非活跃数据（Data At Rest）的加密

# TigerGraph数据库的用户名, 例如: tigergraph
export db_user='<username>'
​
# 数据加密文件的保存路径, 例如: /home/tigergraph/secretfs
export encrypted_file_path='<path-to-encrypted-file>'
​
# 数据加密文件的大小 (通过dd命令创建), 例如: 60G
export encrypted_file_size=<storage-size>
​
# 数据加密文件的密码, 例如: DataAtRe5tPa55w0rd
export encryption_password='<password>'
​
# TigerGraph的根目录地址, 例如: $HOME/tigergraph
export tigergraph_root="<tigergraph-root>"
​
# 为数据加密文件映射配置第一个可用的loop设备
export loop_device=$(losetup -f)

dd of=$encrypted_file_path bs=$encrypted_file_size count=0 seek=1

chmod 600 $encrypted_file_path

sudo losetup $loop_device $encrypted_file_path

sudo cryptsetup -y luksFormat $loop_device 

echo "$encryption_password" | cryptsetup -y luksFormat $loop_device 

sudo cryptsetup luksOpen $loop_device tigergraph_gstore 

echo "$encryption_password" | cryptsetup luksOpen $loop_device tigergraph_gstore

unset encryption_password
history -c
history -w

sudo mke2fs -j -O dir_index /dev/mapper/tigergraph_gstore

sudo mkdir -p /mnt/secretfs
sudo mount /dev/mapper/tigergraph_gstore /mnt/secretfs

sudo chmod -R 700 /mnt/secretfs
sudo chown -R $db_user:$db_user /mnt/secretfs

mv $tigergraph_root/gstore /mnt/secretfs/gstore
ln -s /mnt/secretfs/gstore $tigergraph_root/gstore

mv $tigergraph_root /mnt/secretfs/tigergraph
ln -s /mnt/secretfs/tigergraph $tigergraph_root

登录S3管理界面并选择“创建桶”
输入需要创建的桶的名字，并点击Create按钮
你可以在右侧看到该桶的具体信息

1.Sign in to the AWS Management Console and navigate to the IAM console . In the navigation pane, choose Policies , choose Create Policy . Choose the JSON tab, paste in the following JSON code, and then choose Review Policy . Name and describe the policy, and then choose Create Policy to save your work. For more details, see Creating Customer Managed Policies .
​
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<your-bucket-name>/LuksInternalStorageKey"
        }
    ]
}
The preceding policy grants read access to the bucket where the encrypted password is stored. This policy is used by the EC2 instance, which requires you to configure an IAM role. You will configure KMS permissions later in this post. 
(The following instructions have been updated since the original blog post.)
​
2."Select type of trusted entity: Choose AWS service .
3."Select the service that will use this role": Choose EC2 then choose Next: Permissions.
4.Choose the policy you created in Step 1 and then choose Next: Review.
5.On the Create role page, type your role name , a Role description, and choose Create role .
6.The newly created IAM role is now ready. You will use it when launching new EC2 instances, which will have the permission to access the encrypted password file in the S3 bucket.

Next, use KMS to encrypt a secret password. To encrypt text by using KMS, you must use AWS CLI . AWS CLI is installed by default on EC2 Amazon Linux instances and you can install it on Linux, Windows, or Mac computers.
​
To encrypt a secret password with KMS and store it in the S3 bucket:
​
From the AWS CLI, type the following command to encrypt a secret password by using KMS (replace <your-region> with your region). You must have the right permissions in order to create keys and put objects in S3 (for more details, see Using IAM Policies with AWS KMS ). In this example, I have used AWS CLI on the Linux OS to encrypt and generate the encrypted password file.
aws --region <your-region> kms encrypt --key-id 'alias/<your-key-alias>' --plaintext '<your-password>' --query CiphertextBlob --output text | base64 --decode > LuksInternalStorageKey
​
aws s3 cp LuksInternalStorageKey s3://<your-bucket-name>/LuksInternalStorageKey
The preceding commands encrypt the password (Base64 is used to decode the cipher text). The command outputs the results to a file called LuksInternalStorageKey. It also creates a key alias (key name) that makes it easy to identify different keys; the alias is called <your-key-alias> . The file is then copied to the S3 bucket created earlier in this post.

#!/bin/bash
​
db_user=tigergraph
​
## Initial setup to be executed on boot
##====================================
# Create an empty file. This file will be used to host the file system.
# In this example we create a <disk-size> (for example: 60G) file at <path-to-encrypted-file> (for example: /home/tigergraph/gstore_enc).
dd of=<path-to-encrypted-file> bs=<disk-size> count=0 seek=1
​
# Lock down normal access to the file.
chmod 600 <path-to-encrypted-file>
​
# Associate a loopback device with the file.
losetup /dev/loop0 <path-to-encrypted-file>
​
#Copy encrypted password file from S3. The password is used to configure LUKE later on.
aws s3 cp s3://<your-bucket-name>/LuksInternalStorageKey .
​
# Decrypt the password from the file with KMS, save the secret password in LuksClearTextKey
LuksClearTextKey=$(aws --region <your-region> kms decrypt --ciphertext-blob fileb://LuksInternalStorageKey --output text --query Plaintext | base64 --decode)
​
​
# Encrypt storage in the device. cryptsetup will use the Linux
# device mapper to create, in this case, /dev/mapper/tigergraph_gstore.
# Initialize the volume and set an initial key.
echo "$LuksClearTextKey" | cryptsetup -y luksFormat /dev/loop0
​
# Open the partition, and create a mapping to /dev/mapper/tigergraph_gstore.
echo "$LuksClearTextKey" | cryptsetup luksOpen /dev/loop0 tigergraph_gstore
​
# Clear the LuksClearTextKey variable because we don't need it anymore.
unset LuksClearTextKey
​
# Create a file system and verify its status.
mke2fs -j -O dir_index /dev/mapper/tigergraph_gstore
​
# Mount the new file system to /mnt/secretfs.
mkdir -p /mnt/secretfs
mount /dev/mapper/tigergraph_gstore /mnt/secretfs
​
# create user tigergraph
adduser $db_user
​
# Change the permission so that only tigergraph has access to the file system
chmod -R 700 /mnt/secretfs
chown -R $db_user:$db_user /mnt/secretfs
​
# Install TigerGraph
# Run the one-command installation script with TigerGraphh root path under /mnt/secretfs