Encrypted SR

Create your LUKS container on an unused RAID.

I set up the host without a declared VM storage to make this easier. XCP-NG 8.0 includes cryptsetup; otherwise you would need to uncomment the CentOS repos in the repo files to install it. I also use a USB stick with a keyfile to unlock the storage at boot.

I use /dev/sdb for this setup.

[voyager ~]# parted /dev/sdb
GNU Parted 3.1
Using /dev/sdb
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) mklabel
New disk label type? gpt
(parted) mkpart
Partition name?  []? crypt0
File system type?  [ext2]? ext4
Start? 0%
End? 100%
(parted) quit

Create your passphrase next. Remember it, but once we are done you will only need it in an emergency.

[voyager ~]# cryptsetup luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:

Take your USB stick and mount it. I have one already formatted as FAT32, but anything works. We need to get its UUID.

[voyager ~]# blkid
/dev/sdc1: SEC_TYPE="msdos" LABEL="KEYBLADE" UUID="FC7E-155E" TYPE="vfat"

Edit /etc/fstab and add the USB stick as a mount, using the UUID that blkid reported.

[voyager ~]# vim /etc/fstab
LABEL=root-tdgrhw	/         	ext3	defaults	1  1
LABEL=BOOT-TDGRHW	/boot/efi	vfat	defaults	0  2
LABEL=swap-tdgrhw	swap      	swap	defaults	0  0
LABEL=logs-tdgrhw	/var/log	ext3	defaults	0  2
UUID=FC7E-155E 		/mnt/key 	vfat	defaults	0 0

Open the LUKS container so we can turn it into an SR.

[voyager ~]# cryptsetup luksOpen /dev/sdb1 crypt0
Enter passphrase for /dev/sdb1:
[21:38 voyager ~]# lsblk
NAME       MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sdb          8:16   0 930.5G  0 disk
└─sdb1       8:17   0 930.5G  0 part
  └─crypt0 253:0    0 930.5G  0 crypt
sr0         11:0    1  1024M  0 rom
sdc          8:32   1   1.9G  0 disk
└─sdc1       8:33   1   1.9G  0 part
sda          8:0    0  67.8G  0 disk
├─sda2       8:2    0    18G  0 part
├─sda5       8:5    0     4G  0 part  /var/log
├─sda3       8:3    0   512M  0 part  /boot/efi
├─sda1       8:1    0    18G  0 part  /
└─sda6       8:6    0     1G  0 part  [SWAP]

Mount the USB stick.

[voyager ~]# mount /mnt/key/
[voyager ~]# lsblk
NAME       MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sdb          8:16   0 930.5G  0 disk
└─sdb1       8:17   0 930.5G  0 part
  └─crypt0 253:0    0 930.5G  0 crypt
sr0         11:0    1  1024M  0 rom
sdc          8:32   1   1.9G  0 disk
└─sdc1       8:33   1   1.9G  0 part  /mnt/key
sda          8:0    0  67.8G  0 disk
├─sda2       8:2    0    18G  0 part
├─sda5       8:5    0     4G  0 part  /var/log
├─sda3       8:3    0   512M  0 part  /boot/efi
├─sda1       8:1    0    18G  0 part  /
└─sda6       8:6    0     1G  0 part  [SWAP]

Create your keyfile and add it to the LUKS container. Then don't forget to put it on the USB stick.

# 8 KiB of random key material
dd if=/dev/urandom of=keyfile bs=2048 count=4
# add it as an extra key slot (prompts for the existing passphrase)
cryptsetup luksAddKey /dev/sdb1 keyfile
# move it onto the mounted USB stick; this is the path crypttab will use
mv keyfile /mnt/key/keyfile

Now edit /etc/crypttab so that all these parts work together: the mapping name, the encrypted device, the keyfile on the USB stick and the type.

[voyager ~]# vim /etc/crypttab
crypt0 /dev/sdb1 /mnt/key/keyfile luks

Create the SR. I want ext4 so VMs are thin-provisioned. In case you did not already know, when you open a LUKS container it is mapped to /dev/mapper/<name>.

xe sr-create type=ext name-label=crypt0 device-config:device=/dev/mapper/crypt0

Once done it should show up in XCP-ng Center. You can right-click it and set it as the default SR. [image: xcp-ng-encrypted-sr.PNG]
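Before that reboot, a sanity check is worth running: if the UUID in fstab does not match what blkid reports for the stick, or the crypttab keyfile path is not under that mount, the boot will stop and ask for the passphrase. The script below is an added example, not part of the original post; the function names (fstab_spec_for_path, check_keyfile_mount, live_check) and the SAMPLE_* data are my own, modelled on the listings above.

```shell
#!/bin/sh
# Added pre-reboot check (not from the original post): confirms the USB key mount
# in fstab, the keyfile path in crypttab and the UUID blkid reports all agree.

# Prints the fstab spec (UUID=... or LABEL=...) of the longest mountpoint that
# contains path $2. $1 = fstab text.
fstab_spec_for_path() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { mp = $2; sub(/\/+$/, "", mp); if (mp == "") mp = "/" }
        mp == "/" || index(key, mp "/") == 1 {
            if (length(mp) > best) { best = length(mp); spec = $1 }
        }
        END { print spec }'
}

# Cross-checks crypttab, fstab and blkid output for mapping $4.
# $1 = blkid output, $2 = fstab text, $3 = crypttab text, $4 = mapping name.
check_keyfile_mount() {
    keyfile=$(printf '%s\n' "$3" | awk -v n="$4" '$1 == n { print $3; exit }')
    [ -n "$keyfile" ] || { echo "no crypttab entry for $4"; return 1; }
    spec=$(fstab_spec_for_path "$2" "$keyfile")
    case $spec in
        UUID=*|LABEL=*) tag=${spec%%=*}; val=${spec#*=} ;;
        *) echo "$keyfile is not on a UUID=/LABEL= mount ($spec)"; return 1 ;;
    esac
    if printf '%s\n' "$1" | grep -Fq "$tag=\"$val\""; then
        echo "$keyfile: $tag $val found by blkid"; return 0
    fi
    echo "fstab wants $tag $val for $keyfile but blkid does not list it"; return 1
}

# Live variant for the running host (as root): tries the keyfile against the
# device named in /etc/crypttab for mapping $1, without creating a mapping.
live_check() {
    set -- $(awk -v n="$1" '$1 == n { print $2, $3 }' /etc/crypttab)
    cryptsetup open --test-passphrase --key-file "$2" "$1"
}

# Constructed samples modelled on the post's listings (second fstab has a typo).
SAMPLE_BLKID='/dev/sdc1: SEC_TYPE="msdos" LABEL="KEYBLADE" UUID="FC7E-155E" TYPE="vfat"'
SAMPLE_CRYPTTAB='crypt0 /dev/sdb1 /mnt/key/keyfile luks'
SAMPLE_FSTAB_OK='LABEL=root-tdgrhw / ext3 defaults 1 1
UUID=FC7E-155E /mnt/key vfat defaults 0 0'
SAMPLE_FSTAB_BAD='LABEL=root-tdgrhw / ext3 defaults 1 1
UUID=FC7E-166E /mnt/key vfat defaults 0 0'

check_keyfile_mount "$SAMPLE_BLKID" "$SAMPLE_FSTAB_OK" "$SAMPLE_CRYPTTAB" crypt0
check_keyfile_mount "$SAMPLE_BLKID" "$SAMPLE_FSTAB_BAD" "$SAMPLE_CRYPTTAB" crypt0 || true
```

On the real host, feed it `"$(blkid)" "$(cat /etc/fstab)" "$(cat /etc/crypttab)" crypt0` and then run `live_check crypt0`, which exits 0 only if the keyfile actually unlocks the container.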

Now reboot and hope you don't have to type that passphrase... Best of luck.