Storage encryption workflow¶
When the storage encrpyptions is required by the user the following workflow is triggered:
All required software are installed, e.g. cryptsetup.
A strong alphanumerical passphrase is generated (100 characters long).
The storage is encrypted. Laniakea adopts, by default,
256bit keys ans
# Defaults values cipher_algorithm='aes-xts-plain64' keysize='256' hash_algorithm='sha256' device='/dev/vdb' cryptdev='crypt' mountpoint='/export' filesystem='ext4'
The passphrase is uploaded on Vault, allowing user to retrieve it through the Laniakea dashboard.
Once the LUKS partition is created, it is unlocked.
The unlocking process will map the partition to a new device name using the device mapper. This alerts the kernel that device is actually an encrypted device and should be addressed through LUKS using the
/dev/mapper/<cryptdev_name>so as not to overwrite the encrypted data.
cryptdev_nameis random generated to avoid accidental overwriting.
The volume is mounted, by default, on
/export, with standard
ext4filesystem and Galaxy is configured to store here datasets.