Migrating eCryptfs-Encrypted Data to dm-crypt
As of August 2015, filesystem-level encryption using eCryptfs is deprecated. Use this procedure to migrate to dm-crypt.
RHEL 7 does not support eCryptfs. For new installations on RHEL 7, you must use Block-Level Encryption with dm-crypt. If you are planning on upgrading to RHEL 7 and are currently using eCryptfs, migrate to dm-crypt before upgrading.
Warning: Before encrypting or decrypting any data, stop all processes (for example, MySQL, MongoDB, PostgreSQL, and so on) that have access to the target data. Failure to do so could lead to data corruption.
- Prepare an empty block device. This can be a physical block device (such as an unused disk) or a virtual block device (for example, a logical block device created by LVM, or a loop device). For instructions on creating a loop device, see Block-Level Encryption with a Loop Device.
- Stop any services that depend on the encrypted data being moved.
- Prepare a block-level encrypted mount point. See Preparing for Encryption Using Cloudera Navigator Encrypt for details about the procedure.
- Add ACL rules for the new encrypted mount point that match the ACL rules for the mount point you are migrating from. To view existing ACL rules, run sudo navencrypt acl --print.
- Add an ACL rule for your preferred shell (for example, /bin/bash) to enable command-line utilities such as mv and cp:
$ sudo navencrypt acl --add --rule="ALLOW @category * /bin/bash"
- Copy the encrypted data from the eCryptfs mount point to the dm-crypt mount point:
$ sudo cp -rp /ecryptfs/mountpoint/path/to/data /dmcrypt/mountpoint/path/to/data
- Update any symbolic links referencing the encrypted data. The following example demonstrates updating a symbolic link for a PostgreSQL database that was originally encrypted using eCryptfs, but has been migrated to dm-crypt:
$ sudo ls -l /var/lib/db/data/base/16385
lrwxrwxrwx 1 root root 72 Jul 22 15:33 /var/lib/db/data/base/16385 -> /ecryptfs/mountpoint/postgres/var/lib/db/data/base/16385
$ sudo ln -sif /dmcrypt/mountpoint/postgres/var/lib/db/data/base/16385 /var/lib/db/data/base/16385
$ sudo ls -l /var/lib/db/data/base/16385
lrwxrwxrwx 1 root root 72 Jul 22 15:33 /var/lib/db/data/base/16385 -> /dmcrypt/mountpoint/postgres/var/lib/db/data/base/16385
- Remove the ACL rule enabling command-line utilities:
$ sudo navencrypt acl --del --rule="ALLOW @category * /bin/bash"
- Restart any services that depend on the encrypted data.
- Verify that the data was successfully copied, then delete the original eCryptfs-encrypted data. Do not delete any data until you are certain that you no longer need the original data.
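The "verify the copy" and "update symbolic links" steps above can be scripted for a whole data tree. The following is an added example, not part of the Cloudera documentation: a byte-for-byte check of the copied tree before the eCryptfs original is deleted, and a generalisation of the single `ln -sif` command to every symlink under a directory. The /ecryptfs and /dmcrypt paths are placeholders for the real mount points, and the demonstration runs on constructed temporary directories only.

```shell
#!/bin/sh
# Added example, not part of the Cloudera documentation: helpers for the
# "verify the copy" and "update symbolic links" steps of this migration.
# The /ecryptfs and /dmcrypt paths are placeholders for the real mount points.

# verify_copy SRC DST: compare every regular file under SRC (dotfiles
# included) byte-for-byte with the same relative path under DST.
# Returns 0 only if all files are present and identical; lists any that
# are missing or differ. Run it before deleting the eCryptfs copy.
verify_copy() {
    src=$1; dst=$2
    (cd "$src" && find . -type f) | {
        bad=0
        while IFS= read -r f; do
            cmp -s "$src/$f" "$dst/$f" || { echo "MISSING or DIFFERENT: $f" >&2; bad=1; }
        done
        exit "$bad"   # subshell status becomes the pipeline's, hence the function's
    }
}

# retarget_symlinks ROOT OLD_PREFIX NEW_PREFIX: every symlink under ROOT whose
# target starts with OLD_PREFIX is pointed at the same path under NEW_PREFIX.
# This generalises the single `ln -sif` in the procedure to a whole tree;
# -n stops ln from descending into a link that still resolves to a directory.
retarget_symlinks() {
    root=$1; old=$2; new=$3
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink "$link")
        case $target in
            "$old"/*) ln -sfn "$new${target#"$old"}" "$link" ;;
        esac
    done
}

# Constructed demonstration on temporary directories (no real mount points).
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/ecryptfs/postgres/base/1" "$t/dmcrypt" "$t/var/lib/db/data/base"
    printf 'row data\n' > "$t/ecryptfs/postgres/base/1/16385"
    cp -rp "$t/ecryptfs/postgres" "$t/dmcrypt/postgres"
    verify_copy "$t/ecryptfs/postgres" "$t/dmcrypt/postgres" && echo "copy verified"
    ln -s "$t/ecryptfs/postgres/base/1" "$t/var/lib/db/data/base/16385"
    retarget_symlinks "$t/var/lib/db" "$t/ecryptfs" "$t/dmcrypt"
    ls -l "$t/var/lib/db/data/base/16385"
    rm -rf "$t"
}
demo
```

verify_copy only compares file contents; ownership and mode are preserved by `cp -rp` but are not checked here.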
- Stop the navencrypt-mount service:
$ sudo service navencrypt-mount stop
- Remove the original mount point directory and the storage directory containing the original encrypted data.
- Edit /etc/navencrypt/ztab and remove entries for the original encrypted directory where eCryptfs is listed as the <type>.
Important: Use caution when editing the /etc/navencrypt/ztab file. Entries are tab-separated (not space-separated). The ztab file must not contain empty lines.
- Start the navencrypt-mount service:
$ sudo service navencrypt-mount start
Page generated July 8, 2016.
©2016 Cloudera, Inc. All rights reserved.