Decrypting the user data on the cluster in an easier way #2162
-
Hi, first of all i wanted to say that I love karios and wanted to thank you for the development! I want to create a small 3 node cluster that has all its data encrypted at rest. I have seen your guide on doing this and the use of the kcrypt-challenger that should by design run on another cluster as I understand it? This would be a bit much for my use case as I would like to create a setup like follows:
Could something like this be achieved with kairos? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 10 replies
-
Hi @firstdorsal , thanks for trying out Kairos. Having said that, where should the prompt appear? One prompt per machine? This means someone would have to enter the passphrase for decryption on each machine whenever they are rebooted. The encryption feature on Kairos was designed to work automatically without user intervention, so this scenario is not supported. I'm thinking that you may be able to achieve what you want by encrypting the partitions manually after installation (or using some stage in the kairos config). Then you would get the regular prompt when the machine boots. It's just a rough idea, I don't have the exact steps. Needs some experimentation. @kairos-io/maintainers any other ideas? |
Beta Was this translation helpful? Give feedback.
Thanks for clarifying this @firstdorsal . Since you are going to implement some part of it, one option would be to write your own version of the challenger: https://github.com/kairos-io/kcrypt-challenger/blob/main/pkg/challenger/challenger.go#L215
Basically you need to implement the 2 endpoints
/postPass
andgetPass
which are requested by the client. You may be able to get away with just implementing/getPass
endpoint which is the first one the client tries to reach: https://github.com/kairos-io/kcrypt-challenger/blob/c42e66a9de78193479e4c15ab5178cb0a60d357f/cmd/discovery/client/client.go#L97By doing this, you have full control over what the KMS does, how it stores the passphrase, whethe…