Differences between revisions 2 and 15 (spanning 13 versions)

GlusterFS Encryption

Keys

Keep your keys safe. I personally generate my keys on a special server which is only powered up when I need to make a new key or sign a certificate. Otherwise that system is always powered down. This way I can be sure that my keys are safe.

generate_gluster_certificates.sh

   1 #!/bin/sh
   2 if [ ! -e /etc/ssl/glusterfs ]
   3 then
   4         mkdir -p /etc/ssl/glusterfs
   5 fi
   6 cd /etc/ssl/glusterfs
   7 # create the server keys
   8 openssl genrsa -out gluster01.key 2048
   9 openssl genrsa -out gluster02.key 2048
  10 openssl genrsa -out gluster03.key 2048
  11 openssl genrsa -out gluster04.key 2048
  12 # sign the server certificates
  13 openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
  14 openssl req -new -x509 -key gluster02.key -subj "/CN=gluster02" -out gluster02.pem
  15 openssl req -new -x509 -key gluster03.key -subj "/CN=gluster03" -out gluster03.pem
  16 openssl req -new -x509 -key gluster04.key -subj "/CN=gluster04" -out gluster04.pem
  17 # create the client keys
  18 openssl genrsa -out glusterclient01.key 2048
  19 # sign the client certificates
  20 openssl req -new -x509 -key glusterclient01.key -subj "/CN=glusterclient01" -out glusterclient01.pem
  21 # server certificates authorities
  22 cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca
  23 # client certificates authorities
  24 cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca

None: GlusterFS Encryption (last edited 2021-03-26 21:25:57 by Kristian Kallenberg)

-  ⇤ ← Revision 2 as of 2017-12-24 16:50:20 → 
  Size: 843
  Editor: Kristian Kallenberg
  Comment:
+   ← Revision 15 as of 2017-12-24 17:27:40 → ⇥
  Size: 1468
  Editor: Kristian Kallenberg
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 3:
-== Servers ==
+== Keys ==
Keep your keys safe. I personally generate my keys on a special server which is only powered up when I need to make a new key or sign a certificate. Otherwise that system is always powered down. This way I can be sure that my keys are safe.
-Line 5:
+Line 6:
-Once all this works we will continue by adding TLS encryption to the setup.

=== Keys ===
On each of the Glusterfs servers run.
{{{
mkdir /etc/ssl/glusterfs
+`generate_gluster_certificates.sh`
{{{#!highlight bash
#!/bin/sh
if [ ! -e /etc/ssl/glusterfs ]
then
        mkdir -p /etc/ssl/glusterfs
fi
-Line 12:
+Line 14:
-openssl genrsa -out glusterfs.key 2048
+# create the server keys
openssl genrsa -out gluster01.key 2048
openssl genrsa -out gluster02.key 2048
openssl genrsa -out gluster03.key 2048
openssl genrsa -out gluster04.key 2048
# sign the server certificates
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
openssl req -new -x509 -key gluster02.key -subj "/CN=gluster02" -out gluster02.pem
openssl req -new -x509 -key gluster03.key -subj "/CN=gluster03" -out gluster03.pem
openssl req -new -x509 -key gluster04.key -subj "/CN=gluster04" -out gluster04.pem
# create the client keys
openssl genrsa -out glusterclient01.key 2048
# sign the client certificates
openssl req -new -x509 -key glusterclient01.key -subj "/CN=glusterclient01" -out glusterclient01.pem
# server certificates authorities
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca
# client certificates authorities
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca
-Line 14:
+Line 33:
-=== Certificates ===
Now sign a certificate using that key.
{{{
root@gluster01:/etc/ssl/glusterfs# openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem
root@gluster02:/etc/ssl/glusterfs# openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster02" -out glusterfs.pem
root@gluster03:/etc/ssl/glusterfs# openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster03" -out glusterfs.pem
root@gluster04:/etc/ssl/glusterfs# openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster04" -out glusterfs.pem
}}}

== Clients ==