Storage encryption for hosted applications with cryptctl

How can I do this " Storage encryption for hosted applications with cryptctl" on Rocky or could I use SUSE as the server and have Rocky get the keys from here?

I basically want to do this:

  1. “Encryption keys are located on a central server”.
  2. “A client is a machine that has one or more encrypted partitions but does not permanently
    store the necessary key to decrypt those partitions. For example, clients can be cloud or
    otherwise hosted machines”
  3. “The server holds encryption keys that can be requested by clients to unlock encrypted
    partitions.”

Hi,

As far as I see it’s a SUSE project, so doesn’t exist yet on other systems. But, that aside, even if it was available, from the link that you posted it’s not currently possible to encrypt partitons - only directories.

The following interactive setup of cryptctl is currently the only setup method.

Make sure the following preconditions are fulfilled:

A cryptctl server is available over the network.
There is a directory to encrypt.
The client machine has an empty partition available that is large enough to fit the directory to encrypt.

perhaps sometime in the future they will offer the functionality to actually encrypt partitions. The only problem I see with this is, since some partitions would have to be unencrypted to actually boot for a start, and the / partition also, since the network isn’t active until at least part of the system has booted at least anyway. So not sure how they would do that since, first the network needs to be active, and second, their client app needs to communicate with the server holding the keys.

@iwalker,

Thanks for the reply, okay lets drop the partition part and talk about having a “Encryption keys are located on a central server” for 1) (un)encrypting folders, 2) encrypting communication for http (internet and local) and local network (ssh, IDM, etc.,).

I’m still reading and studying RHEL Manuals, but so far I have not found how to configure such a task. Can you link me to such a documentation / guide?

Well, as per the link you put, cryptctl doesn’t do that either. SSH is already encrypted, just like HTTPS is HTTP with encryption. Although that’s not the same as end-to-end encryption or sending encrypted data via a HTTPS connection. Vendors/companies that make such type of applications do all that development work themselves anyway.

I don’t really understand your question or what you are trying to achieve to be honest. Your post lacks a lot of information for anyone to be able to suggest anything anyway.

Oh yea, I should’ve been more clear. I’ve created test network using hyper-v with: 1) private switch for all VM’s, 2) 1 external switch for pfSense VM router, 3) internal switch for a host connection using its own IP net like 10.10.10.100-etc for selected VM’s. This will be my test company local network. As I’m reading the guide on a IDM Server, I want this server to handle all cert’s for the network including http connections from user from the internet.

I may have gotten you and myself off tract wanting to use SUSE for the Central Cert Server, but it looks like IDM is really what I need, but in addition to IDM servicing cert’s for network related stuff I also want to be able to:

  1. solicite the IDM Server for the keys to (un)encrypt folders,
  2. I have my own CA Cert and want to install it on the IDM Server for HTTP encryption both for the internet and local connection.
  3. use ssl keys for logging in to certain parts of the network locally as well as some employees from home.

Is this an over stretch or can this be accomplished using a IDM Server? I don’t want to have keys all over the place inside each VM (OS System). My goal is to go live next summer of 2022 and working on Security first.