File System Encryption Test =========================== Test executed to ensure LUKS volume encryption. #. Create two volumes, here named vol1, vol2. #. Attach each one to the instance (here listed as ``/dev/vdd`` and ``/dev/vde``) and mount them respectively to ``/export`` and ``/export1``. :: $ df -h Filesystem Size Used Avail Use% Mounted on ... /dev/vdd 976M 2.6M 907M 1% /export /dev/vde 976M 2.6M 907M 1% /export1 #. Encrypt ``/export``, i.e. ``/dev/vdd`` using fast_luks (``/export`` is the default value). :: $ df -h Filesystem Size Used Avail Use% Mounted on ... /dev/vde 976M 2.6M 907M 1% /export1 /dev/mapper/jtedehex 990M 2.6M 921M 1% /export Ensure that ``/export`` has the same permissions of the other two volumes. :: drwxr-xr-x. 3 centos centos 4096 Nov 9 10:27 export drwxr-xr-x. 3 centos centos 4096 Nov 9 10:27 export1 #. Put the same file on both volumes: :: $ echo "encryption test" > /export/test.txt $ echo "encryption test" > /export1/test.txt #. Umount all the volumes and luksClose the encrypted one: :: $ sudo cryptsetup luksClose /dev/mapper/jtedehex #. Create the volume binary image using ``dd``: :: sudo dd if=/dev/vdd of=/home/centos/vdd_out 2097152+0 records in 2097152+0 records out 1073741824 bytes (1.1 GB) copied, 21.809 s, 49.2 MB/s $ sudo dd if=/dev/vde of=/home/centos/vde_out 2097152+0 records in 2097152+0 records out 1073741824 bytes (1.1 GB) copied, 21.3385 s, 50.3 MB/s #. HexDump the binary image with ``xdd``: :: $ xxd vdd_out > vdd.txt $ xxd vde_out > vde.txt As output you should have: :: $ ls -ltrh -rw-r--r--. 1 root root 1.0G Nov 9 11:19 vdd_out -rw-r--r--. 1 root root 1.0G Nov 9 11:22 vde_out -rw-rw-r--. 1 centos centos 4.2G Nov 9 11:32 vdd.txt -rw-rw-r--. 1 centos centos 4.2G Nov 9 11:36 vde.txt #. Grep non-zero bytes and search for the test.txt file content ``encryption test``: :: $ grep -v "0000 0000 0000 0000 0000 0000 0000 0000" vde.txt > grep_vde.txt $ grep "encryption test" grep_vde.txt 8081000: 656e 6372 7970 7469 6f6e 2074 6573 740a encryption test. $ grep -v "0000 0000 0000 0000 0000 0000 0000 0000" vdd.txt > grep_vdd.txt $ grep "encryption test" grep_vdd.txt $ .. Note:: It is possible to see the test.txt file content only on the un-encrypted volume. Moreover, the output file grep_vde.txt is 73 kb while the encrypted one, grep_vdd.txt (138 MB), is very large: :: -rw-rw-r--. 1 centos centos 73K Nov 9 11:46 grep_vde.txt -rw-rw-r--. 1 centos centos 138M Nov 9 11:58 grep_vdd.txt We also tried to open the volume when active (LUKS volume opened and mounted, Galaxy running) in the Virtual Machine, using the cloud controller (as administrator). Test executed on the cloud controller: :: # rbd map volume-3bedc7bc-eaed-466f-9d55-f2c29b44a7b2 --pool volumes /dev/rbd0 # lsblk -f NAME FSTYPE LABEL UUID MOUNTPOINT sda |-sda1 ext4 db06fc46-7231-4189-ba2b-0b0117049680 /boot |-sda2 |-sda5 swap e5b98538-8337-4e25-8f82-f97f04258716 [SWAP] `-sda6 LVM2_member n4SAgY-GRNy-4Fl2-ROoQ-rRIf-bdBP-QC1B6s `-vg00-root ext4 1e3f1ff1-8677-4236-8cb4-07d5cad32441 / rbd0 crypto_LUKS c4bee3b9-e0dc-438e-87ae-2a3e491081c0 # mount /dev/rbd0 /mnt/ mount: unknown filesystem type ‘crypto_LUKS’ It is not possible to mount the volume without the user password.