Ocient Security Guide

# Set Up Data Encryption
The Ocient system enables you to set up data encryption on data drives that support the Trusted Computing Group (TCG) Opal specification and to store the encryption secrets in an external key management system (KMS) using the Key Management Interoperability Protocol (KMIP). This series of workflows demonstrates generating and storing secrets using the Thales CipherTrust Manager KMS.

## Prerequisites

- A KMIP server, such as Thales CipherTrust Manager, must be available to store secrets.
- The Ocient node must be a registered client of the KMIP server.
- The client certificate and key file must be on the client, e.g., `/var/opt/ocient/kmip/client.crt` and `/var/opt/ocient/kmip/client.key`.
- The CA certificate must be present on the client, e.g., `/var/opt/ocient/ca.pem`.
- The client must be able to communicate with the KMIP server.
- The [sedutil-cli](https://sedutil.com/) utility must be installed to manage the SED configuration of the drive, and the `sedutil-cli` command must be available on the system `PATH` variable.
- Ensure that all NVMe drives intended for use with Ocient:
  - are bound to the kernel `nvme` driver;
  - have no partition table;
  - are in the Opal factory state (use the `--revertTPer` or `--revertNoErase` sedutil commands);
  - have these initial settings, with the SID password set to `admin`:

```
Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MBRAbsent = N, MediaEncrypt = Y
```

## Set Up Data Encryption

Use a configuration file and a script to generate the secret or key.

1. Generate a configuration file with the path `/var/opt/ocient/ockmip.conf`. The configuration file uses the [PyKMIP](https://github.com/openkmip/pykmip) configuration file format, such as this:

   ```text
   [client]
   host=thales01.example.com
   port=5696
   certfile=/var/opt/ocient/kmip/client.crt
   keyfile=/var/opt/ocient/kmip/client.key
   ca_certs=/var/opt/ocient/kmip/ca.pem
   ```

2. Run this command:

   ```
   sudo /opt/ocient/utils/ockmip init
   ```

   The script performs these operations for each drive that the OS detects as unused (no partition table present, or with an Ocient partition):

   - Generate a password or key for locking the drive.
   - Store the secret password or key on the KMIP server.
   - Enable Opal locking on the drive and set the Admin1 password to the generated secret.
   - Set the SID password to `admin` to enable reverting the drive to the factory state in case the Admin1 password is lost.

3. To enable the script to run on start, before the drives are bound to the `uio` or `vfio` driver by the system bind-uio-driver service installed by the Ocient package, run this command:

   ```
   sudo /opt/ocient/utils/ockmip install
   ```

On reboot, the `ockmip` service unlocks the drives before they are bound to the `uio` or `vfio` driver and become available for use by the `rolehostd` process.

The full setup sequence is as follows:

1. Configure the `ockmip.conf` configuration file with all of the appropriate settings.
2. Stop the `rolehostd` process if it is running.
3. Unbind the drives from the `uio` or `vfio` driver back to the `nvme` driver.
4. If Ocient has already been bootstrapped on the node, use the `import-drives` command. Otherwise, use the `init-drives` command.

   ```
   # Ocient has been bootstrapped
   ockmip import-drives
   # Ocient has not been bootstrapped
   ockmip init-drives
   ```

5. Set the node role configuration `useOpal` to `false` within the `rolehostd.conf` file.
6. Back up any existing keys in `/var/opt/ocient/localkeystore` in case you encounter any issues.
7. Install the systemd service to unlock the drives on reboot: `ockmip install`.
8. Optionally, power the node off and on to ensure that the installation was successful and that the `ockmip` service unlocks the drives on boot.

The migration process output might be similar to this:

```
[root@ppolllercs00006 ocient]# ockmip -l debug import-drives
[2024-09-12 12:45:32,853][INFO] Using conf file /var/opt/ocient/ockmip.conf
[2024-09-12 12:45:33,427][INFO] Importing drive(s)
[2024-09-12 12:45:33,427][INFO] Importing secret for /dev/nvme15 BTAX240306A015PFGN
```

After reboot, the `ockmip` service output might be similar to this:

```
[root@dpolllercs0002e log]# systemctl status ockmip
○ ockmip.service - Oneshot service to unlock NVMe drives via ockmip script using secrets stored in KMIP service
     Loaded: loaded (/etc/systemd/system/ockmip.service; enabled; preset: disabled)
     Active: inactive (dead) since Wed 2024-09-11 19:11:55 UTC; 31min ago
    Process: 3217 ExecStart=/usr/local/bin/ockmip unlock (code=exited, status=0/SUCCESS)
   Main PID: 3217 (code=exited, status=0/SUCCESS)
        CPU: 3.097s

Sep 11 19:11:52 dpolllercs0002e ockmip[3217]: [2024-09-11 19:11:52,429][INFO] Retrieving secret for /dev/nvme2 S64GNN0WC04870
```

The `rolehostd` process should start up without managing encryption itself, because the `ockmip` service handles it.

## Troubleshooting

For more details on the possible commands, see the help using this command:

```
sudo /opt/ocient/utils/ockmip --help
```

To diagnose issues, examine the log located at `/var/opt/ocient/log/ockmip.log`.

To perform actions on a particular drive or set of drives, specify them manually with the `--drives` parameter:

```
sudo ockmip unlock --drives /dev/nvme1n1 --drives /dev/nvme2n1
```

### NCERRInsufficientPermissions Error

When attempting to register the drives, you see this error:

```
[2024-08-26 17:27:51,350][INFO] Using conf file /var/opt/ocient/ockmip.conf
[2024-08-26 17:27:51,917][INFO] Initializing drive(s)
[2024-08-26 17:27:51,917][INFO] Generating and storing secret for /dev/nvme15
[2024-08-26 17:27:52,089][ERROR] Error registering secret with KMIP server /dev/nvme15
Traceback (most recent call last):
  File "/opt/ocient/utils/test/ocutil.sh.runfiles/xgsrc/python/ocutil/ockmip.py", line 232, in init_drives
    self.client.register(data)
  File "/opt/ocient/utils/test/ocutil.sh.runfiles/pip_packages_pykmip/site-packages/kmip/pie/client.py", line 41, in wrapper
    return function(self, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/ocient/utils/test/ocutil.sh.runfiles/pip_packages_pykmip/site-packages/kmip/pie/client.py", line 573, in register
    raise exceptions.KmipOperationFailure(status, reason, message)
kmip.pie.exceptions.KmipOperationFailure: OPERATION_FAILED: GENERAL_FAILURE - [NCERRInsufficientPermissions]
```

To fix this, regenerate the certificate on the endpoint of the Thales device (as the root CA has no trust) in the Thales administrator.

### Disk Replacement

After you swap a disk, initialize it using the `ockmip` utility to add the encryption secret to Thales.

### ockmip Service Status

Check the status after the system boots to ensure that all drives have been correctly unlocked:

```
[root@ppolllercs00007 ~]# journalctl -u ockmip -S today
Sep 12 12:38:09 ppolllercs00007 systemd[1]: Starting Oneshot service to unlock NVMe drives via ockmip script using secrets stored in KMIP service...
Sep 12 12:38:10 ppolllercs00007 ockmip[2681]: [2024-09-12 12:38:10,623][INFO] Using conf file /var/opt/ocient/ockmip.conf
Sep 12 12:38:11 ppolllercs00007 ockmip[2681]: [2024-09-12 12:38:11,221][INFO] Unlocking drive(s)
```

### Timeouts When Contacting Thales

If there is a network outage, or Thales maintenance happens, you might see this output when you attempt to unlock the drives:

```
Sep 12 17:05:59 ppolllercs0000d systemd[1]: Starting Oneshot service to unlock NVMe drives via ockmip script using secrets stored in KMIP service...
Sep 12 17:06:01 ppolllercs0000d ockmip[3346]: [2024-09-12 17:06:01,040][INFO] Using conf file /var/opt/ocient/ockmip.conf
Sep 12 17:06:31 ppolllercs0000d ockmip[3346]: [2024-09-12 17:06:31,345][ERROR] An error occurred while connecting to appliance cmttnprd5a.t-mobile.com: timed out
Sep 12 17:06:31 ppolllercs0000d ockmip[3346]: [2024-09-12 17:06:31,346][ERROR] Could not open client connection: timed out
Sep 12 17:06:31 ppolllercs0000d ockmip[3346]: [2024-09-12 17:06:31,346][ERROR] Unable to open connection to KMIP server
```
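Two checks that this guide relies on, as an added example that is not part of the Ocient documentation or of the `ockmip` utility: a parser that verifies the prerequisite Opal drive state (the `Locked`/`LockingEnabled`/... line under Prerequisites) from `sedutil-cli --query` style output, and a triage pass over `ockmip.log` or `journalctl -u ockmip` lines that flags the post-boot status check and the two troubleshooting cases above (KMIP timeouts and `NCERRInsufficientPermissions`). All sample inputs are constructed and modelled on the guide's excerpts; the function names, the placeholder hostnames, serials and KMS name are assumptions.

```python
"""Added example (not from the Ocient docs or the ockmip utility): offline checks
for the drive prerequisite and for the ockmip boot/troubleshooting log output."""
import re

# Initial Opal settings the guide requires before running `ockmip init`.
REQUIRED_OPAL_STATE = {
    "Locked": "N", "LockingEnabled": "N", "LockingSupported": "Y",
    "MBRDone": "N", "MBREnabled": "N", "MBRAbsent": "N", "MediaEncrypt": "Y",
}
_KV_RE = re.compile(r"\b([A-Za-z]+)\s*=\s*([YN])\b")


def check_drive_state(query_output):
    """Return sorted (field, expected, actual) mismatches for one drive's
    `sedutil-cli --query` output; actual is None if the field is absent.
    An empty list means the drive is in the required factory state."""
    found = dict(_KV_RE.findall(query_output))
    return sorted((f, want, found.get(f))
                  for f, want in REQUIRED_OPAL_STATE.items()
                  if found.get(f) != want)


# ockmip payload inside a raw ockmip.log line or a journalctl line.
_LOG_RE = re.compile(r"\[(?P<ts>[\d-]+ [\d:,]+)\]\[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
# Message fragments taken from the log excerpts in this guide.
_PATTERNS = [
    ("kmip_permission_denied", re.compile(r"NCERRInsufficientPermissions")),
    ("kmip_timeout", re.compile(r"timed out|Unable to open connection to KMIP server")),
    ("kmip_register_failed", re.compile(r"Error registering secret")),
    ("secret_retrieved", re.compile(r"Retrieving secret for (?P<dev>/dev/nvme\S+)")),
    ("unlocking", re.compile(r"Unlocking drive\(s\)")),
]


def triage_ockmip_log(lines):
    """Classify ockmip log / journalctl lines. Returns per-condition counts,
    the devices whose secrets were retrieved, the ERROR messages, and a
    verdict: "ok" (unlock started, no errors), "failed" (any ERROR line or a
    KMIP permission failure in a traceback), or "unknown"."""
    result = {"counts": {}, "devices": [], "errors": []}
    saw_unlock = False
    for raw in lines:
        m = _LOG_RE.search(raw)
        # systemd "Starting ..." lines and traceback lines have no [ts][LEVEL]
        # prefix; still scan them so the KMIP failure reason is not missed.
        level = m.group("level") if m else None
        msg = m.group("msg") if m else raw
        if level == "ERROR":
            result["errors"].append(msg)
        for name, pat in _PATTERNS:
            hit = pat.search(msg)
            if not hit:
                continue
            result["counts"][name] = result["counts"].get(name, 0) + 1
            if name == "secret_retrieved":
                result["devices"].append(hit.group("dev"))
            elif name == "unlocking":
                saw_unlock = True
    failed = bool(result["errors"]) or "kmip_permission_denied" in result["counts"]
    result["verdict"] = "failed" if failed else ("ok" if saw_unlock else "unknown")
    return result


# Constructed sample inputs modelled on the guide's excerpts (hostnames,
# serials and the KMS name are placeholders, not real output).
SAMPLE_QUERY_OK = (
    "/dev/nvme1 NVMe EXAMPLE-SSD FW1.0 SERIAL0001\n"
    "Locking function (0x0002)\n"
    "    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, "
    "MBREnabled = N, MBRAbsent = N, MediaEncrypt = Y\n"
)
SAMPLE_QUERY_LOCKED = SAMPLE_QUERY_OK.replace("Locked = N, LockingEnabled = N", "Locked = Y, LockingEnabled = Y")
SAMPLE_QUERY_NO_MBRABSENT = SAMPLE_QUERY_OK.replace("MBRAbsent = N, ", "")
SAMPLE_BOOT_OK = [
    "Sep 12 12:38:09 host1 systemd[1]: Starting Oneshot service to unlock NVMe drives via ockmip script using secrets stored in KMIP service...",
    "Sep 12 12:38:10 host1 ockmip[2681]: [2024-09-12 12:38:10,623][INFO] Using conf file /var/opt/ocient/ockmip.conf",
    "Sep 12 12:38:11 host1 ockmip[2681]: [2024-09-12 12:38:11,221][INFO] Unlocking drive(s)",
    "Sep 12 12:38:11 host1 ockmip[2681]: [2024-09-12 12:38:11,300][INFO] Retrieving secret for /dev/nvme2 SERIAL0002",
]
SAMPLE_BOOT_TIMEOUT = [
    "Sep 12 17:06:01 host1 ockmip[3346]: [2024-09-12 17:06:01,040][INFO] Using conf file /var/opt/ocient/ockmip.conf",
    "Sep 12 17:06:31 host1 ockmip[3346]: [2024-09-12 17:06:31,345][ERROR] An error occurred while connecting to appliance kms.example.com: timed out",
    "Sep 12 17:06:31 host1 ockmip[3346]: [2024-09-12 17:06:31,346][ERROR] Could not open client connection: timed out",
    "Sep 12 17:06:31 host1 ockmip[3346]: [2024-09-12 17:06:31,346][ERROR] Unable to open connection to KMIP server",
]
SAMPLE_INIT_DENIED = [
    "[2024-08-26 17:27:51,917][INFO] Generating and storing secret for /dev/nvme15",
    "[2024-08-26 17:27:52,089][ERROR] Error registering secret with KMIP server /dev/nvme15",
    "kmip.pie.exceptions.KmipOperationFailure: OPERATION_FAILED: GENERAL_FAILURE - [NCERRInsufficientPermissions]",
]

if __name__ == "__main__":
    print("factory state:", check_drive_state(SAMPLE_QUERY_OK) or "ok")
    print("locked drive:", check_drive_state(SAMPLE_QUERY_LOCKED))
    for label, log in (("boot", SAMPLE_BOOT_OK), ("timeout", SAMPLE_BOOT_TIMEOUT), ("init", SAMPLE_INIT_DENIED)):
        print(label, triage_ockmip_log(log)["verdict"])
```

In practice you would feed `check_drive_state` the output of `sedutil-cli --query` for each NVMe device before running `ockmip init`, and run `triage_ockmip_log` over `journalctl -u ockmip -S today` after each reboot; a verdict other than `ok` is the signal to look at `/var/opt/ocient/log/ockmip.log` before the `rolehostd` process is started against drives that may still be locked.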