Differences between revisions 16 and 31 (spanning 15 versions)

GlusterFS Server Encryption

The default GlusterFS setup does not encrypt its communication. Use the method below enable encryption.

Keys and Certificates

Make an encryption key and make sure to set the CN to match the name of the host. Repeat this on the client and on each of the servers.

cd /etc/ssl
openssl genrsa -out glusterfs.key 2048
openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem

Certificate Authorities

Server

Compile all the certificates in one place and concatenate them into one file glusterfs.ca

cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca

Client

and glusterfs-client.ca.

Copy glusterfs.ca to /etc/ssl/glusterfs.ca on all servers. Copy glusterfs-client.ca to /etc/ssl/glusterfs.ca on the client.

Activate Encryption

touch /var/lib/glusterd/secure-access

None: GlusterFS Encryption (last edited 2021-03-26 21:25:57 by Kristian Kallenberg)

-  ⇤ ← Revision 16 as of 2017-12-24 17:29:30 → 
  Size: 1552
  Editor: Kristian Kallenberg
  Comment:
+   ← Revision 31 as of 2017-12-24 20:02:54 → ⇥
  Size: 1048
  Editor: Kristian Kallenberg
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 1:
-= GlusterFS Encryption =
+= GlusterFS Server Encryption =
The default GlusterFS setup does not encrypt its communication. Use the method below enable encryption.
-Line 3:
+Line 4:
-== Keys ==
On each of the gluster servers and on the client manKeep your keys safe. I personally generate my keys on a special server which is only powered up when I need to make a new key or sign a certificate. Otherwise that system is always powered down. This way I can be sure that my keys are safe.
+== Keys and Certificates ==
Make an encryption key and make sure to set the `CN` to match the name of the host. Repeat this on the client and on each of the servers.
{{{
cd /etc/ssl
openssl genrsa -out glusterfs.key 2048
openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem
}}}
-Line 6:
+Line 12:
-On gluster01
+== Certificate Authorities ==

=== Server ===
Compile all the certificates in one place and concatenate them into one file `glusterfs.ca`
-Line 8:
+Line 17:
-mkdir /etc/ssl/glusterfs
cd /etc/ssl/glusterfs
openssl genrsa -out gluster01.key 2048
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
}}}
{{{
# create the server keys
openssl genrsa -out gluster01.key 2048
openssl genrsa -out gluster02.key 2048
openssl genrsa -out gluster03.key 2048
openssl genrsa -out gluster04.key 2048
# sign the server certificates
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
openssl req -new -x509 -key gluster02.key -subj "/CN=gluster02" -out gluster02.pem
openssl req -new -x509 -key gluster03.key -subj "/CN=gluster03" -out gluster03.pem
openssl req -new -x509 -key gluster04.key -subj "/CN=gluster04" -out gluster04.pem
# create the client keys
openssl genrsa -out glusterclient01.key 2048
# sign the client certificates
openssl req -new -x509 -key glusterclient01.key -subj "/CN=glusterclient01" -out glusterclient01.pem
# server certificates authorities
-Line 30:
+Line 18:
-# client certificates authorities
-Line 33:
+Line 20:
+=== Client ===
 and `glusterfs-client.ca`.
Copy `glusterfs.ca` to `/etc/ssl/glusterfs.ca` on all servers. Copy `glusterfs-client.ca` to `/etc/ssl/glusterfs.ca` on the client.

== Activate Encryption ==
{{{
touch /var/lib/glusterd/secure-access
}}}