Encrypted filesystem support?

A big feature I’d like to see in MAAS is the ability to deploy encrypted filesystems, both using LUKS encrypted partitions with traditional filesystems, and with ZFS native encryption. right now I don’t have great options for full lifecycle management because all of our deploys need full encryption, and I can’t see a good way to provide that with MAAS right now.

I imagine to make this really work, MAAS would have to have some idea of an internal secrets store, so you could store the encryption key / password details. a future very useful expansion would be an API to hook common secrets stores, like typical cloud providers, or Hashicorp Vault.

is there anything like this on a roadmap, or some hacks people are currently using to provide this?

thanks!

3 Likes

There is a tutorial on how to deploy LUKS2 encrypted disks or partitions using MAAS. It involves some fiddling with the curtin preseeds, but it is still relatively easy to implement. This solution doesn’t provide any secrets management right now. Although, I imagine this could be implemented with some more advanced templating and creative use of the MAAS API.

Other than that, if you don’t need an encrypted root, a lot is possible with custom cloud-init user data. That includes getting secrets from an API. I personally use an ansible playbook to setup encryption at boot and have a single ansible-pull command in my cloud-init userdata.

1 Like

Yeah, in this case it’s for shared-customer DCs, so full disk encryption is pretty mandatory, including root. I’d prefer to just use zfs native, but the zfs support so far looks a little half baked. that curtin editing does look like the right track for me though, thanks for the link! I’ll see what I can concoct with that. :slightly_smiling_face:

is there a way to create our own custom storage layout profiles, so I could make a template to just apply to all servers of a certain type? that might be the right route for what I’m after. then I could just set up the entire ZFS array the way I want it to end up without using a bunch of other steps or scripting, potentially.

I don’t know of any way to customise the builtin storage layouts. If you want to create profiles that you can easily apply from within MAAS the tagging system might provide a solution. Since the tempita language, that is used for templating the preseeds, allows you to run python code in the templating context and the node object is available in the context, I think it should be possible to determine the machine or disk tags and apply your custom encryption configuration. That way, you only need to write one preseed with your encryption logic and then you can apply the custom “layout” by tagging the machines or disks via the UI, CLI or API accordingly.

Edit: The source for the node object can be found in the maas repo at src/maasserver/models/node.py. If you only ever need encrypted ZFS there should also be a way to skip the tagging part. Since the node object should also contain all the information about your selected storage layouts, you could also add the encryption logic whenever zfsroot is selected. I have never tried any of this though.

1 Like