Differences between revisions 2 and 23 (spanning 21 versions)
Revision 2 as of 2017-12-24 16:50:20
Size: 843
Editor: Kristian Kallenberg
Comment:
Revision 23 as of 2017-12-24 17:35:40
Size: 1931
Editor: Kristian Kallenberg
Comment:
Deletions are marked like this. Additions are marked like this.
Line 2: Line 2:
The default GlusterFS setup does not encrypt its communication. Use the method below enable encryption.
Line 3: Line 4:
== Servers ==

Once all this works we will continue by adding TLS encryption to the setup.

=== Keys ===
On each of the Glusterfs servers run.		 == Keys and Certificates ==
Make an encryption key and make sure to set the `CN` to match the name of the host. Repeat this on the client and on each of the servers.
Line 12: Line 9:
openssl genrsa -out glusterfs.key 2048 openssl genrsa -out gluster01.key 2048
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
Line 15: Line 14:
=== Certificates ===
Now sign a certificate using that key.		 == Certificate Authorities ==
compile all the certificates in one place and concatename them into two files. glusterfs.ca and glusterfs-client.ca.
Line 18: Line 17:
root@gluster01:/etc/ssl/glusterfs# openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem
root@gluster02:/etc/ssl/glusterfs# openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster02" -out glusterfs.pem
root@gluster03:/etc/ssl/glusterfs# openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster03" -out glusterfs.pem
root@gluster04:/etc/ssl/glusterfs# openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster04" -out glusterfs.pem		 cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca
Line 24: Line 21:
== Clients ==
{{{
# create the server keys
openssl genrsa -out gluster01.key 2048
openssl genrsa -out gluster02.key 2048
openssl genrsa -out gluster03.key 2048
openssl genrsa -out gluster04.key 2048
# sign the server certificates
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
openssl req -new -x509 -key gluster02.key -subj "/CN=gluster02" -out gluster02.pem
openssl req -new -x509 -key gluster03.key -subj "/CN=gluster03" -out gluster03.pem
openssl req -new -x509 -key gluster04.key -subj "/CN=gluster04" -out gluster04.pem
# create the client keys
openssl genrsa -out glusterclient01.key 2048
# sign the client certificates
openssl req -new -x509 -key glusterclient01.key -subj "/CN=glusterclient01" -out glusterclient01.pem
# server certificates authorities
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca
# client certificates authorities
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca
}}}

GlusterFS Encryption

The default GlusterFS setup does not encrypt its communication. Use the method below enable encryption.

Keys and Certificates

Make an encryption key and make sure to set the CN to match the name of the host. Repeat this on the client and on each of the servers. 

mkdir /etc/ssl/glusterfs
cd /etc/ssl/glusterfs
openssl genrsa -out gluster01.key 2048
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem

Certificate Authorities

compile all the certificates in one place and concatename them into two files. glusterfs.ca and glusterfs-client.ca. 

cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca

# create the server keys
openssl genrsa -out gluster01.key 2048
openssl genrsa -out gluster02.key 2048
openssl genrsa -out gluster03.key 2048
openssl genrsa -out gluster04.key 2048
# sign the server certificates
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
openssl req -new -x509 -key gluster02.key -subj "/CN=gluster02" -out gluster02.pem
openssl req -new -x509 -key gluster03.key -subj "/CN=gluster03" -out gluster03.pem
openssl req -new -x509 -key gluster04.key -subj "/CN=gluster04" -out gluster04.pem
# create the client keys
openssl genrsa -out glusterclient01.key 2048
# sign the client certificates
openssl req -new -x509 -key glusterclient01.key -subj "/CN=glusterclient01" -out glusterclient01.pem
# server certificates authorities
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca
# client certificates authorities
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca

None: GlusterFS Encryption (last edited 2021-03-26 21:25:57 by Kristian Kallenberg)