Differences between revisions 8 and 10 (spanning 2 versions)
Revision 8 as of 2017-12-24 17:18:36
Size: 2056
Editor: Kristian Kallenberg
Comment:
Revision 10 as of 2017-12-24 17:22:23
Size: 2314
Editor: Kristian Kallenberg
Comment:
Deletions are marked like this. Additions are marked like this.
Line 3: Line 3:

{{{#!highlight bash
#!/bin/sh
if [ ! -e /etc/ssl/glusterfs ]
then
        mkdir -p /etc/ssl/glusterfs
fi

cd /etc/ssl/glusterfs

# create the server keys
openssl genrsa -out gluster01.key 2048
openssl genrsa -out gluster02.key 2048
openssl genrsa -out gluster03.key 2048
openssl genrsa -out gluster04.key 2048

# sign the server certificates
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
openssl req -new -x509 -key gluster02.key -subj "/CN=gluster02" -out gluster02.pem
openssl req -new -x509 -key gluster03.key -subj "/CN=gluster03" -out gluster03.pem
openssl req -new -x509 -key gluster04.key -subj "/CN=gluster04" -out gluster04.pem

# create the client keys
openssl genrsa -out glusterclient01.key 2048

# sign the client certificates
openssl req -new -x509 -key glusterclient01.key -subj "/CN=glusterclient01" -out glusterclient01.pem

# server certificates authorities
cat gluster01.key gluster02.key gluster03.key gluster04.key glusterclient01.pem > glusterfs.ca
# client certificates authorities
cat gluster01.key gluster02.key gluster03.key gluster04.key > glusterfs-client.ca
}}}
Line 38: Line 4:
Keep your keys safe. I personally generate my keys on a special server which is only powered up when i need to make a new key or sign a certificate. Otherwise that system is always powered down. This way i can be sure that my keys are safe.
Line 63: Line 30:

{{{#!highlight bash
#!/bin/sh
if [ ! -e /etc/ssl/glusterfs ]
then
        mkdir -p /etc/ssl/glusterfs
fi

cd /etc/ssl/glusterfs

# create the server keys
openssl genrsa -out gluster01.key 2048
openssl genrsa -out gluster02.key 2048
openssl genrsa -out gluster03.key 2048
openssl genrsa -out gluster04.key 2048
# sign the server certificates
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
openssl req -new -x509 -key gluster02.key -subj "/CN=gluster02" -out gluster02.pem
openssl req -new -x509 -key gluster03.key -subj "/CN=gluster03" -out gluster03.pem
openssl req -new -x509 -key gluster04.key -subj "/CN=gluster04" -out gluster04.pem

# create the client keys
openssl genrsa -out glusterclient01.key 2048

# sign the client certificates
openssl req -new -x509 -key glusterclient01.key -subj "/CN=glusterclient01" -out glusterclient01.pem

# server certificates authorities
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem www01.pem www02.pem > glusterfs.ca
# client certificates authorities
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca
}}}

GlusterFS Encryption

Keys

Keep your keys safe. I personally generate my keys on a special server which is only powered up when i need to make a new key or sign a certificate. Otherwise that system is always powered down. This way i can be sure that my keys are safe.

On each of the Glusterfs servers and clients run. 

mkdir /etc/ssl/glusterfs
cd /etc/ssl/glusterfs
openssl genrsa -out glusterfs.key 2048

Certificates

Now sign certificates using those keys. Replace the CN so it matches the host you are siging the certificate for. 

openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem

Compile

Compile all the certificates into one large file 

scp gluster01:/etc/ssl/glusterfs/gluster.pem gluster01.pem
scp gluster02:/etc/ssl/glusterfs/gluster.pem gluster02.pem
scp gluster03:/etc/ssl/glusterfs/gluster.pem gluster03.pem
scp gluster04:/etc/ssl/glusterfs/gluster.pem gluster04.pem
scp glusterclient01:/etc/ssl/glusterfs/gluster.pem glusterclient01.pem
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs.ca

   1 #!/bin/sh
   2 if [ ! -e /etc/ssl/glusterfs ]
   3 then
   4         mkdir -p /etc/ssl/glusterfs
   5 fi
   6 
   7 cd /etc/ssl/glusterfs
   8 
   9 # create the server keys
  10 openssl genrsa -out gluster01.key 2048
  11 openssl genrsa -out gluster02.key 2048
  12 openssl genrsa -out gluster03.key 2048
  13 openssl genrsa -out gluster04.key 2048
  14 # sign the server certificates
  15 openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
  16 openssl req -new -x509 -key gluster02.key -subj "/CN=gluster02" -out gluster02.pem
  17 openssl req -new -x509 -key gluster03.key -subj "/CN=gluster03" -out gluster03.pem
  18 openssl req -new -x509 -key gluster04.key -subj "/CN=gluster04" -out gluster04.pem
  19 
  20 # create the client keys
  21 openssl genrsa -out glusterclient01.key 2048
  22 
  23 # sign the client certificates
  24 openssl req -new -x509 -key glusterclient01.key -subj "/CN=glusterclient01" -out glusterclient01.pem
  25 
  26 # server certificates authorities
  27 cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem www01.pem www02.pem > glusterfs.ca
  28 # client certificates authorities
  29 cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca

None: GlusterFS Encryption (last edited 2021-03-26 21:25:57 by Kristian Kallenberg)