DRBD Encryption for ESC HA Data Replication
ESC uses DRBD for data replication across the nodes of an HA cluster. DRBD layers a logical block device over the existing local block devices on the cluster nodes.
Data written to the primary node is transferred to its lower-level block device and simultaneously propagated to the secondary node(s). Currently, ESC mounts the DRBD device directly on /opt/cisco/esc/esc_database:
# df
Filesystem 1K-blocks Used Available Use% Mounted on
devtmpfs 2961760 0 2961760 0% /dev
tmpfs 2972164 4 2972160 1% /dev/shm
tmpfs 2972164 8748 2963416 1% /run
…
tmpfs 594436 0 594436 0% /run/user/1004
/dev/mapper/esc_crypt 3028620 57212 2797848 3% /opt/cisco/esc/esc_database
Block device encryption encrypts and decrypts data transparently as it is written to or read from the block device; the underlying block device sees only encrypted data.
Security is enhanced with a dm-crypt/LUKS layer that encrypts the data in the DRBD partition. This layer sits between the filesystem and the DRBD device, so what DRBD replicates to the secondary node(s) is already ciphertext. LUKS (Linux Unified Key Setup) is a specification for block device encryption.
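The layering described above, as an added example that is not part of the ESC documentation or the ESC product's own provisioning code: the LUKS container is formatted on the DRBD device (assumed here to be /dev/drbd0) rather than on the backing disk, opened under the mapper name esc_crypt seen in the df output, and a check function confirms from df-style output that the database mount point is served by a dm-crypt mapper device and not the raw DRBD device.

```shell
# Added example, not from the ESC documentation. Device names are assumptions:
# /dev/drbd0 for the DRBD resource, esc_crypt for the mapper name in the df output.
DRBD_DEV=${DRBD_DEV:-/dev/drbd0}
CRYPT_NAME=${CRYPT_NAME:-esc_crypt}
MOUNT_POINT=${MOUNT_POINT:-/opt/cisco/esc/esc_database}

# Run once on the DRBD primary (needs root; destroys existing data on the device).
# LUKS goes on top of the DRBD device, so the blocks DRBD ships to the secondary
# are ciphertext and the secondary's backing disk never holds plaintext.
setup_luks_over_drbd() {
    cryptsetup luksFormat --type luks2 "$DRBD_DEV" &&
    cryptsetup open "$DRBD_DEV" "$CRYPT_NAME" &&
    mkfs.ext4 /dev/mapper/"$CRYPT_NAME" &&
    mount /dev/mapper/"$CRYPT_NAME" "$MOUNT_POINT"
}

# Verification: the database mount must come from a /dev/mapper/ device (dm-crypt),
# not directly from the DRBD device. Reads df output on stdin; exit 0 = encrypted.
db_mount_is_encrypted() {
    awk -v mp="$MOUNT_POINT" '
        $NF == mp { found = 1; if ($1 ~ /^\/dev\/mapper\//) ok = 1 }
        END { if (found && ok) exit 0; exit 1 }'
}

# Constructed df-style samples, not captured from a live node: one where the
# database sits on the mapper device, one where it sits on the raw DRBD device.
SAMPLE_ENCRYPTED='Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/esc_crypt 3028620 57212 2797848 3% /opt/cisco/esc/esc_database'
SAMPLE_PLAIN='Filesystem 1K-blocks Used Available Use% Mounted on
/dev/drbd0 3028620 57212 2797848 3% /opt/cisco/esc/esc_database'

# $1 is "encrypted" or "plain"; returns the verdict for that constructed sample.
check_sample() {
    case "$1" in
        encrypted) printf '%s\n' "$SAMPLE_ENCRYPTED" | db_mount_is_encrypted ;;
        plain)     printf '%s\n' "$SAMPLE_PLAIN" | db_mount_is_encrypted ;;
        *)         return 2 ;;
    esac
}
```

On a live node, `df | db_mount_is_encrypted` gives the same verdict against real output; setup_luks_over_drbd is only meant for the primary and is not invoked by the checks.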