Terminated HTTPS certs and keys in encrypted ramfs

This patch adds an element that causes the terminated HTTPS
certificates and keys to be stored in an encrypted ramfs path
so they are encrypted at rest.

Change-Id: Id0f80f311d37d5691087e855fb1291011451c851
Closes-Bug: #1627370
Michael Johnson 2016-09-25 01:40:23 +00:00
parent e4162aa5b4
commit f85e617a84
9 changed files with 106 additions and 0 deletions


@ -357,6 +357,9 @@ fi
# Add pip-cache element
AMP_element_sequence="$AMP_element_sequence pip-cache"
# Add certificate ramfs ecrypt element
AMP_element_sequence="$AMP_element_sequence cert-ramfs-ecrypt"
# Allow full elements override
if [ "$DIB_ELEMENTS" ]; then
AMP_element_sequence="$DIB_ELEMENTS"
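Review bot: the `cert-ramfs-ecrypt` element is appended to `AMP_element_sequence` unconditionally, so every amphora image built by this script gets it, even though the element's own README in this patch states that an amphora with it can no longer recover from a reboot. Since that is a behavioural regression for operators who do not use terminated HTTPS, consider gating the `AMP_element_sequence="$AMP_element_sequence cert-ramfs-ecrypt"` line behind an opt-in environment variable (the way `DIB_ELEMENTS` is already honoured just below) so that operators choose the encrypted ramfs explicitly.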


@ -0,0 +1,4 @@
Element to setup a ramfs with ecrypt to store the TLS certificates and keys.
Enabling this element will mean that the amphroa can no longer recover from a
reboot.
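Review bot: "amphroa" should be "amphora", and "setup" should be "set up" (verb). It would also help readers to say why a reboot is unrecoverable: the scripts in this patch generate a fresh random passphrase on every start, so nothing written into the ramfs survives a restart of the service, let alone a reboot, and the control plane has to push the certificates again.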


@ -0,0 +1,2 @@
dib-init-system
package-installs


@ -0,0 +1,15 @@
[unit]
Description=Creates an encrypted ramfs for Octavia certs
After=cloud-config.target
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}');certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);mkdir -p $$certs_path;mount -t ramfs -o size=1m ramfs $$certs_path;mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path'
ExecStop=/bin/sh -c 'certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);umount $$certs_path;umount $$certs_path'
RemainAfterExit=yes
TimeoutSec=0
[Install]
# TODO(johnsom) Fix when amphora-agent has a systemd script
WantedBy=multi-user.target
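Review bot: the section header `[unit]` must be `[Unit]`; systemd section names are case-sensitive, so as written `Description=` and `After=cloud-config.target` sit in an unrecognised section and the ordering after cloud-config is lost. The `ExecStart=` line also escapes `$` inconsistently: `certs_path=$$(awk ...)`, `$$3` and `$$certs_path` are doubled, but `$(cat /dev/urandom ...)`, `$passphrase`, `$token` and the trailing `$certs_path $certs_path` are not, so whether those reach `/bin/sh` intact depends on systemd's own substitution and word-splitting rules rather than on the shell. On top of that, the single quotes nested inside the outer `'...'` argument (`tr -dc 'a-zA-Z0-9'`, `-F'[][]'`, `'{printf $2}'`, `'/base_cert_dir / {printf $$3}'`) are parsed by systemd before the string is handed to `sh -c`, so the awk programs are unlikely to arrive quoted as intended. The simplest fix is to ship the body as a shell script in the element and point `ExecStart=`/`ExecStop=` at it, which makes the unit identical in behaviour to the sysvinit and upstart variants; at minimum, run `systemd-analyze verify` on the unit.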


@ -0,0 +1,45 @@
### BEGIN INIT INFO
# Provides: cert-ramfs-ecrypt
# Required-Start: $remote_fs $syslog $network cloud-config
# Required-Stop: $remote_fs $syslog $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Creates an encrypted ramfs for Octavia certs
# Description: Creates an encrypted ramfs for Octavia TLS
# certificates and key storage.
### END INIT INFO
# Using the lsb functions to perform the operations.
. /lib/lsb/init-functions
# Process name ( For display )
NAME=cert-ramfs-ecrypt
case $1 in
start)
log_daemon_msg "Starting the process" "$NAME"
passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
mkdir -p $certs_path
mount -t ramfs -o size=1m ramfs $certs_path
mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
log_end_msg 0
;;
stop)
log_daemon_msg "Stopping the process" "$NAME"
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
umount $certs_path
umount $certs_path
log_end_msg 0
;;
restart)
# Restart the daemon.
$0 stop && sleep 2 && $0 start
;;
*)
# For invalid arguments, print the usage message.
echo "Usage: $0 {start|stop|restart|reload|status}"
exit 2
;;
esac
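Review bot: the `start)` branch never checks the exit status of `mkdir`, `mount -t ramfs` or `mount -t ecryptfs` and always ends with `log_end_msg 0`, so if the ecryptfs mount fails the service still reports success while the amphora agent goes on to write keys into an unencrypted ramfs (or, if the ramfs mount also fails, onto the disk-backed directory), which silently defeats the purpose of this element. Either run the script under `set -e` or chain the three commands with `&&` and pass the result to `log_end_msg`, and on failure leave the directory unmounted so the agent errors out rather than storing plaintext. Two smaller points: the usage string advertises `reload` and `status`, which the `case` does not implement, and the double `umount $certs_path` in `stop)` (ecryptfs first, then the ramfs beneath it) deserves a comment so the next reader does not "fix" it.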


@ -0,0 +1,19 @@
description "Creates an encrypted ramfs for Octavia certs"
start on started cloud-config
stop on runlevel [!2345]
pre-start script
passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
mkdir -p $certs_path
mount -t ramfs -o size=1m ramfs $certs_path
mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
end script
post-stop script
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
umount $certs_path
umount $certs_path
end script
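Review bot: `key=passphrase:passphrase_passwd=$passphrase` puts the freshly generated passphrase on the `mount` command line, where it is readable in the process list for the duration of the mount; this applies to all three init variants in the patch. Since `ecryptfs-add-passphrase` has already loaded the key into the kernel keyring and its signature is passed as `ecryptfs_sig=$token`, consider supplying the passphrase through the helper's file-descriptor option instead of as an argument. Also note that `-o size=1m` on the `ramfs` mount is not enforced (ramfs, unlike tmpfs, has no size limit; the choice of ramfs is presumably deliberate so the keys can never be swapped to disk), so a comment stating that intent would help, and `$certs_path` should be quoted in the `mount`, `mkdir` and `umount` calls.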


@ -0,0 +1,4 @@
ecryptfs-utils:
keyutils:
libecryptfs0:
libnss3-1d:


@ -0,0 +1,2 @@
cert-ramfs-ecrypt:
default: cert-ramfs-ecrypt


@ -0,0 +1,12 @@
---
upgrade:
- To enabled encrypted ramfs storage for certificates
and keys, you must upgrade your amphora image.
deprecations:
- Amphora with a terminated HTTPS load balancer can
no longer be rebooted. If they reboot, they will
trigger a failover of the amphora.
security:
- Certificate and key storage for terminated HTTPS
load balancers is now in an encrypted ramfs path
inside the amphora.
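Review bot: "To enabled encrypted ramfs storage" should read "To enable encrypted ramfs storage". The `deprecations` entry ("they will trigger a failover of the amphora") and the element README in this patch ("can no longer recover from a reboot") describe the same behaviour in different terms; aligning the wording, and stating that the reason is a per-boot random key, would make the operator impact clearer.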