The only way to mount an encrypted volume on boot is if the password is stored somewhere on the server itself, such as in /etc/crypttab. Maybe you could come up with a system that uses ssh to log in and "manually" mount the volume with a password after the system is booted.
One thing to be aware of is that disk encryption at this level provides no additional security within the system -- anyone logged in can see and access all the files (subject to standard file permissions). It does help with data on the underlying disk, which is only really of use when the machine is completely turned off, protecting it from an administrator on the VM host (though they would have full access to your system anyway), or from a SAN admin.

❧ Brian Mathis
@orev

On Wed, Aug 20, 2014 at 1:07 PM, Eugene Sapozhnikov <[email protected]> wrote:
> I have been given a project to secure our client hosts.
>
> One of the requirements was to set up an encrypted volume and mount it over
> /var/puppet/lib .
>
> The other requirement was to have the encryption key reside only on the
> puppet master.
>
> I have been able to use cryptsetup to have puppet configure and mount the
> encrypted volume successfully.
>
> But I am running into a roadblock when the client server reboots and the
> volume is unmounted. I can't use puppet to mount the volume as the puppet
> agent will not connect successfully without the /var/lib/puppet being
> mounted so it can use original SSL cert.
>
> Wanted to see if anyone here has tried any similar setups to what I am
> trying to achieve.
>
> Thanks.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/a532006d-e3cd-4c1b-bd6f-91a388e68fb0%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
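
The ssh-based unlock suggested in the reply, as an added example that is not part of the thread: the host holding the key streams it over ssh into cryptsetup on the client, so the key never lands on the client's disk. The function names, root ssh access with key authentication, and the device, mapping and mount point values are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Run on the host that holds the key;
# hostnames, device paths and the key location are assumed values.

# Accept only plain path/name characters so nothing caller-supplied can
# alter the command line that the remote shell parses.
is_safe() {
    case "$1" in
        ''|*[!A-Za-z0-9_./-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the command executed on the client. It is idempotent: an
# already-open mapping or an already-mounted path is left alone.
build_remote_cmd() {
    dev=$1 name=$2 mnt=$3
    is_safe "$dev" && is_safe "$name" && is_safe "$mnt" || return 1
    case "$name" in */*) return 1 ;; esac   # mapping name, not a path
    printf '%s' "set -e; [ -e /dev/mapper/$name ] || cryptsetup open --type luks --key-file=- $dev $name; mountpoint -q $mnt || mount /dev/mapper/$name $mnt"
}

# unlock_remote HOST DEVICE NAME MOUNTPOINT KEYFILE
unlock_remote() {
    host=$1 keyfile=$5
    is_safe "$host" || return 1
    [ -r "$keyfile" ] || return 1
    cmd=$(build_remote_cmd "$2" "$3" "$4") || return 1
    # The key travels on stdin: never in argv, never written to the client.
    # With --key-file=- cryptsetup uses every byte, trailing newline included,
    # so the key file must match byte-for-byte what was enrolled.
    ssh -o BatchMode=yes -o StrictHostKeyChecking=yes "root@$host" "$cmd" < "$keyfile"
}
```

The key is still present in kernel memory on the client while the volume is open, which matches the reply's point that this protects the data only when the machine is off.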
