Encryption At Rest (EAR) Considerations for Swarm Upgrades

Overview

DataCore Swarm supports Encryption At Rest (EAR) to provide full disk encryption of Swarm disks / volumes. Prior to and including Swarm 11.0.x, Swarm EAR volumes were encrypted using Linux Unified Key Setup (LUKS) version 1. Subsequent Swarm versions (11.1+) implemented EAR using LUKS version 2. This article outlines guidance for EAR support when it’s necessary to upgrade from Swarm versions using LUKS version 1 to versions using LUKS version 2.

LUKS version defaults

  • The default LUKS version for Swarm 11.0.x or earlier is LUKS version 1

  • The default LUKS version for Swarm 11.1+ is LUKS version 2

Compatibility Guidance

  • Swarm volumes formatted with LUKS version 2 under Swarm 11.1+ will not be recognized as valid Swarm volumes by versions prior to and including Swarm 11.0.x. If an upgrade attempt to a later version is aborted and the cluster is rolled back to Swarm 11.0.x or earlier, those volumes will be reformatted. The data on such volumes will be lost as a result! Follow the steps outlined in “Guidance for Upgrade Safety” below to avoid this scenario.

  • Swarm volumes formatted with LUKS version 1 under Swarm 11.0.x or earlier can be utilized under Swarm 12.0+ subject to guidance outlined below for upgrade/rollback scenarios.

Guidance for Upgrade Safety

When preparing for an upgrade from Swarm 11.0.x or earlier to 12.0+, the following steps should be performed if a rollback of Swarm versions is anticipated:

  • Explicitly set disk.encryptionType = luks1 in node.cfg or cluster.cfg for the Swarm cluster (whichever is appropriate) before rebooting the storage nodes into the new version (Swarm 12.0+)

  • If rollback is required, comment out the above setting, then boot the cluster back into the original version (Swarm 11.0.x or earlier)

The above procedure protects data in the cluster when new nodes / drives may be added post-upgrade and a subsequent rollback is then deemed necessary.

NOTE: the disk.encryptionType setting is not dynamic and can only be set on node / cluster restart. Once it’s determined that the upgrade to Swarm 12.0+ is successful and no rollback will be required, it’s recommended that the setting disk.encryptionType = luks1 be commented out / removed from the node / cluster configuration files, followed by a reboot of the nodes in the cluster. This will ensure that all subsequent nodes / volumes added to the cluster will utilize LUKS version 2 for EAR, which is the recommended LUKS version.
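
Because the setting only takes effect at restart, it is worth checking the configuration text before each reboot in the procedure and NOTE above. The following pre-reboot check is an added example, not DataCore code. It assumes "name = value" lines, "#" as the comment character, and that the last active line wins; the function names and sample configs are hypothetical.

```python
import re

# Assumptions: settings are "name = value" lines and "#" starts a comment.
SETTING = re.compile(r"^\s*disk\.encryptionType\s*=\s*(\S+)")

# Value the article calls for at each step (None = commented out / removed).
EXPECTED = {
    "upgrade": "luks1",   # before rebooting into Swarm 12.0+ with rollback possible
    "rollback": None,     # before booting back into Swarm 11.0.x or earlier
    "finalized": None,    # upgrade accepted, new volumes should get LUKS version 2
}

def effective_encryption_type(cfg_text):
    """Return the active disk.encryptionType value, or None if absent or commented out."""
    value = None
    for line in cfg_text.splitlines():
        active = line.split("#", 1)[0]      # a commented-out setting does not count
        match = SETTING.match(active)
        if match:
            value = match.group(1)          # assumption: the last active line wins
    return value

def check(cfg_text, phase):
    """Return (ok, message) for the config text at the given phase."""
    want = EXPECTED[phase]
    have = effective_encryption_type(cfg_text)
    if have == want:
        return True, f"{phase}: disk.encryptionType is {have or 'unset'}, as expected"
    return False, f"{phase}: expected {want or 'unset'}, found {have or 'unset'}; fix before reboot"

# Constructed sample configs (not taken from a real cluster).
PINNED = "# EAR rollback safety\ndisk.encryptionType = luks1\n"
COMMENTED = "# disk.encryptionType = luks1\n"
TYPO = "disk.encryptionType=lusk1  # constructed misspelling\n"

if __name__ == "__main__":
    for name, text in (("PINNED", PINNED), ("COMMENTED", COMMENTED), ("TYPO", TYPO)):
        for phase in EXPECTED:
            print(name, *check(text, phase))
```

Run it against the contents of node.cfg or cluster.cfg (whichever carries the setting) and treat a False result as a stop condition for the reboot.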

© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.