect=True
suppress_ragged_eofs=True
The configuration file links to three security objects:
- keyfile. The generated private key.
- certfile. The certificate created using the private key.
- ca_certs. A certificate signed by the Certificate Authority.
The script uses the pykmip.conf configuration file to establish a secure and verified connection with the EMP application.
2. Create a custom Python script using a Python editor and give the script a name. Add the following code:
# Import libraries
from kmip.pie import client
from kmip import enums
# Establish connection
c = client.ProxyKmipClient(config_file="<path to conf file>")
# Create key
with c:
key_id = c.create(
enums.CryptographicAlgorithm.AES,
256,
name='Test Key',
cryptographic_usage_mask=[
enums.CryptographicUsageMask.ENCRYPT,
enums.CryptographicUsageMask.DECRYPT
]
)
# Activate key
c.activate(key_id)
# Get key
key = c.get(key_id)
print(key)
The script establishes a connection based on the contents of the pykmip.conf file. Make sure to change the path to the location of your configuration file.
When the client creates a connection, the script generates a key called Test Key. The parameters describe the key object, as well as the intended usage.
3. Run the script to generate the key object:
python3 <script name>.py
The output of the script shows the key. The code generated the security object in the EMP application successfully.
4. Open the security object by navigating to the Security Objects tab on the left. Open the key object and copy the UUID:
5. Using the UUID of the key, create a Python script named key.py to fetch the key. Insert the following code, adding the UUID of the security object in line 4:
from kmip.pie import client
c = client.ProxyKmipClient(config_file="<path to pykmip.conf file>")
with c:
key = c.get('<uuid of security object>')
print(key)
3. Encrypt the Device Using LUKS and CryptSetup
This part creates a file container and encrypts it using LUKS encryption with the key fetched from the EMP platform.
Note: The cryptsetup
tool is required to complete this step of the setup process. In case you do not have cryptsetup
installed, run sudo apt install cryptsetup-bin
to install the package.
1. Create an encrypted file container using the dd command:
dd of=secretfs bs=1G count=0 seek=2
2. Change the container permission to 600 using the chmod command:
sudo chmod 600 secretfs
3. Attach the file container to a loop device with the losetup
command:
sudo losetup /dev/loop101 secretfs
4. Using the key.py script, format the loop device using cryptsetup
and luksFormat
:
python3 key.py | sudo cryptsetup -y luksFormat /dev/loop101
This command encrypts the device using LUKS encryption with the key stored in EMP.
5. Open the encrypted file container on the loop device using the key:
python3 key.py | sudo cryptsetup luksOpen /dev/loop101 secretfs
The device now opens using the key stored in EMP.
4. Create File System on the Device
Build the file system on the encrypted device container, map the encrypted file system, and mount the device.
1. Format the disk using the mkfs
command:
sudo mkfs.ext4 /dev/mapper/secretfs
2. Make a mount point for the file system:
sudo mkdir /mnt/encrypted
3. Mount the disk:
sudo mount /dev/mapper/secretfs /mnt/encrypted
4. Check that the device mounted:
df | grep secretfs
5. Reboot:
sudo reboot
Part 3: Make On-Boot Script
After rebooting, the disk automatically unmounts. The steps below explain how to manually mount the device after a restart. The same steps unlock and mount the disk in the automated on-boot script.
1. Manual Unlock and Mount
The following commands open and mount the disk:
1. Attach the loop device to a file container:
sudo losetup /dev/loop101 secretfs
2. Open the device using the key:
python3 key.py | sudo cryptsetup luksOpen /dev/loop101 secretfs
3. Mount the device:
sudo mount /dev/mapper/secretfs /mnt/encrypted
4. Check that the device mounted using the df
command:
df | grep secretfs
2. Automated Unlock and Mount
The last step is to automate the previous commands to run on-boot. The key is grabbed from the EMP platform automatically, which helps unlock and mount the disk on every reboot. This step also ensures that the key is not stored anywhere on the machine.
1. Create a service in the /etc/init.d folder. Name the file without any extensions. For example, if you use the vim editor and name the service automount, run:
sudo vim /etc/init.d/automount
2. Add the following lines of code:
#!/usr/bin/env python3
### BEGIN INIT INFO
# Provides: <service name>
# Required-Start: $ALL
# Should-Start:
# Required-Stop:
# Should-Stop:
# Default-Start: 2 3 5
# Default-Stop:
# Description: Automated LUKS Unlock
### END INIT INFO
from kmip.pie import client
import subprocess
import os
from requests import get, ConnectionError, Timeout
# Change directory to the location of secretfs
os.chdir('<path to secretfs>')
# First part: Establish a client connection and fetch key
try:
request = get("https://emp.phoenixnap.com", timeout=60)
except(ConnectionError, Timeout):
print("Connection error, retrying...")
c = client.ProxyKmipClient(config_file="./pykmip.conf")
with c:
SECRET = str(c.get('<uuid security object>'))
print("Success! Unlocking and mounting the device.")
# Second part: Automating the commands to attach, unlock and mount the device
LUKS_DEVICE = "/dev/loop101"
LUKS_DEVICE_MAP = "secretfs"
LUKS_DEVICE_MOUNT_POINT = "/mnt/encrypted"
MAPPER = '/dev/mapper/' + LUKS_DEVICE_MAP
subprocess.run(['sudo', 'losetup', LUKS_DEVICE, LUKS_DEVICE_MAP])
ps = subprocess.Popen(('echo', SECRET), stdout=subprocess.PIPE)
subprocess.check_output(('sudo', 'cryptsetup', 'luksOpen', LUKS_DEVICE, LUKS_DEVICE_MAP), stdin=ps.stdout)
subprocess.run(['sudo', 'mount' ,MAPPER ,LUKS_DEVICE_MOUNT_POINT])
The script has two parts:
- The first part are the same lines of code as in the key.py script, which grabs the key from the EMP platform using the UUID of the security object.
- The second part of the script follows the steps from the manual unlock and mount, opening and mounting the encrypted drive.
3. Change the permission to 755 using chmod
to make the service executable:
sudo chmod 755 <service name>
4. Update the service information on the system:
sudo update-rc.d <service name> defaults
The setup of the automated service for unlocking and mounting the device concludes with this step.
5. Reboot the system:
sudo reboot
6. Using the df
command, check to see the device automatically mounted after restart:
df | grep secretfs
In case of a compromise, remove the security object from your EMP account. The next restart of the device cannot fetch the key, and the disk stays locked and secure.
Note: Learn how to provision and secure tokens and secrets in phoenixNAP EMP.
Conclusion
This tutorial demonstrated how to employ the EMP platform as a key management server. Using the Python library PyKMIP, fetching the key from the platform and automating unlocking the device ensures no sensitive information is on the device itself.