Differences between revisions 12 and 17 (spanning 5 versions)

GlusterFS Encryption

Keys

Make an encryption key on each of the servers

On gluster01

mkdir /etc/ssl/glusterfs
cd /etc/ssl/glusterfs
openssl genrsa -out gluster01.key 2048
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem

Certificates Sign a certificate using the key

openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem

# create the server keys
openssl genrsa -out gluster01.key 2048
openssl genrsa -out gluster02.key 2048
openssl genrsa -out gluster03.key 2048
openssl genrsa -out gluster04.key 2048
# sign the server certificates
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
openssl req -new -x509 -key gluster02.key -subj "/CN=gluster02" -out gluster02.pem
openssl req -new -x509 -key gluster03.key -subj "/CN=gluster03" -out gluster03.pem
openssl req -new -x509 -key gluster04.key -subj "/CN=gluster04" -out gluster04.pem
# create the client keys
openssl genrsa -out glusterclient01.key 2048
# sign the client certificates
openssl req -new -x509 -key glusterclient01.key -subj "/CN=glusterclient01" -out glusterclient01.pem
# server certificates authorities
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca
# client certificates authorities
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca

None: GlusterFS Encryption (last edited 2021-03-26 21:25:57 by Kristian Kallenberg)

-  ⇤ ← Revision 12 as of 2017-12-24 17:24:10 → 
  Size: 2304
  Editor: Kristian Kallenberg
  Comment:
+   ← Revision 17 as of 2017-12-24 17:31:08 → ⇥
  Size: 1452
  Editor: Kristian Kallenberg
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 4:
-Keep your keys safe. I personally generate my keys on a special server which is only powered up when I need to make a new key or sign a certificate. Otherwise that system is always powered down. This way I can be sure that my keys are safe.
+Make an encryption key on each of the servers
 Line 6:
-On each of the Glusterfs servers and clients run.
+On gluster01
 Line 10:
-openssl genrsa -out glusterfs.key 2048
+openssl genrsa -out gluster01.key 2048
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
-Line 13:
+Line 14:
-== Certificates ==
Now sign certificates using those keys. Replace the `CN` so it matches the host you are siging the certificate for.
+Certificates 
Sign a certificate using the key
-Line 16:
+Line 17:
-openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem
+openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
-Line 19:
+Line 20:
-== Compile ==

Compile all the certificates into one large file
-Line 23:
+Line 21:
-scp gluster01:/etc/ssl/glusterfs/gluster.pem gluster01.pem
scp gluster02:/etc/ssl/glusterfs/gluster.pem gluster02.pem
scp gluster03:/etc/ssl/glusterfs/gluster.pem gluster03.pem
scp gluster04:/etc/ssl/glusterfs/gluster.pem gluster04.pem
scp glusterclient01:/etc/ssl/glusterfs/gluster.pem glusterclient01.pem
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs.ca
}}}

{{{#!highlight bash
#!/bin/sh
if [ ! -e /etc/ssl/glusterfs ]
then
        mkdir -p /etc/ssl/glusterfs
fi
cd /etc/ssl/glusterfs
-Line 53:
+Line 36:
-cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem www01.pem www02.pem > glusterfs.ca
+cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca