Storage encryption workflowΒΆ
When the storage encrpyptions is required by the user the following workflow is triggered:
All required software are installed, e.g. cryptsetup.
A strong alphanumerical passphrase is generated (100 characters long).
The storage is encrypted. Laniakea adopts, by default,
xts-aes-plain64
cipher with256
bit keys anssha256
hashing algorithm.# Defaults values cipher_algorithm='aes-xts-plain64' keysize='256' hash_algorithm='sha256' device='/dev/vdb' cryptdev='crypt' mountpoint='/export' filesystem='ext4'
The passphrase is uploaded on Vault, allowing user to retrieve it through the Laniakea dashboard.
Once the LUKS partition is created, it is unlocked.
The unlocking process will map the partition to a new device name using the device mapper. This alerts the kernel that device is actually an encrypted device and should be addressed through LUKS using the
/dev/mapper/<cryptdev_name>
so as not to overwrite the encrypted data.cryptdev_name
is random generated to avoid accidental overwriting.The volume is mounted, by default, on
/export
, with standardext4
filesystem and Galaxy is configured to store here datasets.