Mar 8, 2024 | Cloud, Tutorials

LUKS Encrypted Storage on OpenStack

by

Thoroughly securing your IT landscape has become more and more important over the last couple of years. With an increase in (user) data to be managed, processed, and stored, encryption of this data should be on your agenda towards fully secured IT infrastructure.
Therefore, we will look at how to leverage LUKS encrypted storage on OpenStack to encrypt volumes at rest in this tutorial. We will look at two ways of defining and using encrypted volumes in OpenStack: via web interface and via OpenStack CLI. Let’s start with the web interface.

Prerequisites

As a user of OpenStack, all necessary prerequisites for using LUKS encrypted storage have normally been configured for you by your administrators. If you administrate OpenStack yourself and are looking for configuration instructions, take a look at the official documentation.

To follow along with this tutorial on NWS OpenStack, you will need an NWS ID. You will also need to create an OpenStack project in which you can create volumes and compute instances. If you want to follow along in your terminal, you will additionally need to download the OpenStackRC file for your project. If you need a recap on how to go about this, see our tutorial on starting a project and creating a server (you will need one later) on NWS.

Configuring LUKS Encrypted Storage on the Dashboard

First, let’s see how you can provision LUKS encrypted volumes in Horizon, OpenStack’s web interface. If you’re an NWS customer, you can access Horizon either at https://cloud.netways.de and login with your NWS ID, or by clicking the “Go to App” button in the top right of your OpenStack project’s overview page at MyNWS.

Screenshot of the MyNWS VPC project overview

Navigate to OpenStack Horizon from the MyNWS dashboard

Creating a New LUKS Encrypted Volume

Once you made it to the Horizon dashboard, navigate to Volumes > Volumes and click on Create Volume in the top right. A form will open for you to specify the desired settings. You can configure the following settings here:

  • Volume Name – make sure to choose a meaningful name for your volume here, e.g. encryption-tutorial-volume
  • Description – add information regarding this volume here if needed
  • Volume Source – you can choose between creating an empty volume here or import an existing image
  • Type – this is the most important setting, as this will define whether your volume will be encrypted or not – more infos below
  • Size – the desired size of your volume
  • Availability Zone – where you want OpenStack to store your volume; in NWS OpenStack, there’s only one availability zone (nova)
  • Group – add your volume to a preexisting volume group if needed
screenshot of the New Volume dialogue on OpenStack Horizon

Exemplary configuration of a LUKS encrypted volume in NWS OpenStack

In the screenshot above, I configured a volume to use the LUKS type, which is the volume type for LUKS encrypted storage on NWS OpenStack. I also made sure to create a new, empty volume and set the size to 4GB.
If you are following along on an OpenStack environment that isn’t NWS OpenStack, the volume type might be named differently.

On NWS OpenStack, volumes of the LUKS type are encrypted using 256bit aes-xts-plain64 encryption.

Once you’re satisfied with your volume configuration, click on Create Volume. After a few moments, OpenStack will have provisioned the new, encrypted volume for you. Next, you need to attach it to a compute instance.

Using LUKS Encrypted Volumes

A volume alone won’t get you far, no matter if encrypted or not – you need a client consuming it. For this tutorial, this will be a simple compute instance. Deploy a new server via the NWS OpenStack dashboard or by navigating to Compute > Instances in OpenStack Horizon and clicking on Launch Instance in the top right.
Once the server is up and running, attach the encrypted volume via the OpenStack Horizon dashboard: Expand the dropdown in the Action column of your server’s listing, and choose Attach Volume from the available actions.

Screenshot of the server listing in OpenStack, with the Action menu expanded

Another popup dialogue will open, prompting you to choose the volume to attach from a dropdown of available volumes. Pick the LUKS encrypted volume you created before and confirm by clicking on Attach Volume:

Screenshot of the Attach Volume dialogue in OpenStack Horizon

That’s it – you attached encrypted storage to your server. If you log into the server (e.g. via SSH), you see a new storage device (probably /dev/sdb). You can use it like any other volume, OpenStack already decrypted the block storage for you.
This is a good moment to emphasize again that your LUKS encrypted volumes are only encrypted at rest, not in transit – keep that in mind when reasoning about your security posture!

Configuring LUKS encrypted storage in the Terminal

If you prefer a terminal and Openstack’s CLI over its dashboard, there is of course another way to provision LUKS encrypted storage on OpenStack. Make sure you have your OpenStackRC.sh at hand, source it, and pick the project to work in, if prompted:

source ~/Downloads/nws-id-openstack-rc.sh

Testing authentication and fetching project list ...

Please select one of your OpenStack projects.

1) aaaaa-openstack-bbbbb
2) ccccc-openstack-ddddd
3) eeeee-openstack-fffff
4) ggggg-openstack-hhhhh
5) iiiii-openstack-jjjjj
6) kkkkk-openstack-lllll
7) mmmmm-openstack-nnnnn
8) ooooo-openstack-ppppp
Enter a number: 1
Selected project: aaaaa-openstack-bbbbb

With the correct project picked, you can proceed to create your encrypted volume.

Creating a New LUKS Encrypted Volume

First, you need to identify the storage type providing LUKS encrypted storage in your OpenStack environment. You can list all storage types available to your OpenStack project with this command:

openstack volume type list
+--------------------------------------+--------------------------+-----------+
| ID                                   | Name                     | Is Public |
+--------------------------------------+--------------------------+-----------+
| 2f487bd6-628d-46ba-83c5-21c6dbb4c67d | Ceph-Encrypted           | True      |
| e0704085-2e47-4e3d-b637-ae04e78f5000 | Ceph-Encrypted-High-IOPS | True      |
| 21b793e6-8adf-4c92-9bf9-14f5a7b6161a | LUKS                     | True      |
| 664b6e93-0677-4e11-8cf1-4938237b6ce2 | __DEFAULT__              | True      |
| 0a65e62f-3aad-4c6d-b175-96dedaa7ba1f | Ceph-High-IOPS           | True      |
| c4a685b0-64c4-4565-9b4c-9800056d659d | Ceph                     | True      |
+--------------------------------------+--------------------------+-----------+

On NWS OpenStack, the storage type providing LUKS encryption is conveniently called LUKS. Next, you will have to create a new volume, referencing the identified volume type:

openstack volume create --type LUKS --size 4 encryption-tutorial-volume
+---------------------+------------------------------------------------------------------+
| Field               | Value                                                            |
+---------------------+------------------------------------------------------------------+
| attachments         | []                                                               |
| availability_zone   | nova                                                             |
| bootable            | false                                                            |
| consistencygroup_id | None                                                             |
| created_at          | 2024-03-04T12:41:29.000000                                       |
| description         | None                                                             |
| encrypted           | True                                                             |
| id                  | 9b20a1d8-bfb6-4e4f-bb4b-dbda62e4afc7                             |
| multiattach         | False                                                            |
| name                | encryption-tutorial-volume                                       |
| properties          |                                                                  |
| replication_status  | None                                                             |
| size                | 4                                                                |
| snapshot_id         | None                                                             |
| source_volid        | None                                                             |
| status              | creating                                                         |
| type                | LUKS                                                             |
| updated_at          | None                                                             |
| user_id             | acfef1ea27ec3ac25fa5009238cdeb2cc5ae2c943da7ecb279c43a5a91b8a4bf |
+---------------------+------------------------------------------------------------------+

In the example above, I created a volume encryption-tutorial-volume with a size of 4GB. Next up, you will want to attach the volume to a VM.

On NWS OpenStack, volumes of the LUKS type will are encrypted using 256bit aes-xts-plain64 encryption.

Using LUKS Encrypted Volumes

In order to consume the volume, you will need a server to attach it to. Create a new server using the following command, or deploy one via the NWS or OpenStack dashboards:

openstack server create --flavor s1.small --image "Debian 10" --network public-network test-server

This command will work in any NWS OpenStack project – if you’re following along on a different OpenStack environment, you might have to adapt the referenced flavors, images, and networks.
Once the server has come up, you can go ahead and attach the LUKS encrypted volume you created before:

openstack server add volume --device /dev/sdb test-server encryption-tutorial-volume
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| ID                    | 9b20a1d8-bfb6-4e4f-bb4b-dbda62e4afc7 |
| Server ID             | 7952e17d-0781-41c3-a1e9-b758574ac336 |
| Volume ID             | 9b20a1d8-bfb6-4e4f-bb4b-dbda62e4afc7 |
| Device                | /dev/sdb                             |
| Tag                   | None                                 |
| Delete On Termination | False                                |
+-----------------------+--------------------------------------+

If you log into your server now (e.g. via SSH), you should see a new storage device /dev/sdb. You can go ahead and format, mount, and consume it like any other OpenStack volume. OpenStack will have decrypted the block storage for you in the background already.

Summing it up

OpenStack provides you with everything you need to encrypt your storage at rest. You can use either OpenStack’s Horizon dashboard or its CLI to create, encrypt, and attach block storage volumes, without having to change any configuration on your VMs.
The feature comes at very little additional cost (OpenStack stores the encryption keys as Secrets in Barbican, OpenStack’s key manager, which incurs a small, fixed cost per secret in NWS OpenStack), and is a ‘quick win’ in terms of security posture.

Subcribe for next article

More articles in Cloud | Tutorials
Securing ingress-nginx with cert-manager

Securing ingress-nginx with cert-manager

In one of our first tutorials, we showed you how to get started with ingress-nginx on your Kubernetes cluster. As a next step, we will tell you how to go about securing ingress-nginx with cert-manager by creating TLS certificates for your services! What is...

Migrating Servers from VMware to Openstack

Migrating Servers from VMware to Openstack

In this tutorial, we will have a look at migrating servers from VMware to OpenStack. After VMware's recent acquisition by Broadcom, many Cloud Service Providers (CSPs) face termination of their partnership programs with VMware. With no further information publicly...

Upgrading Ubuntu: From 20.04 to 22.04 with Nextcloud 26 and PHP 8.1

Upgrading Ubuntu: From 20.04 to 22.04 with Nextcloud 26 and PHP 8.1

Every couple of years Ubuntu brings out a new LTS version of its operating system and with it comes a bundle of new applications and dependencies. This can be both exciting and challenging for sys-admins who need to make everything work after an upgrade. One of the...

Mastering Kubernetes with Cilium: Empowering L7 Traffic Control

Mastering Kubernetes with Cilium: Empowering L7 Traffic Control

With the new release of the Cilium CNI on our Kubernetes Service you'll get the ability to filter traffic based on L7 properties. It's very powerful and can help a lot with your services security. In this tutorial, we'll be securing an API endpoint to allow access...

Using Terraform with OpenStack

Using Terraform with OpenStack

Many of you may already be familiar using Terraform with Azure or AWS. Although these may be the most used platforms, there is still a need for variety of other options due to local regulations (GDPR). As our systems are geared towards Open-Source, we will be looking...

Dynamic Inventory – An Ansible and Openstack Lovestory

Dynamic Inventory – An Ansible and Openstack Lovestory

For those of you that may not be too familiar with Ansible, it is a great tool to get started in the world of automation and making your life with configuration management a whole lot easier. In this tutorial we will be going through a basic playbook that you can use...

ReadWriteMany (RWX) with the NFS Ganesha Provisioner

ReadWriteMany (RWX) with the NFS Ganesha Provisioner

Introduction You have the desire that your application needs to scale across multiple nodes for load balancing, but needs access to a common PVC? For this purpose, you need a PVC that is RWX-enabled. As part of our Managed Kubernetes Cluster, it is possible to create...

Resizing Persistent Volumes in Kubernetes

Resizing Persistent Volumes in Kubernetes

You want to resize a PersistentVolume (PV) in Kubernetes? In this tutorial, you'll learn how to do it. If you don't already know what a PV is and how you can create one, you should check out the tutorial Creating Persistent Volumes in Kubernetes first.   Let's...

How to start your NETWAYS Managed Database

How to start your NETWAYS Managed Database

In the first Database tutorial, Sebastian already explained what Vitess is all about and what possibilities it offers you, when running your application compared to an ordinary database. In this tutorial, I would like to explain how easy it is for you to start your...

What is Vitess?

What is Vitess?

Back in 2010 a solution was created to solve the massive MySQL scalability challenges at YouTube - and then Vitess was born. Later in 2018, the project became part of the Cloud Native Computing Foundation and since 2019 it has been listed as one of the graduated...