1. Sign in to the AWS Management Console and open the IAM console. In the navigation pane, choose Policies, then Create Policy. Choose the JSON tab, paste in the following JSON, and choose Review Policy. Name and describe the policy, then choose Create Policy to save your work. For more details, see Creating Customer Managed Policies.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<your-bucket-name>/LuksInternalStorageKey"
        }
    ]
}
```

   The preceding policy grants read access to a single object in the bucket, the one that holds the KMS-encrypted passphrase, and nothing else in the bucket. The EC2 instance uses this policy through an IAM role, which you configure in the next steps. Note that the instance will also need kms:Decrypt on the key that encrypted the passphrase; you will configure the KMS permissions later in this post. (The following instructions have been updated since the original blog post.)

2. In the navigation pane, choose Roles, then Create role. For "Select type of trusted entity", choose AWS service.
3. For "Select the service that will use this role", choose EC2, then choose Next: Permissions.
4. Choose the policy you created in Step 1, then choose Next: Review.
5. On the Create role page, type a role name and a role description, and choose Create role.
6. The new IAM role is ready. You will attach it when launching the EC2 instance, which then has permission to read the encrypted passphrase file from the S3 bucket.
Next, use KMS to encrypt the secret passphrase. To encrypt text with KMS you use the AWS CLI, which is installed by default on Amazon Linux EC2 instances and can be installed on Linux, Windows, or Mac computers.

To encrypt the passphrase with KMS and store it in the S3 bucket, run the following commands from the AWS CLI (replace <your-region> with your region, <your-key-alias> with the alias of an existing KMS key, and <your-bucket-name> with your bucket). You must have permission to use the key and to put objects in S3 (for details, see Using IAM Policies with AWS KMS). In this example the AWS CLI was run on Linux to produce the encrypted passphrase file.

```shell
aws --region <your-region> kms encrypt \
    --key-id 'alias/<your-key-alias>' \
    --plaintext '<your-password>' \
    --query CiphertextBlob --output text | base64 --decode > LuksInternalStorageKey

aws s3 cp LuksInternalStorageKey s3://<your-bucket-name>/LuksInternalStorageKey
```

The first command encrypts the passphrase under the KMS key identified by alias/<your-key-alias>. The CLI returns the ciphertext Base64-encoded, so base64 --decode turns it back into the raw binary blob that the boot script later hands to kms decrypt through fileb://; the result is written to a file called LuksInternalStorageKey. The alias is only a reference: it must already exist (create it in the KMS console or with aws kms create-alias), because the encrypt command does not create keys or aliases. The second command copies the file to the S3 bucket created earlier in this post.

Two caveats. Passing the passphrase as a literal --plaintext argument leaves it in your shell history and briefly visible in the process list; prefer --plaintext fileb://<file> with a temporary file that you delete afterward. The literal form also assumes AWS CLI version 1; version 2 treats blob parameters as Base64 by default, so there use fileb:// or add --cli-binary-format raw-in-base64-out.
Launch a new instance from the EC2 console (for details, see this tutorial). You can use the Amazon Linux AMI 2017.09.1 (HVM), SSD Volume Type; if you use a different AMI, first add a script that installs python, pip, and the AWS CLI.

In Step 3: Configure Instance Details:

For IAM role, select the role you created above.

For User Data, replace the angle-bracketed placeholders in the following code block with your own values, then paste the block into the User Data field ahead of the TigerGraph installation script that its last step calls for. Note that a user-data script runs as root at first launch only; on later reboots the volume must be reopened and mounted by other means, and the luksFormat step below must not be run again.

Startup script for the encryption step
```shell
#!/bin/bash
set -euo pipefail

db_user=tigergraph

## Initial setup to be executed at first boot
##==========================================
# Create an empty (sparse) file. This file will back the encrypted file system.
# In this example we create a <disk-size> (for example: 60G) file at
# <path-to-encrypted-file> (for example: /home/tigergraph/gstore_enc).
# The size goes in seek= with bs=1 so dd does not try to allocate a <disk-size> buffer.
dd if=/dev/null of=<path-to-encrypted-file> bs=1 count=0 seek=<disk-size>

# Lock down normal access to the file.
chmod 600 <path-to-encrypted-file>

# Associate a loopback device with the file.
losetup /dev/loop0 <path-to-encrypted-file>

# Copy the encrypted passphrase file from S3 (allowed by the instance role).
# The passphrase is used to configure LUKS later on.
aws s3 cp s3://<your-bucket-name>/LuksInternalStorageKey .

# Decrypt the passphrase with KMS and keep it only in a shell variable, never on disk.
LuksClearTextKey=$(aws --region <your-region> kms decrypt \
    --ciphertext-blob fileb://LuksInternalStorageKey \
    --output text --query Plaintext | base64 --decode)

# Never format the volume with an empty passphrase: if decryption failed, stop here.
if [ -z "$LuksClearTextKey" ]; then
    echo "KMS decrypt returned no passphrase; aborting before luksFormat" >&2
    exit 1
fi

# Encrypt storage in the device. cryptsetup will use the Linux device mapper
# to create, in this case, /dev/mapper/tigergraph_gstore.
# Initialize the volume and set an initial key. luksFormat is destructive and
# runs only at first launch, when this user-data script executes.
echo "$LuksClearTextKey" | cryptsetup -y luksFormat /dev/loop0

# Open the partition and create a mapping to /dev/mapper/tigergraph_gstore.
echo "$LuksClearTextKey" | cryptsetup luksOpen /dev/loop0 tigergraph_gstore

# Clear the LuksClearTextKey variable because we don't need it anymore.
unset LuksClearTextKey

# Create a file system and verify its status.
mke2fs -j -O dir_index /dev/mapper/tigergraph_gstore

# Mount the new file system at /mnt/secretfs.
mkdir -p /mnt/secretfs
mount /dev/mapper/tigergraph_gstore /mnt/secretfs

# Create user tigergraph.
adduser $db_user

# Change the permissions so that only tigergraph has access to the file system.
chmod -R 700 /mnt/secretfs
chown -R $db_user:$db_user /mnt/secretfs

# Install TigerGraph
# Run the one-command installation script with the TigerGraph root path under /mnt/secretfs
```
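The three pieces above (the instance-role policy from Step 1, the encrypt-and-upload commands, and the decrypt step of the boot script) as one added example in Python. This is not code from the page or from TigerGraph; it drives the same KMS and S3 calls through the boto3 client interface, but additionally binds an encryption context to the ciphertext and produces a role policy that also grants kms:Decrypt, which the page's policy omits. FakeKms and FakeS3 are constructed stand-ins so the flow runs offline; the bucket name, object key, key ARN and context values are assumptions.

```python
# Added example, not code from the original page or from TigerGraph.
# Runs the page's KMS encrypt -> S3 -> KMS decrypt flow through the boto3
# client call shapes, with an encryption context bound to the ciphertext, and
# builds the least-privilege policy the instance role needs.  FakeKms/FakeS3
# are constructed stand-ins; pass boto3.client("kms", region_name=...) and
# boto3.client("s3") for real use.  Names and context values are assumptions.
import base64
import io
import secrets

# KMS stores these pairs with the ciphertext and refuses decryption unless the
# caller presents the same pairs, so a leaked blob cannot be decrypted by a
# different workload that merely shares the key.  Values are assumptions.
CONTEXT = {"purpose": "luks-passphrase", "app": "tigergraph"}


def new_passphrase(nbytes=32):
    """Generate the LUKS passphrase in-process instead of typing it as a CLI
    argument, so it never lands in shell history or `ps` output."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def encrypt_and_store(kms, s3, key_id, bucket, obj_key, passphrase, context=CONTEXT):
    """Counterpart of `aws kms encrypt ... | base64 --decode` + `aws s3 cp`.
    CiphertextBlob is already raw bytes here, so no Base64 round trip."""
    resp = kms.encrypt(KeyId=key_id, Plaintext=passphrase.encode(),
                       EncryptionContext=context)
    s3.put_object(Bucket=bucket, Key=obj_key, Body=resp["CiphertextBlob"])
    return len(resp["CiphertextBlob"])


def fetch_and_decrypt(kms, s3, bucket, obj_key, context=CONTEXT):
    """Boot-time counterpart of the script's `aws s3 cp` + `aws kms decrypt`.
    A wrong or missing context fails before any plaintext is returned."""
    blob = s3.get_object(Bucket=bucket, Key=obj_key)["Body"].read()
    resp = kms.decrypt(CiphertextBlob=blob, EncryptionContext=context)
    return resp["Plaintext"].decode()


def instance_role_policy(bucket, obj_key, kms_key_arn, context=CONTEXT):
    """IAM policy for the instance role: read one object, decrypt with one key,
    and only under this context (kms:EncryptionContext:<key> condition keys)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/{obj_key}"},
            {"Effect": "Allow", "Action": "kms:Decrypt",
             "Resource": kms_key_arn,
             "Condition": {"StringEquals": {
                 f"kms:EncryptionContext:{k}": v for k, v in context.items()}}},
        ],
    }


class FakeKms:
    """Constructed stand-in for boto3's KMS client.  A ciphertext is an opaque
    token that decrypts only under the context it was encrypted with, which is
    the rule real KMS enforces (InvalidCiphertextException otherwise)."""
    def __init__(self, key_id):
        self.key_id = key_id
        self._vault = {}  # token -> (plaintext, context)

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        if KeyId != self.key_id:
            raise ValueError("NotFoundException: unknown key")
        token = secrets.token_bytes(32)
        self._vault[token] = (bytes(Plaintext), dict(EncryptionContext or {}))
        return {"CiphertextBlob": token, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        entry = self._vault.get(bytes(CiphertextBlob))
        if entry is None or entry[1] != dict(EncryptionContext or {}):
            raise ValueError("InvalidCiphertextException")
        return {"Plaintext": entry[0], "KeyId": self.key_id}


class FakeS3:
    """Constructed stand-in for boto3's S3 client (bucket/key -> bytes)."""
    def __init__(self):
        self._objects = {}

    def put_object(self, Bucket, Key, Body):
        self._objects[(Bucket, Key)] = bytes(Body)

    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self._objects[(Bucket, Key)])}


if __name__ == "__main__":
    kms, s3 = FakeKms("alias/<your-key-alias>"), FakeS3()
    pw = new_passphrase()
    encrypt_and_store(kms, s3, "alias/<your-key-alias>", "<your-bucket-name>",
                      "LuksInternalStorageKey", pw)
    assert fetch_and_decrypt(kms, s3, "<your-bucket-name>", "LuksInternalStorageKey") == pw
    try:
        fetch_and_decrypt(kms, s3, "<your-bucket-name>", "LuksInternalStorageKey",
                          context={"purpose": "something-else"})
    except ValueError as err:
        print("decrypt under a different context refused:", err)
```

With real clients the boot-side function is what the user-data script would call in place of the two aws commands, and the encryption context must then be the same on both sides; the policy's StringEquals condition makes the role unable to decrypt anything encrypted under other contexts even with the same key.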