Encryption is a method used to scramble data, ensuring that only authorized parties can decrypt it.
By encrypting your data, you can rest assured that it remains secure even in the event of a stolen disk or a network eavesdropper.
However, encryption comes with the cost of reduced performance. You may experience a loss of up to 30% in speed depending on your workload.
If you lose your password, we have no way to recover your data.
Firstly, your group/project administrator (one or more designated persons, or the PI) creates a key (called a protector) and locks (called policies), or multiple keys and locks, depending on the needs of your internal rules.
You also create a key (protector) for yourself, and the group admin adds that to the correct lock (policy). Then, you can use those policies to encrypt the folder you own.
Anyone whose protector has been added to a policy can unlock a folder that has been encrypted with that policy.
To do that, the group/project admin creates a protector and secures it with their own password:
sg GROUPADMINS-GROUPNAME -c \
"fscrypt metadata create protector /mnt/lustre --source=custom_passphrase --name=${USER}_a-name-for-the-protector"
Then, they create the policy:
sg GROUPADMINS-GROUPNAME -c \
"fscrypt metadata create policy /mnt/lustre --protector=/mnt/lustre:ID-OF-THE-PROTECTOR-FROM-PREVIOUS-COMMAND"
Group/project admins MUST run the following command on the policy to adjust the permissions for other admins of the group/project:
chmod g+rw /mnt/lustre/.fscrypt/policies/ID-OF-POLICY-FROM-PREVIOUS-COMMAND
# Admins: Please check the permissions on the file to ensure that you have given read/write permission to the correct group.
# It should be the admins group of your group, not the group itself or other groups that you are part of.
ls -l /mnt/lustre/.fscrypt/policies/ID-OF-POLICY-FROM-PREVIOUS-COMMAND
Finally, the group/project admin shares the created policy with you via:
# Share the policy with the whole group/project members
setfacl -m g:YOUR-GROUPNAME:r /mnt/lustre/.fscrypt/policies/ID-OF-POLICY-FROM-PREVIOUS-COMMAND
# Share it with a specific user
setfacl -m u:YOUR-USERNAME:r /mnt/lustre/.fscrypt/policies/ID-OF-POLICY-FROM-PREVIOUS-COMMAND
In return, you create your own protector like before with a temporary password:
fscrypt metadata create protector /mnt/lustre --source=custom_passphrase --name=${USER}_a-name-for-the-protector
Then you give the group admin read permission on it via:
setfacl -m g:GROUPADMINS-GROUPNAME:r /mnt/lustre/.fscrypt/protectors/ID-OF-PROTECTOR-FROM-PREVIOUS-COMMAND
You should send the ID of the protector you just created along with the temporary password you assigned to it to the group admin.
Then, the group admin adds your protector to the desired policy:
fscrypt metadata add-protector-to-policy --protector=/mnt/lustre:YOUR-PROTECTOR-ID --policy=/mnt/lustre:THE-POLICY-ID
After your protector is added, you MUST change the password on your protector with:
fscrypt metadata change-passphrase --protector=/mnt/lustre:YOUR-PROTECTOR-ID
Now you can encrypt folders and files for which you are the owner:
fscrypt encrypt --policy=/mnt/lustre:ID-OF-THE-SHARED-POLICY /mnt/lustre/TO-THE-FOLDER
You can unlock and lock your encrypted folders like this:
fscrypt unlock /mnt/lustre/TO-THE-FOLDER
fscrypt lock /mnt/lustre/TO-THE-FOLDER
Check the status and get the IDs of policies and protectors of the encrypted filesystem as follows:
# Overall
fscrypt status /mnt/lustre/
# A specific folder
fscrypt status /mnt/lustre/TO-THE-FOLDER
NOTE: Please keep the ${USER}_ part in the name of your protector. It adds your username to the key name you choose and allows us a better overview later.
Encryption can only be enabled on an empty directory. To encrypt an existing directory, first copy the contents elsewhere and then delete the original files, e.g.:
$ mkdir new_dir
$ fscrypt encrypt new_dir
$ cp -a -T old_dir new_dir
$ find old_dir -type f -print0 | xargs -0 shred -n1 --remove=unlink
$ rm -rf old_dir
Beware that the original unencrypted files may still be forensically recoverable from disk even after being shredded and deleted, especially if using an SSD. It is better to encrypt data from the start.
One way to use an encrypted folder in a batch job is to pipe the password to the fscrypt unlock command. For example:
#!/bin/bash
#SBATCH --job-name=my_job
#SBATCH --nodes=1
#SBATCH --ntasks-per-node=1
# Load necessary modules or activate the environment
# Commands to unlock the encrypted folder
# *** Ensure that the permissions of my_password.txt are set to 600. ***
cat my_password.txt | fscrypt unlock /mnt/lustre/TO-THE-FOLDER --quiet
# Run your job commands here
# For example:
# ./your_executable
# Commands to lock the encrypted folder after the job completes
fscrypt lock /mnt/lustre/TO-THE-FOLDER
Please ensure the file containing your password is only readable by you.
Obviously, the password file itself can't be inside the encrypted folder.
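The batch job above relies on my_password.txt being readable only by you and stored outside the encrypted folder. The following pre-flight check is an added example, not part of the original documentation; the function name check_password_file is hypothetical, and it assumes GNU stat and realpath as found on Linux nodes.

```shell
# Added example, not from the original page. check_password_file is a
# hypothetical helper; it assumes GNU stat and realpath (Linux).
#
# Usage in the job script, before "fscrypt unlock":
#   check_password_file my_password.txt /mnt/lustre/TO-THE-FOLDER || exit 1

check_password_file() {
    local file="$1" enc_dir="$2" mode owner real_file real_dir

    # Must be a regular file, not a symlink that could be redirected.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "password file missing or not a regular file: $file" >&2
        return 1
    fi

    # Must be owned by the user running the job.
    owner=$(stat -c '%u' "$file") || return 1
    if [ "$owner" != "$(id -u)" ]; then
        echo "password file is not owned by you: $file" >&2
        return 2
    fi

    # No group/other permission bits: 600, or the stricter 400.
    mode=$(stat -c '%a' "$file") || return 1
    case "$mode" in
        600|400) ;;
        *)
            echo "password file mode is $mode, expected 600: $file" >&2
            return 3
            ;;
    esac

    # Must not be stored inside the folder it unlocks.
    real_file=$(realpath -- "$file") || return 1
    real_dir=$(realpath -- "$enc_dir") || return 1
    case "$real_file" in
        "$real_dir"/*)
            echo "password file is inside the encrypted folder" >&2
            return 4
            ;;
    esac
    return 0
}
```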
Remove a user's protector from your policy to stop them from unlocking and encrypting:
fscrypt metadata remove-protector-from-policy --policy=/mnt/lustre:THE-POLICY-ID --protector=/mnt/lustre:PROTECTOR-ID-OF-USER
Don't forget to remove their read permission on the policy if they should not have access to the policy anymore.
Cut the access of a user to a policy without removing their protector by:
setfacl -x u:THEIR-USERNAME /mnt/lustre/.fscrypt/policies/THE-POLICY-ID
# You can check permissions on your policies by:
getfacl /mnt/lustre/.fscrypt/policies/THE-POLICY-ID
Despite our regular and frequent backups of all the protectors and policies existing on the filesystem, it's recommended that you have your own backup of your protectors and policies.
Simply copy their respective files under /mnt/lustre/.fscrypt/{policies,protectors}/PROTECTOR-OR-POLICY-ID to a secure location.
Removing a policy removes the access to all files/folders encrypted with that policy. Please beware of that.
Again, please don't forget to change the temporary password of your protector (key). And always name your protector starting with your username.
You can't encrypt subfolders of an encrypted folder with a different policy.
An unlocked encrypted folder behaves like a normal folder and is only protected by POSIX permissions, i.e., once a user unlocks a folder, others with read/write permission can access the files and folders inside it.
Enabling encryption on a folder by default masks any group/other permissions on the folder (just the folder itself). Remove the mask by:
setfacl -m m::rwx /mnt/lustre/TO-THE-FOLDER
If you have any questions, don't hesitate to open tickets. We will be happy to answer and adjust the documentation.
Finally, we can enable encryption on the parent group/project folder of yours if you think it's easier for you. But there will be no fine-grained access control/key management by us, only a shared key used by all members of your group/project.