I had mentioned in How to Use LVM and LUKS with EBS Volumes that I used LVM and LUKS for the ephemeral volumes at Lucid Software. I have made the associated scripts public on Github, with an Apache 2.0 license. I'll take just a minute and describe what the script is and how we use it at Lucid.
You can find the scripts on Github. I have put a bit of time into making the README helpful, so I recommend you read that for instructions on using the scripts.
To make a Lucidchart AMI (any of them), we start with a common AMI that has the encrypted, LVM ephemeral drives and our Chef configuration. The steps in Github are used to create this common AMI (minus Chef).
As for the mnt LUKS partition's key file, we use Chef to store and retrieve the key file. When Chef runs, if /mnt isn't mounted, the key file is downloaded, the LUKS partition is created/unlocked, /mnt is mounted, and the key file is destroyed. Every time the instance boots, the /mnt partition will be unavailable until Chef runs the first time.
Handling the /mnt mountpoint this way gives us persistent data (across reboots) on AWS ephemeral volumes automatically. We have been using this script (boot_luks.sh) for over a year with no modifications. I wish you the same luck!
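The Chef-driven boot flow described above (check whether /mnt is mounted, fetch the key file, create or unlock the LUKS volume, mount, destroy the key), written out as an added illustrative POSIX shell script. This is not the boot_luks.sh from the repository; the device path, mapping name and the fetch_key download hook are assumptions.

```shell
#!/bin/sh
# Illustrative /mnt-on-LUKS boot flow (added example, not the project's script).
# Assumed names: MNT_DEV (the LVM volume backing /mnt), MNT_NAME (dm-crypt
# mapping) and fetch_key (a hypothetical hook that prints the key Chef fetched).
set -eu

MNT_DEV="${MNT_DEV:-/dev/mapper/vg0-mnt}"   # assumed LVM logical volume
MNT_NAME="mnt_crypt"                         # assumed dm-crypt mapping name
MNT_DIR="/mnt"
KEY_FILE="${KEY_FILE:-/root/.mnt.key}"       # assumed temporary key location

# Pick the action from observed state: "skip" when /mnt is already mounted,
# "open" when a LUKS header exists (warm reboot, data preserved), "format"
# when the ephemeral disk came back blank (instance stop/start).
decide_action() {
  mounted="$1"   # yes|no
  has_luks="$2"  # yes|no
  if [ "$mounted" = yes ]; then echo skip
  elif [ "$has_luks" = yes ]; then echo open
  else echo format; fi
}

# Write key material read from stdin to $1 with owner-only permissions; the
# umask is set before the file exists so it is never readable by others.
write_key_file() {
  ( umask 077 && cat > "$1" )
}

# The key is only needed for the unlock step; overwrite and remove it after.
destroy_key_file() {
  if command -v shred >/dev/null 2>&1; then shred -u "$1"; else rm -f "$1"; fi
}

boot_luks_main() {
  if mountpoint -q "$MNT_DIR"; then mounted=yes; else mounted=no; fi
  if cryptsetup isLuks "$MNT_DEV" 2>/dev/null; then has_luks=yes; else has_luks=no; fi
  action=$(decide_action "$mounted" "$has_luks")
  if [ "$action" = skip ]; then return 0; fi
  fetch_key | write_key_file "$KEY_FILE"     # fetch_key: hypothetical Chef download
  if [ "$action" = format ]; then
    cryptsetup luksFormat -q --key-file "$KEY_FILE" "$MNT_DEV"
  fi
  cryptsetup open --key-file "$KEY_FILE" "$MNT_DEV" "$MNT_NAME"
  if [ "$action" = format ]; then mkfs.ext4 -q "/dev/mapper/$MNT_NAME"; fi
  mount "/dev/mapper/$MNT_NAME" "$MNT_DIR"
  destroy_key_file "$KEY_FILE"
}

# Only touch real devices when invoked as "boot_luks.sh run" (as root).
if [ "${1:-}" = run ]; then boot_luks_main; fi
```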
Michael, question about VPC: Is there any tool or managed service that you have come across that could provide the following high availability services on AWS? a) Allow for multiple VPCs to be networked, managed and monitored via a remote dashboard; if a tunnel between two or more VPCs goes down, the tool auto-detects and activates a standby tunnel to ensure uptime and alerts the admin. b) Enable Highly Available NAT: provide an HA NAT capability by setting up standby NAT instances if needed. The admin should be able to monitor from a remote dashboard.
I don't know of anything that does all of those things.
Thanks for your advice on LUKS.
By the way, do you have any examples of how you use Chef to download/manage the LUKS keys? Is there a pre-built cookbook for this somewhere?
Cheers