GlusterFS Encryption

Keys

Keep your keys safe. I personally generate my keys on a special server which is only powered up when I need to make a new key or sign a certificate. Otherwise that system is always powered down. This way I can be sure that my keys are safe.

generate_gluster_certificates.sh

    #!/bin/sh
    # Generate self-signed key/certificate pairs and trust bundles for GlusterFS TLS.
    if [ ! -e /etc/ssl/glusterfs ]
    then
            mkdir -p /etc/ssl/glusterfs
    fi
    # stop here if the directory is not usable, so nothing is written elsewhere
    cd /etc/ssl/glusterfs || exit 1
    # create the server keys
    openssl genrsa -out gluster01.key 2048
    openssl genrsa -out gluster02.key 2048
    openssl genrsa -out gluster03.key 2048
    openssl genrsa -out gluster04.key 2048
    # create the self-signed server certificates
    # (no -days is given, so openssl req uses its default validity of 30 days)
    openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
    openssl req -new -x509 -key gluster02.key -subj "/CN=gluster02" -out gluster02.pem
    openssl req -new -x509 -key gluster03.key -subj "/CN=gluster03" -out gluster03.pem
    openssl req -new -x509 -key gluster04.key -subj "/CN=gluster04" -out gluster04.pem
    # create the client keys
    openssl genrsa -out glusterclient01.key 2048
    # create the self-signed client certificates
    openssl req -new -x509 -key glusterclient01.key -subj "/CN=glusterclient01" -out glusterclient01.pem
    # keep the private keys readable by their owner only
    chmod 600 *.key
    # CA bundle for the servers: trusts every server and the client
    cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca
    # CA bundle for the clients: trusts the servers only
    cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca
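
A check to run after the script above, as an added example that is not part of the original page: it confirms that each key matches its certificate, that both bundles trust the peers the script put in them, and it flags certificates close to expiry. The file names come from the script; the function names and the SSL_DIR variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the files written by generate_gluster_certificates.sh.
# File names come from that script; the function names are hypothetical.
SSL_DIR=${SSL_DIR:-/etc/ssl/glusterfs}
SERVERS="gluster01 gluster02 gluster03 gluster04"
CLIENTS="glusterclient01"

# True when DIR/NAME.key and DIR/NAME.pem carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1/$2.key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1/$2.pem" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when the self-signed certificate $2 verifies against trust bundle $1.
bundle_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True when certificate $1 expires within $2 days (or cannot be read).
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(($2 * 86400))" >/dev/null 2>&1
}

# Check every key pair and both bundles in directory $1; non-zero on any failure.
audit() {
    rc=0
    for n in $SERVERS $CLIENTS; do
        key_matches_cert "$1" "$n" || { echo "FAIL $n: key does not match certificate"; rc=1; }
        # Servers must accept every server and every client.
        bundle_trusts "$1/glusterfs.ca" "$1/$n.pem" || { echo "FAIL $n: not in glusterfs.ca"; rc=1; }
        if expires_within "$1/$n.pem" 30; then echo "WARN $n: expires within 30 days"; fi
    done
    for n in $SERVERS; do
        # Clients only need to accept the servers.
        bundle_trusts "$1/glusterfs-client.ca" "$1/$n.pem" || { echo "FAIL $n: not in glusterfs-client.ca"; rc=1; }
    done
    return "$rc"
}

if [ -d "$SSL_DIR" ]; then audit "$SSL_DIR"; fi
```

Run it on the machine where the files were generated, before distributing them; set SSL_DIR to audit a different directory.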