Disk Encryption of Data on FortiSIEM Hardware Supervisor | FortiSIEM 6.6.0 | Fortinet Documentation Library

Disk Encryption of Data on FortiSIEM Supervisor

The steps here show how to encrypt the /cmdb, /svn, and /data disks on a FortiSIEM Hardware 3500F supervisor node with local disk for EventDB (/data). If you are using NFS or Elastic storage, you must perform additional steps for the actual data directories on those servers, in addition to the supervisor disks (/cmdb, /svn).

Note 1: We do not recommend encrypting the root disk, as it presents an operational challenge during boot up: someone has to provide a passphrase. The root disk contains binaries and some internal system and application logs, not data.

Note 2: Disk encryption key management is an operational challenge. If you want strong security, then you must protect the encryption keys with a passphrase, and that requires a human to type it and mount the "opened" disks at every boot. The less secure alternative is to use keys that are not protected by a passphrase and are stored in a file on the root partition; anyone who can read that file can open the disks, so the protection is then only as strong as the access controls on the root partition.

Note 3: The cryptsetup command is not included in FortiSIEM. Check whether the package is already installed before you begin; Step 1c shows how to install it.

It is best to perform these steps on a fresh installation, prior to initializing the product with configFSM.sh. This avoids the need for additional disks. If you have to perform them on an existing installation of FortiSIEM, then you must have additional disks of the same capacity to encrypt, and copy the data to them.

Here is a quick overview of the steps. For each mounted disk (/cmdb, /svn, /querydata), complete the following:

1. Wipe the existing filesystem and partition table from the disk.
2. Set up a LUKS formatted disk, which prompts you for a passphrase that protects the encryption key in Slot 0.
3. Generate a new encryption key for Slot 1 and save it in a file under /etc.
4. Add the key from that file as a second LUKS key, in Slot 1.
5. Open the encrypted disk by providing the passphrase; this gives you a /dev/mapper/XYZ device for the remaining operations.
6. Create an xfs filesystem on the opened disk, /dev/mapper/XYZ.
7. Create an entry in /etc/crypttab so that the encrypted disk is opened at boot using the Slot 1 key file you saved above.
8. Create an /etc/fstab entry to mount the opened disk on its named path (/cmdb, /svn, or /querydata, as the case may be).

Run configFSM.sh as usual and complete the system install. Configure local storage with the 'hardware' keyword, which will mount /data. Back up the files from /data to another disk (they will be small).

Step 1a: Unmount /cmdb, /svn, /querydata Filesystems

Use the umount command to unmount the CMDB, SVN, and Querydata filesystems, for example:

umount /cmdb

Step 1b: Wipe the CMDB, SVN, Querydata Disks of Previous Filesystem and Partition Information

Use the wipefs command to clear the existing filesystem and partition information from each disk, for example:

wipefs --all /dev/mapper/FSIEM3500F-phx_cmdb
wipefs --all /dev/mapper/FSIEM3500F-phx_svn
wipefs --all /dev/mapper/FSIEM3500F-phx_querydata

Step 1c: Set up LUKS Format Disk Encryption for /cmdb Disk

First, you will need to install the cryptsetup utility using yum install -y cryptsetup.

When you run the cryptsetup luksFormat command, you must provide a passphrase that protects the encryption key for the disk. This key is stored in Slot 0.

~]# cryptsetup luksFormat /dev/mapper/FSIEM3500F-phx_cmdb

This will overwrite data on /dev/mapper/FSIEM3500F-phx_cmdb irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/mapper/FSIEM3500F-phx_cmdb:

There are a total of 32 keyslots (with the LUKS2 format; LUKS1 has 8) for additional keys, which can be used to give multiple admins the ability to unlock the disks, or for periodic rotation of keys. The cryptsetup luksDump command dumps information about the different slots, so you can confirm which slots are in use before and after adding or removing a key.

Step 1d: Generate a New Key for /cmdb Disk

Generate a new encryption key for Slot 1 and save it in a file under /etc, for example:

dd if=/dev/random of=/etc/enccmdbkey bs=512 count=1

Restrict the key file so that only root can read it; anyone who can read the file can open the disk (see Note 2).

Step 1e: Add a New Key to LUKS Disk for /cmdb

Use the cryptsetup command with the luksAddKey option to add the key from the file to the CMDB disk, for example:

~]# cryptsetup luksAddKey /dev/mapper/FSIEM3500F-phx_cmdb /etc/enccmdbkey

You are prompted for the existing Slot 0 passphrase before the new key is written to the next free slot, Slot 1.
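The whole per-disk procedure (Steps 1a to 1e, followed by the open, mkfs, /etc/crypttab and /etc/fstab steps from the overview) as one script, plus a key rotation that uses the spare keyslots mentioned above. This is an added example, not code from the Fortinet page or from FortiSIEM. Its assumptions are this example's choices: the opened device is named /dev/mapper/<mountpoint>_crypt (the page calls it /dev/mapper/XYZ), the LUKS2 format is selected explicitly, the key file lives under /etc with mode 0400, and the crypttab and fstab lines use the standard four- and six-field formats. The device and key-file paths in the usage lines are the ones the page uses.

```shell
#!/bin/sh
# Added example, not from the Fortinet page or FortiSIEM: the per-disk LUKS
# procedure the page walks through, plus a key-file rotation using the spare
# keyslots. Assumptions (this example's choices): opened device is
# /dev/mapper/<mountpoint>_crypt, LUKS2 is used, key file is root-only under /etc.
# Set DRY_RUN=1 to print the commands instead of executing them; the real
# commands need root and a real block device.
set -eu

run() {                                  # execute, or print when DRY_RUN=1
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

append_line() {                          # $1=file $2=line (same DRY_RUN rule)
  if [ "${DRY_RUN:-0}" = "1" ]; then printf 'echo "%s" >> %s\n' "$2" "$1"
  else printf '%s\n' "$2" >> "$1"; fi
}

mapper_name() {                          # /cmdb -> cmdb_crypt
  printf '%s_crypt\n' "$(printf '%s' "$1" | tr -d '/')"
}

crypttab_entry() {                       # $1=name $2=LUKS device $3=keyfile
  printf '%s %s %s luks\n' "$1" "$2" "$3"     # <name> <device> <keyfile> <options>
}

fstab_entry() {                          # $1=name $2=mountpoint
  printf '/dev/mapper/%s %s xfs defaults 0 0\n' "$1" "$2"
}

# Number of populated keyslots in `cryptsetup luksDump` output read from stdin
# (LUKS2 prints "  N: luks2" under Keyslots:, LUKS1 prints "Key Slot N: ENABLED").
count_enabled_slots() {
  grep -cE '^Key Slot [0-9]+: ENABLED|^ +[0-9]+: luks2' || true
}

slots_used() {                           # $1=LUKS device -> keyslots in use
  cryptsetup luksDump "$1" | count_enabled_slots
}

new_keyfile() {                          # $1=path; 512 random bytes, root-only
  run touch "$1"
  run chmod 0400 "$1"                    # set the mode before any key bytes land
  run dd if=/dev/urandom of="$1" bs=512 count=1
}

# Steps 1a-1e of the page, then open, mkfs, crypttab and fstab, for one disk.
encrypt_disk() {                         # $1=LUKS device $2=mountpoint $3=keyfile
  dev=$1; mnt=$2; keyfile=$3; name=$(mapper_name "$mnt")
  run umount "$mnt"
  run wipefs --all "$dev"
  run cryptsetup luksFormat --type luks2 "$dev"            # passphrase -> slot 0
  new_keyfile "$keyfile"
  run cryptsetup luksAddKey --key-slot 1 "$dev" "$keyfile" # asks slot-0 passphrase
  run cryptsetup open --key-file "$keyfile" "$dev" "$name"
  run mkfs.xfs "/dev/mapper/$name"
  append_line /etc/crypttab "$(crypttab_entry "$name" "$dev" "$keyfile")"
  append_line /etc/fstab "$(fstab_entry "$name" "$mnt")"
  run mount "$mnt"
}

# Periodic rotation: put a fresh key in a free slot, prove it opens the header,
# then retire the old slot. The old key stays valid until luksKillSlot runs.
rotate_keyfile() {                       # $1=LUKS device $2=keyfile $3=old slot $4=new slot
  dev=$1; keyfile=$2; old=$3; new=$4
  new_keyfile "$keyfile.new"
  run cryptsetup luksAddKey --key-file "$keyfile" --key-slot "$new" "$dev" "$keyfile.new"
  run cryptsetup open --test-passphrase --key-file "$keyfile.new" "$dev"
  run cryptsetup luksKillSlot --key-file "$keyfile.new" "$dev" "$old"
  run mv "$keyfile.new" "$keyfile"       # crypttab keeps pointing at $keyfile
}

# usage: DRY_RUN=1 sh luks_disk.sh encrypt /dev/mapper/FSIEM3500F-phx_cmdb /cmdb /etc/enccmdbkey
#        DRY_RUN=1 sh luks_disk.sh rotate  /dev/mapper/FSIEM3500F-phx_cmdb /etc/enccmdbkey 1 2
case "${1:-}" in
  encrypt) encrypt_disk "$2" "$3" "$4" ;;
  rotate)  rotate_keyfile "$2" "$3" "$4" "$5" ;;
esac
```

Run it with DRY_RUN=1 first to review the exact command sequence; only the real run needs root. luksAddKey is told which slot to fill with --key-slot so that the crypttab entry and any later luksKillSlot refer to a known slot, and the rotation proves the new key opens the header (open --test-passphrase) before the old slot is removed, so a truncated or mis-copied key file cannot leave the disk with no working key file.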