Environment
Novell Open Enterprise Server 11 (OES 11) Linux
Novell Open Enterprise Server 2 (OES 2) Linux
Situation
Due to corporate mandate, IT departments may need to implement encryption of stored data. Further, they may need all data to be brought online after a server reboot without manual intervention.
Resolution
There is no way to do this on OES 2 or earlier.
With OES 11 and later, the NLVM command line interface can be used to pass the volume encryption password with the volume mount command:

nlvm volume mount <volume_name> [encryption_password]

Because NSS cannot mount an encrypted volume at load time (no password is available then), this command must be run from /etc/init.d/after.local, which SUSE executes after the other init scripts have completed. (NOTE: see the "Additional Information" section for methods to reduce the exposure of the stored encryption password.)
Additional Information
On OES 2 and earlier, NSS volumes were managed through EVMS, and the only way to supply the encryption password was to enter it in nssmu.
With OES 11 and later, the volume manager changed to NLVM, whose mount command accepts the encryption password as a command-line option. Needless to say, not having a human enter the password is a security risk: the password is stored on the file system. One way to reduce the risk is to put the password for a given volume into a file in a protected location, readable only by root. (Storing it in encrypted form and decrypting it during boot would be more secure still, although the decryption key then has to be available at boot as well.) If the password is stored in a file, the line in after.local would appear as:
with unencrypted file:
nlvm volume mount <volume_name> `cat /pathToFile/fileWithPassword`
with encrypted password in file:
nlvm volume mount <volume_name> `cat /pathToFile/fileWithPassword | binaryToDecryptPassword`
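The following is an added example, not Novell's code and not part of the original TID: an after.local fragment that mounts an encrypted NSS volume at boot with the nlvm syntax shown above, but reads the password from a root-only file and refuses to run if that file is world- or group-readable. The volume name SECVOL, the path /etc/nss/secvol.pw and the NLVM variable are assumptions for illustration; the variable exists only so the functions can be exercised on a machine without nlvm.

```shell
#!/bin/bash
# Added example (not Novell's code): a fragment for /etc/init.d/after.local
# that mounts an NSS encrypted volume at boot, reading the password from a
# root-only file instead of writing it into the script. The volume name and
# password file path are assumed placeholders; NLVM only lets the functions
# be exercised where the nlvm binary is not installed.

VOLUME_NAME="SECVOL"                  # assumed volume name
PASSWORD_FILE="/etc/nss/secvol.pw"    # assumed location; root-owned, mode 0600
NLVM="${NLVM:-nlvm}"                  # nlvm is on PATH on OES 11

# Accept a password file only if it is a regular, non-empty file owned by
# the invoking user (root at boot) with no group or other access.
# Returns 0 when the file is acceptable, 1 otherwise.
check_password_file() {
    local f="$1" mode owner
    if [ ! -f "$f" ] || [ ! -s "$f" ]; then
        echo "password file $f missing or empty" >&2
        return 1
    fi
    owner=$(stat -c '%u' "$f")
    mode=$(stat -c '%a' "$f")
    if [ "$owner" != "$(id -u)" ]; then
        echo "password file $f is not owned by uid $(id -u)" >&2
        return 1
    fi
    case "$mode" in
        600|400) return 0 ;;
        *)  echo "password file $f has mode $mode; expected 0600 or 0400" >&2
            return 1 ;;
    esac
}

# Mount VOLUME using the first line of PWFILE as the encryption password,
# with the nlvm syntax quoted in the TID:
#   nlvm volume mount <volume_name> [encryption_password]
# Returns nlvm's exit status, or 1 if the password file is rejected.
mount_encrypted_volume() {
    local volume="$1" pwfile="$2" password
    check_password_file "$pwfile" || return 1
    password=$(head -n 1 "$pwfile")    # command substitution drops the newline
    "$NLVM" volume mount "$volume" "$password"
}

# At boot: attempt the mount only when the password file is present, and
# report the outcome so a failed mount shows up in the boot messages.
if [ -e "$PASSWORD_FILE" ]; then
    if mount_encrypted_volume "$VOLUME_NAME" "$PASSWORD_FILE"; then
        echo "NSS volume $VOLUME_NAME mounted" >&2
    else
        echo "NSS volume $VOLUME_NAME NOT mounted" >&2
    fi
fi
```

Two caveats remain even with the permission check. The password is passed to nlvm as a command-line argument, so it is briefly visible in the process list (/proc/<pid>/cmdline) while nlvm runs; that is inherent to the nlvm syntax. And a password stored anywhere on the server only protects against loss of the encrypted volume's media by itself: anyone with root on the box, or with the OS disk that holds the file, has the password.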