Skip to content

bienkma/luks-vault

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
agent
agent
 
 
config
config
 
 
module
module
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

luks-vault

Getting started

Luks-vault is a simple project to integrate LUKS with Vault hashicorp. It will handle rotation passPhrase key of LUKS and write to the secret vault. We are going to use key slots 0 and 1 to swap a new key and an old key. It can provide a solution to data at rest encryption with low cost by using LUKS and Vault open source.

Prepare

  • A Vault server
  • Agent install to node which are using LUKS to encrypt device
  • Support Unix OS only
  • A server with LUKS device had a slot key 0 or 1 (see config a LUKS device here)

How to build

 docker run --rm \
            -v `pwd`:/go/src/github.com/bienkma/luks-vault \
            -w /go/src/github.com/bienkma/luks-vault \
            golang:1.18 sh -c \
            'GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -mod=mod -a -installsuffix cgo -o luks-vault main.go'

Installation

  • Install agent
cp luks-vault /usr/local/bin/luks-vault
chmod 755 /usr/local/bin/luks-vault
mkdir -p /var/log/luks-vault
mkdir -p /etc/luks-vault
touch /etc/luks-vault/config.yaml
  • Make config file for agent
vault_address: "http://10.110.32.85:8200"
vault_token: "change_me"
vault_mount_path: "luks/10.110.96.70"
vault_secret_path: "dev/sda"
vault_module_luks: true
device_path: "/dev/sda" # LUKS device
folder_pass_phrase_path: "/etc/data-at-rest"
pid_file_name: "/run/luks-vault.pid"
log_file_name: "/var/log/luks-vault/agent.log"
  • Make /lib/systemd/system/luks-vault.service file
[Unit]
Description=LUKS Vault agent
After=network.target auditd.service
Wants=network.target

[Service]
Type=forking
User=root
Group=root
ExecStart=/usr/local/bin/luks-vault
ExecStop=/bin/kill -3 $MAINPID
PIDFile=/run/luks-vault.pid
ExecStartPost=/bin/sleep 1
WorkingDirectory=/usr/local/bin
RestartSec=15
KillMode=none
PrivateTmp=false
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
Alias=luks-vault.service
  • Make sure systemd has ready load file above
systemctl daemon-reload
systemctl status luks-vault

create secret in vault with field

{
  "created": "2023-06-06T11:46:37.079847+07:00",
  "key": "current_passphrase_on_luks",
  "slot": "1",
  "ttl": "30m"
}
  • Note: ttl valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. slot value have to map with currently luks which you changed by your hand via the command /usr/sbin/cryptsetup -v -q luksAddKey /dev/data/data01 -d /path/to/init-key -S 1

write key to folder to change new key

mkdir -p /etc/data-at-rest
echo "current_passphrase_on_luks" > /etc/data-at-rest/key
chmod 600 /etc/data-at-rest/key

fstab can mount device when server reboot

vi /etc/crypttab
# <target name>	<source device>		<key file>	<options>
data01 /dev/mapper/data-data01 /etc/data-at-rest/key luks

Test and Deploy

systemctl start luks-vault
tail -f /var/log/luks-vault/agent.log
systemctl status luks-vault
systemctl stop luks-vault

License

Apache-2.0 license

About

LUKS Vault

Topics

vault dare hashicorp-vault luks data-at-rest-encryption

Resources

Readme

License

Apache-2.0 license
Activity

Stars

8 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 1

v0.0.1 Latest
Jun 13, 2023

Packages

No packages published

Languages