
Ensuring the security of sensitive data is paramount, especially when hosting critical applications like Zabbix and PostgreSQL. Implementing full disk encryption for partitions hosting the data directories of these services on RHEL 9 or CentOS 9 provides a robust layer of protection against unauthorized physical access to the storage. This process typically utilizes LUKS, the Linux Unified Key Setup, which is the standard for disk encryption on Linux systems.
The fundamental approach involves creating or identifying a dedicated partition for the data. This partition is then encrypted using the cryptsetup tool. A strong passphrase is required during the initial setup (luksFormat). Once encrypted, the partition can be unlocked (luksOpen), creating a new block device (a mapper device, often named descriptively, like data_crypt). This mapper device is the one that is formatted with a standard filesystem such as XFS or ext4.
After formatting, the mapper device is mounted to the desired location, which should correspond to the data directory paths for Zabbix (commonly /var/lib/zabbix) and PostgreSQL (typically /var/lib/pgsql). For this encryption to be effective and the system to boot correctly, the encrypted volume must be unlocked automatically during the boot process. This is achieved by configuring entries in the system's /etc/crypttab and /etc/fstab files.
The /etc/crypttab file is crucial for specifying which encrypted partitions should be unlocked at boot and how. This can be done using a passphrase stored in a key file or, less securely, embedding the passphrase directly (not recommended). Using a dedicated key file stored on a separate, potentially unencrypted, root partition is a common method for automated unlocking. The entry maps the mapper device name to the physical encrypted partition's UUID (obtained via blkid).
Once the encrypted volume is unlocked via /etc/crypttab, the corresponding mapper device becomes available. The /etc/fstab file is then used to automatically mount this mapper device to the specified mount point (e.g., /var/lib/pgsql) during system startup. It is essential to ensure that the mount point is empty before the encrypted volume is mounted, and that the mount dependencies are correctly handled during the boot sequence so the decryption happens before the filesystem is needed.
By correctly configuring LUKS with cryptsetup, setting up automatic unlocking via /etc/crypttab with a secure key file, and configuring automatic mounting via /etc/fstab, the data partitions for Zabbix and PostgreSQL on RHEL 9 or CentOS 9 can be effectively encrypted. This significantly enhances the data security posture of the server. After setup, verify that data is indeed being written to the encrypted volume and that the system reboots successfully, unlocking and mounting the volume automatically.
Source: https://infotechys.com/full-disk-encryption-on-rhel-9/