cassandra-user mailing list archives

From rajpal reddy <>
Subject Re: Secure data
Date Tue, 07 Aug 2018 17:43:21 GMT
Hi Jon,

Was trying the LUKS encryption following the doc
on an EC2 i3.large machine.
I don’t see the disk mounted, and I see the mapper being at 100%. Do you see anything wrong
in the following statements?
I see this error in /var/log/messages:
 ERROR [instanceID=i-0de508d7fc188ab20] [MessagingDeliveryService] [Association] Unable to
load instance associations, unable to retrieve associations unable to retrieve associations
NoCredentialProviders: no valid providers in chain. Deprecated

df -h /dev/mapper/
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        7.5G  7.5G     0 100% /dev


## Initial setup to be executed on boot

# Create an empty file. This file will be used to host the file system.
# In this example we create a 2 GB file called secretfs (Secret File System).
dd of=secretfs bs=1G count=0 seek=2
# Lock down normal access to the file.
chmod 600 secretfs
# Associate a loopback device with the file.
losetup /dev/nvme0 secretfs
# Copy encrypted password file from S3. The password is used to configure LUKS later on.
aws s3 cp s3://mybucket/LuksInternalStorageKey .
# Decrypt the password from the file with KMS, save the secret password in LuksClearTextKey
LuksClearTextKey=$(aws --region us-east-1 kms decrypt --ciphertext-blob fileb://LuksInternalStorageKey \
  --output text --query Plaintext | base64 --decode)
# Encrypt storage in the device. cryptsetup will use the Linux
# device mapper to create, in this case, /dev/mapper/secretfs.
# Initialize the volume and set an initial key.
echo "$LuksClearTextKey" | cryptsetup -y luksFormat /dev/nvme0
# Open the partition, and create a mapping to /dev/mapper/secretfs.
echo "$LuksClearTextKey" | cryptsetup luksOpen /dev/nvme0 secretfs
# Clear the LuksClearTextKey variable because we don't need it anymore.
unset LuksClearTextKey
# Check its status (optional).
cryptsetup status secretfs
# Zero out the new encrypted device.
dd if=/dev/zero of=/dev/mapper/secretfs
# Create a file system and verify its status.
mke2fs -j -O dir_index /dev/mapper/secretfs
# List file system configuration (optional).
tune2fs -l /dev/mapper/secretfs
# Mount the new file system to /data_e/secretfs.
sudo mkdir /data_e/secretfs
sudo mount /dev/mapper/secretfs /data_e/secretfs

> On Aug 1, 2018, at 3:38 PM, Jonathan Haddad <> wrote:
> You can also get full disk encryption with LUKS, which I've used before.
> On Wed, Aug 1, 2018 at 12:36 PM Jeff Jirsa < <>>
> EBS encryption worked well on gp2 volumes (never tried it on any others)
> -- 
> Jeff Jirsa
> On Aug 1, 2018, at 7:57 AM, Rahul Reddy < <>>
>> Hello,
>> Has anyone tried AWS EC2 volume encryption for Cassandra instances?
>> On Tue, Jul 31, 2018, 12:25 PM Rahul Reddy < <>>
>> Hello,
>> I'm trying to find a good document on how to enable encryption for Apache Cassandra
>> (not on DSE) tables and commitlogs and store the keystore in KMS or Vault. If any of you have already
>> configured this, please direct me to the documentation for it.
> -- 
> Jon Haddad
> <>
> twitter: rustyrazorblade
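
A guard for the setup script in the message above, as an added example that is not part of the original post: `df` on a path reports the filesystem that contains it, and `dd of=` a path with no device node creates a regular file on devtmpfs, so the script should confirm the mapping is a block device before writing and confirm the mount afterwards. The function names are hypothetical; the paths are the ones used in the message.

```shell
#!/bin/sh
# Added example, not part of the original message. Paths mirror the script
# in the message; the function names are hypothetical.

# Succeed only if $1 is a block device node. If luksOpen failed, no node
# exists at /dev/mapper/NAME, and `dd of=` that path would create a regular
# file on devtmpfs (RAM-backed) instead of writing to encrypted storage.
require_block_device() {
    if [ -b "$1" ]; then
        return 0
    fi
    echo "refusing: $1 is not a block device" >&2
    return 1
}

# Print the Filesystem column of `df -P`-style output read from stdin.
df_source() {
    awk 'NR == 2 { print $1 }'
}

# Succeed only if mount point $2 is backed by device $1.
# df reports the filesystem that contains a path, so an unmounted
# directory shows its parent filesystem here, not the mapper device.
mounted_from() {
    [ "$(df -P "$2" 2>/dev/null | df_source)" = "$1" ]
}

# Constructed sample: the df output quoted in the message.
SAMPLE_DF='Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        7.5G  7.5G     0 100% /dev'

# Intended use inside the setup script (commented out: needs root and a
# real device):
#   cryptsetup status secretfs >/dev/null || exit 1
#   require_block_device /dev/mapper/secretfs || exit 1
#   dd if=/dev/zero of=/dev/mapper/secretfs bs=1M
#   mount /dev/mapper/secretfs /data_e/secretfs
#   mounted_from /dev/mapper/secretfs /data_e/secretfs || exit 1
```

Running the setup script under `set -eu` in addition makes a failed `luksFormat` or `luksOpen` stop the run before any later step writes or mounts.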
