Is it possible to mount an encrypted NSS volume from a command line vs. NSSMU?

  • 7016054
  • 12-Jan-2015
  • 12-Jan-2015

Environment

Novell Open Enterprise Server 11 (OES 11) Linux
Novell Open Enterprise Server 2 (OES 2) Linux

Situation

Due to corporate mandate, IT departments may need to encrypt stored data. They may further need all data brought back online after a server reboot without manual intervention, which conflicts with the normal NSS behaviour of asking a person for the encryption password when the volume is mounted.

Resolution

There is no way to do this with OES 2 or earlier: the password must be typed interactively in NSSMU.

With OES 11 and later, the NLVM command line interface accepts the volume encryption password as an argument to the mount command:
nlvm volume mount <volume_name> [encryption_password]
NSS cannot mount an encrypted volume when it loads because no password is available at that point, so the command must run later in the boot sequence, typically from /etc/init.d/after.local, which is executed after the other init scripts have finished. (NOTE: see the "Additional Information" section for ways to reduce the exposure of the stored password.)

Additional Information

In OES 2 and earlier, NSS sat on a different volume manager whose tools offered no way to supply the encryption password from a script; NSSMU was therefore the only way to enter it.

With OES 11 and later, the volume manager was changed to NLVM, whose mount command takes the encryption password as an option. Needless to say, having the password supplied by a script instead of typed by a human is a security risk: the password has to be stored somewhere on the file system, and anyone who can read that location can decrypt the volume. One way to reduce (not remove) the risk is to keep the password for a given volume out of after.local itself and put it in a separate file in a protected area, owned by root and with mode 0600, so that only root can read it. Storing the password in an encrypted form that is decrypted during boot is better still, with the caveat that if the key needed to decrypt it also lives on the same server this is obfuscation rather than real protection against an attacker who already has root or raw disk access; it mainly guards against the password being picked up from backups or casual inspection. Be aware as well that the password is passed to nlvm as a command-line argument, so it is visible in the process list (for example via ps) for as long as the nlvm command runs. If the password is stored in a file, the line in after.local would appear as:

with unencrypted file:
     nlvm volume mount <volume_name> "$(cat /pathToFile/fileWithPassword)"

with encrypted password in file:
    nlvm volume mount <volume_name> "$(binaryToDecryptPassword < /pathToFile/fileWithPassword)"
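The following is an added example, not part of the original TID and not Novell code, of a small helper script that after.local can source instead of carrying the one-liners above. It refuses to use a password file unless it is a regular, non-empty file with mode 0600 or 0400, reads only the first line of the file (so a trailing newline is not treated as part of the password), optionally runs a decrypt command on the file contents, and only then calls nlvm with the syntax given in this article. The nlvm location, the file paths, the volume name and the decrypt helper are assumptions for illustration; the ownership check is deliberately left to the file system (create the file as root in a root-only directory) so the functions can also be exercised as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the TID): helper functions for /etc/init.d/after.local
# that mount an encrypted NSS volume from a password file. The nlvm syntax
# follows this article:  nlvm volume mount <volume_name> [encryption_password]
# NLVM path, file names and the decrypt command are assumptions.

NLVM=${NLVM:-nlvm}   # assumed to be on root's PATH at boot; override if needed

# check_password_file FILE
# Succeed only for a regular, non-empty file whose mode is exactly 0600 or
# 0400, i.e. no group/other access. Ownership is not checked here so the
# helper can run under a non-root test user; in production the file must be
# created by root in a root-only directory.
check_password_file() {
  f=$1
  if [ ! -f "$f" ]; then
    echo "password file $f missing or not a regular file" >&2
    return 1
  fi
  if [ ! -s "$f" ]; then
    echo "password file $f is empty" >&2
    return 1
  fi
  # find prints the path only when the mode matches; empty output means reject
  if [ -z "$(find "$f" -maxdepth 0 \( -perm 0600 -o -perm 0400 \) 2>/dev/null)" ]; then
    echo "password file $f must be mode 0600 or 0400" >&2
    return 1
  fi
  return 0
}

# read_password FILE [DECRYPT_CMD]
# Print the password on stdout. Without DECRYPT_CMD the file holds the
# clear-text password. With DECRYPT_CMD (a command that reads ciphertext on
# stdin and writes the clear-text password on stdout, the
# "binaryToDecryptPassword" of the article) the file holds ciphertext.
# Only the first line is used, so a trailing newline is not part of the password.
read_password() {
  f=$1
  decrypt=$2
  if [ -n "$decrypt" ]; then
    "$decrypt" < "$f" | head -n 1
  else
    head -n 1 "$f"
  fi
}

# mount_encrypted_volume VOLUME PASSWORD_FILE [DECRYPT_CMD]
# Validate the password file, obtain the password and hand it to nlvm.
# Caveat: nlvm receives the password as an argument, so it is visible in the
# process list (ps, /proc/<pid>/cmdline) while the nlvm process runs.
mount_encrypted_volume() {
  vol=$1
  pwfile=$2
  decrypt=$3
  check_password_file "$pwfile" || return 1
  pw=$(read_password "$pwfile" "$decrypt")
  if [ -z "$pw" ]; then
    echo "no password obtained for volume $vol" >&2
    return 1
  fi
  if "$NLVM" volume mount "$vol" "$pw"; then
    echo "mounted encrypted NSS volume $vol" >&2   # never log $pw itself
    return 0
  fi
  echo "nlvm failed to mount volume $vol" >&2
  return 1
}

# What /etc/init.d/after.local would contain (paths and volume name assumed):
#   . /etc/nss-encvol.sh
#   mount_encrypted_volume ENCVOL /etc/nss-encvol.pw
# or, with an encrypted password file and a decrypt helper:
#   mount_encrypted_volume ENCVOL /etc/nss-encvol.enc /usr/local/sbin/decrypt-nss-pw
```

Because nothing runs at the top level, the file can be sourced from after.local and the functions called by name; a failed mode check or a non-zero exit from nlvm is reported on stderr and returned to the caller rather than silently ignored. The decrypt command is invoked as a program name with the ciphertext on its stdin, not evaluated as a shell string, so the helper does not become an injection point if the file contents are tampered with.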