Remote unlocking of encrypted VMs in XCP-ng

Hi,

I have a small XCP-ng lab of 3 hosts in an HA cluster.
All the VMs in the cluster are encrypted for security. I was testing HA today and realised that my HA is not really working, as I still have to manually enter the password at the console to unlock the VM.
Even with monitoring in place, it can take a little while for someone to realise that the VM is down and needs a password.

The VMs having the issue are all Debian 9 so far.
Is there a way/tool to automate this process somehow? Or is this the price to pay for security?

Thank you

There are ways you can create a key server that the system reaches out to locally to unlock the server. I have never set one up, I just know it’s possible.

Just curious what your encryption scheme is, and how your computers are set up. Is root encrypted or just data partitions? What algorithm and file systems are you using?

Hi,

We use Debian OS. When we install the OS, we set it to full disk encryption.

Hope this helps.
Fred

We also base our servers on Debian with full disk encryption https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html