So I have had the chance to work with Navigator Encrypt once again and I inevitably come to the part where I have to create encrypted filesystems (navencrypt-prepare) on a brand new host. This is simple enough - no issues there. What confuses me is the need for using navencrypt-move. I just don't get why I would need to run this command on a newly built host with no existing data. It seems redundant.
Granted, I also don't tend to use the navencrypt ACLs. That would be one reason why I could see to use navencrypt-move.
Can anyone explain the purpose of navencrypt-move on a fresh machine?
Navencrypt-move is a necessary component of the Navencrypt suite. Navencrypt operates at the kernel level using file system hooks. The module relies on a number of components to control data access, including file pathing both inside of and outside of the encrypted volume. The information and options specified in the move operation are connected to parts of the module authentication framework.
Navencrypt should not be used in administrative or permissive modes perpetually. You should be using ACLs of some kind; we document these options and controls. You should not perform writes directly to encrypted volumes but rather you should be using the originally linked paths. You should not prepare and mount disks to the original data directories you intend to use for your applications. If you have questions related to the operation and deployment of this part of the software stack, please engage members of your account team for additional guidance.
@lhebert After reading your post I have a few additional questions. Before I ask, I will mention what I did:
1. sudo navencrypt-prepare --use-uuid /dev/sda1 /hadoop/encrypted/sda
2. After that, lsblk looks like this:
   NAME     MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
   sda        8:0    0  1.5T  0 disk
   └─sda1     8:1    0  1.5T  0 part
     └─sda  253:13   0  1.5T  0 crypt /hadoop/encrypted/sda
3. This was a new install and was empty. I put it in permissive mode and then moved files from my home directory to /hadoop/encrypted/sda/
4. Then changed to enforcing
5. Added ACLs that were needed for an app to read those files.
Do you see anything wrong in step 3?
Regarding this statement "You should not perform writes directly to encrypted volumes but rather you should be using the originally linked paths. You should not prepare and mount disk to the original data directories you intend to use for your applications"
Looks like from above I am performing writes directly to encrypted volumes. If I use the navencrypt-move command then it's creating a symlink from my home directory to /hadoop/encrypted/sda, which did not look right.
The symbolic link is intentional but less important, as its primary purpose is to ultimately prevent the need for changes in configured/operating software. The navencrypt-move tool creates a specific storage architecture in the encrypted "container" that it uses to identify monitored spaces for which the kernel module applies controls. If you are not using this structure, the ACLs will not work properly unless you are using the Universal ACL, which then applies little to no control over data access.