Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/randomvariable/kms-cryptsetup

Encrypt your on-premise server disks and save the keys in the cloud securely
https://github.com/randomvariable/kms-cryptsetup

aws clearlinux coreos cryptsetup dm-crypt dmcrypt dynamodb kms

Last synced: 3 months ago
JSON representation

Encrypt your on-premise server disks and save the keys in the cloud securely

Host: GitHub
URL: https://github.com/randomvariable/kms-cryptsetup
Owner: randomvariable
License: apache-2.0
Created: 2017-11-19T16:41:21.000Z (about 7 years ago)
Default Branch: master
Last Pushed: 2018-09-16T23:25:30.000Z (over 6 years ago)
Last Synced: 2024-06-20T01:54:49.415Z (8 months ago)
Topics: aws, clearlinux, coreos, cryptsetup, dm-crypt, dmcrypt, dynamodb, kms
Language: Go
Homepage:
Size: 7.18 MB
Stars: 75
Watchers: 4
Forks: 6
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

kms-cryptsetup
==============

Let's you encrypt on-premise disks and securely store the keys in DynamoDB
using KMS.

Design
------
`kms-cryptsetup` can be used on stateless systems like CoreOS or Intel Clear
Linux.

It uses SMBIOS IDs and disk serial numbers to uniquely identify computers
and disks and retrieve encryption keys from DynamoDB, which are in turn
encrypted using the AWS Key Management Service.

Each computer has an IAM user account with fine grained access control to
their key prefix in DynamoDB.

You also provide individual grants to each computer to decrypt records in
DynamoDB. These can be revoked and reinstated at any time, and provide an
alternative to using hardware devices like TPMs or Yubikeys which could
potentially be physically stolen together with the hard disk.

Setup
---

```
AWS_REGION= ./kms-cryptsetup # lists available commands
```

## Create the DynamoDB table

`kms-cryptsetup` uses a DynamoDB table called `kms-cryptsetup` to store keys.
Create this using:

```
AWS_REGION= ./kms-cryptsetup create-table
```

## Grant the computer access
Install/copy `kms-cryptsetup` to the target computer and run:

```
AWS_REGION= ./kms-cryptsetup computer-context
```

which should print something like:
```
supermicrozaaaaaaaa000000000000000000000aaaaaaaaaa
```

This is determined from the following DMI values:
* The motherboard vendor
* The motherboard serial number
* The motherboard product UUID

If these keys are not available, you can specify these manually in the next steps.

On your workstation, given some AWS credentials, run:

```
AWS_REGION= ./kms-cryptsetup grant-computer -c
```

If this is a new IAM user, the tool will print the AWS Access Key and Secret Access Key
to be installed to `/root/.aws/credentials` or used as environment variables on the target
system.

## Encrypt a disk

`kms-cryptsetup` can pass the relevant parameters to `cryptsetup` with the following defaults:

```
cryptsetup --allow-discards --cipher aes-xts-plain64 --key-file - --key-size 256 open --type plain /dev/ /dev/mapper/dmcrypt-
```

To do this, run:
```
AWS_REGION= ./kms-cryptsetup encrypt-disk -d
```

## Run a custom command
To use your own cryptsetup command line, use the following

```
AWS_REGION= ./kms-cryptsetup output-key -d | crypsetup
```

## Revoke a computer's access

This will revoke a computer's access. This can be restored at any time using
`grant-computer`. Access Keys do not need to be rotated for this to work.

```
AWS_REGION= ./kms-cryptsetup revoke-computer -c
```