# VM disk encryption in the cloud using YC KMS

Source repository: https://github.com/yandex-cloud-examples/yc-encrypt-vm-disk-with-kms (Terraform/HCL, Apache-2.0 license, last pushed 2024-08-12). Repository description: encrypting a virtual machine disk using Key Management Service (KMS).

## Description
- The solution encrypts a disk (other than the boot disk) of a [Yandex Compute Cloud VM](https://cloud.yandex.ru/services/compute) using [Yandex Key Management Service](https://cloud.yandex.ru/services/kms) together with [dm-crypt](https://en.wikipedia.org/wiki/Dm-crypt)+[LUKS](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup).
- The solution and its prerequisites are deployed with an example Terraform script.

## Operating diagram
![Diagram](https://user-images.githubusercontent.com/85429798/131116794-8dd100e3-c024-4297-a39d-8d1482fc8ead.png)


## Description of the solution operation
- Data is passed to the VM through the [cloud-init](https://cloud.yandex.ru/docs/compute/concepts/vm-metadata#keys-processed-in-public-images) script when the instance is deployed.
- The required software is installed: AWS CLI, cryptsetup-bin, curl.
- The SSH key created by Terraform is passed to the VM.
- A Bash script is run on the VM with the `create` argument: a high-entropy data encryption key is generated with the KMS [generateDataKey](https://cloud.yandex.ru/docs/kms/api-ref/SymmetricCrypto/generateDataKey) method, which returns the key both in plaintext and encrypted under the KMS key; both forms are written to the file system.
- The second VM disk is encrypted with this key (LUKS) and mounted.
- The encrypted key is copied to [Yandex Object Storage](https://cloud.yandex.ru/services/storage) and deleted from the file system.
- The script with the `open` argument is added to the OS startup sequence so that the encrypted disk is mounted automatically after a reboot.
- At mount time, the encrypted key is downloaded from S3, decrypted through KMS, used to open the LUKS device, and deleted from the file system once the disk is mounted.

> All operations with KMS and Object Storage are performed using the token of the service account linked to the VM at its creation.

Script arguments:
- `create`: generate a high-entropy key with the KMS [generateDataKey](https://cloud.yandex.ru/docs/kms/api-ref/SymmetricCrypto/generateDataKey) method.
- `open`: decrypt the key, open the encrypted disk as a decrypted device-mapper device and mount it.
- `close`: unmount and close the encrypted device.
- `erase`: delete the source device.


## Prerequisites (configured by the example Terraform script):
- Install and configure the [YC CLI](https://cloud.yandex.ru/docs/cli/quickstart).
- Create a service account.
- Create a KMS key.
- Grant the service account the `kms.keys.encrypterDecrypter` role on the KMS key.
- Create an Object Storage bucket.
- Grant the service account access to the bucket (the `storage.uploader` and `storage.viewer` roles plus a bucket policy).
- Assign the service account to the VM.
- Install AWS CLI: `apt install awscli`
- Install cryptsetup: `apt install cryptsetup-bin`


## Launching the solution
- Download the files.
- Fill out the variables.tf file.
- Run the Terraform commands:

```
terraform init
terraform apply
```
## Deployment results
- Check the mounted block devices:

```
lsblk
```

![Status](https://user-images.githubusercontent.com/85429798/131117114-d15f733e-8db8-4bdc-a3bf-082554a4e7cc.jpg)

- Check the encryption status of the mapped device:

```
cryptsetup status encrypted1
```
![Status](https://user-images.githubusercontent.com/85429798/131117237-bb081d75-3876-4970-9a2c-b52ae4161c55.jpg)

- Verify that the disk is unreadable from another VM. To do this, create a snapshot of the encrypted disk:

![Snapshot](https://user-images.githubusercontent.com/85429798/131117342-0ef73d39-890b-49c4-888c-7ca43789356f.jpg)

- Create a VM with a disk based on that snapshot:
![Creating a VM](https://user-images.githubusercontent.com/85429798/131117386-e1e9e805-2412-48bd-be9e-41e4ee83eed9.png)

- Try to mount the disk directly:

```
sudo mount /dev/vdb /mnt
```
![Test result](https://user-images.githubusercontent.com/85429798/131117495-c2cc85d4-21c9-4578-9027-907bf6c9d0c2.jpg)

The mount fails: without the data key the device holds only a LUKS container, not a mountable file system, so a copy of the disk (snapshot, image, or the raw volume) is useless to anyone who cannot also call KMS decrypt with the service account's rights.
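The `create`/`open`/`close` flow described under "Description of the solution operation", as an added example written for this page; it is not the repository's own script. It uses the building blocks the README names (the service-account token of the VM, KMS generateDataKey and decrypt, the AWS CLI against Object Storage, cryptsetup) with one deliberate change: the plaintext data key is piped to cryptsetup on stdin instead of being written to the file system, so only the KMS-wrapped key ever reaches the disk or the bucket. The metadata token URL and header, the `kms.yandex` REST endpoints, the response field names (`dataKeyPlaintext`, `dataKeyCiphertext`, `plaintext`, all base64) and the Object Storage endpoint are taken from the public API references and are assumptions to verify against current documentation; `KMS_KEY_ID`, `BUCKET`, the device and the mapper name are placeholders, and the `erase` argument is not implemented.

```bash
#!/bin/sh
# Added example for this page (not the repository's script): LUKS-encrypt a
# secondary disk with a data key from Yandex KMS, storing only the KMS-wrapped
# key in Object Storage. The plaintext key is piped to cryptsetup and is never
# written to the file system.
# ASSUMPTIONS (verify against the current API references):
#   - IAM token from the VM metadata service with the Metadata-Flavor header
#   - KMS REST: https://kms.yandex/kms/v1/keys/{keyId}:generateDataKey and :decrypt
#   - response fields dataKeyPlaintext / dataKeyCiphertext / plaintext (base64)
#   - Object Storage reached through the AWS CLI at https://storage.yandexcloud.net
set -eu

KMS_KEY_ID="${KMS_KEY_ID:-}"               # symmetric KMS key id (placeholder)
BUCKET="${BUCKET:-}"                       # bucket holding the wrapped key (placeholder)
DEVICE="${DEVICE:-/dev/vdb}"               # secondary disk, never the boot disk
MAPPER_NAME="${MAPPER_NAME:-encrypted1}"   # becomes /dev/mapper/$MAPPER_NAME
MOUNTPOINT="${MOUNTPOINT:-/data}"
WRAPPED_KEY_OBJECT="${MAPPER_NAME}.dek.enc"
S3_ENDPOINT="https://storage.yandexcloud.net"
METADATA_TOKEN_URL="http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token"
KMS_BASE="https://kms.yandex/kms/v1/keys"

# Extract a string-valued field from a JSON object without jq.
json_field() { # json_field '<json>' <field>
  printf '%s\n' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# An AES-256 data key must decode to exactly 32 bytes; refuse anything else.
is_256bit_key() {
  [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" -eq 32 ]
}

# IAM token of the service account attached to the VM: no static credentials on disk.
iam_token() {
  json_field "$(curl -sSf -H 'Metadata-Flavor: Google' "$METADATA_TOKEN_URL")" access_token
}

kms_call() { # kms_call <generateDataKey|decrypt> '<json body>'
  curl -sSf -X POST "${KMS_BASE}/${KMS_KEY_ID}:$1" \
    -H "Authorization: Bearer $(iam_token)" -H 'Content-Type: application/json' -d "$2"
}

# create: new data key from KMS, wrapped copy to the bucket, plaintext to LUKS via stdin.
create() {
  resp=$(kms_call generateDataKey '{"dataKeySpec":"AES_256","skipPlaintext":false}')
  plain=$(json_field "$resp" dataKeyPlaintext)
  wrapped=$(json_field "$resp" dataKeyCiphertext)
  is_256bit_key "$plain" || { echo "generateDataKey returned an unexpected key" >&2; return 1; }
  printf '%s' "$wrapped" | aws --endpoint-url "$S3_ENDPOINT" s3 cp - "s3://${BUCKET}/${WRAPPED_KEY_OBJECT}"
  printf '%s' "$plain" | base64 -d | cryptsetup luksFormat --batch-mode --key-file - "$DEVICE"
  printf '%s' "$plain" | base64 -d | cryptsetup open --key-file - "$DEVICE" "$MAPPER_NAME"
  mkfs.ext4 -q "/dev/mapper/${MAPPER_NAME}"
  mkdir -p "$MOUNTPOINT" && mount "/dev/mapper/${MAPPER_NAME}" "$MOUNTPOINT"
}

# open: fetch the wrapped key, unwrap it through KMS, open and mount the device.
open_disk() {
  wrapped=$(aws --endpoint-url "$S3_ENDPOINT" s3 cp "s3://${BUCKET}/${WRAPPED_KEY_OBJECT}" -)
  plain=$(json_field "$(kms_call decrypt "{\"ciphertext\":\"${wrapped}\"}")" plaintext)
  is_256bit_key "$plain" || { echo "decrypt returned an unexpected key" >&2; return 1; }
  printf '%s' "$plain" | base64 -d | cryptsetup open --key-file - "$DEVICE" "$MAPPER_NAME"
  mkdir -p "$MOUNTPOINT" && mount "/dev/mapper/${MAPPER_NAME}" "$MOUNTPOINT"
}

# close: unmount and drop the mapping so the key leaves kernel memory.
close_disk() {
  umount "$MOUNTPOINT"
  cryptsetup close "$MAPPER_NAME"
}

case "${1:-}" in
  create) create ;;
  open)   open_disk ;;
  close)  close_disk ;;
  "")     ;;                                  # no argument: only define the functions
  *)      echo "usage: $0 {create|open|close}" >&2; exit 2 ;;
esac
```

Run it as root on the VM, e.g. `KMS_KEY_ID=<key id> BUCKET=<bucket> ./encrypt-disk.sh create` once, and register `./encrypt-disk.sh open` in the startup sequence as the README describes. The service account still needs only the roles listed under Prerequisites: `kms.keys.encrypterDecrypter` on the key for generateDataKey/decrypt, and `storage.uploader`/`storage.viewer` on the bucket for the wrapped-key object. Because the plaintext key exists only in the shell variable and the pipe to cryptsetup, there is nothing to delete from the file system after mounting, and a snapshot of the VM taken at any point holds only the wrapped key.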