Idea
-
So I had possibly a weird idea. Not sure if anyone else has done this, if they have I'd like to look at it. Our RHEL workstations have 256 GB of RAM. We need to encrypt workstation drives for compliance reasons even if nothing is stored on them. I had an idea to load an initramfs from something like an sd card to boot up and then create a ~4-8GB RAMDisk for the OS. Then it would pull a real image and load it into the RAMDisk. Treating a fat client like a thin client, but then loading the actual OS onto it.
This deals with encrypting data at rest, because there is no data at rest. It also gives us a performance boost for our engineering software.
Stupid idea?
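The "pull an image into the RAM disk" step of the initramfs described above, as an added example that is not from the thread or any project it mentions. It assumes a tarball image at a placeholder URL and a pinned SHA-256 digest carried on the boot media (the SD card); the point is that an image fetched over the network has to be integrity-checked before it becomes the root filesystem, otherwise "no data at rest" is traded for "trust whatever the network serves".

```shell
#!/bin/sh
# Added example (not from the thread): the fetch-verify-unpack step of an
# initramfs that boots a RAM-resident OS. Assumed placeholders: IMAGE_URL,
# IMAGE_SHA256 and the 8G size. The digest must come from the boot media,
# not from the same server that serves the image, or the check is moot.

IMAGE_URL="${IMAGE_URL:-http://images.example.internal/rhel-ws.tar}"  # assumed
IMAGE_SHA256="${IMAGE_SHA256:-REPLACE_WITH_PINNED_DIGEST}"            # from SD card
RAMDISK_SIZE="${RAMDISK_SIZE:-8G}"
SYSROOT="${SYSROOT:-/sysroot}"

# Mount a size-capped tmpfs as the future root. Needs root; not exercised offline.
prepare_ramdisk() {
    mkdir -p "$SYSROOT"
    mount -t tmpfs -o "size=$RAMDISK_SIZE,mode=0755" tmpfs "$SYSROOT"
}

# fetch_image URL DEST: download with curl, failing on HTTP errors (-f).
fetch_image() {
    curl -fsSL --retry 3 -o "$2" "$1"
}

# verify_image FILE EXPECTED: 0 if SHA-256 of FILE equals EXPECTED, else 1.
verify_image() {
    [ -f "$1" ] || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# stage_image FILE EXPECTED DEST: verify, then unpack the tarball into DEST.
# Returns 1 without touching DEST when the digest does not match.
stage_image() {
    verify_image "$1" "$2" || { echo "image digest mismatch, refusing to boot" >&2; return 1; }
    tar -xpf "$1" -C "$3"
}

# Orchestration as it would run inside the initramfs: RAM disk, fetch,
# verify, unpack; the initramfs then switch_roots into $SYSROOT as usual.
main() {
    prepare_ramdisk
    fetch_image "$IMAGE_URL" /tmp/os-image.tar
    stage_image /tmp/os-image.tar "$IMAGE_SHA256" "$SYSROOT"
    rm -f /tmp/os-image.tar    # free the RAM the download used
}

# Only run the real sequence when invoked as "script run" (keeps it sourceable).
case "${1:-}" in run) main ;; esac
```

In the scenario from the post, IMAGE_SHA256 would be baked into the initramfs on the SD card and rotated whenever the image is rebuilt, so a swapped or tampered image is refused at boot.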
-
@johnhooks That's an interesting idea. I've never done it though
-
@wirestyle22 said in Idea:
@johnhooks That's an interesting idea. I've never done it though
Thanks. I'm sure someone at some point has created something like this. But I'd like to do it with our high end workstations.
-
Sounds valid, but keeping things up to date might be an issue.
-
4-8 GB for the OS? What OS are you running so lean on?
-
@Dashrender said in Idea:
4-8 GB for the OS? What OS are you running so lean on?
A full RHEL Workstation install only uses around 4GB of space. Depending on what packages you add on afterwards, it's somewhere between 4-8.
-
@Dashrender said in Idea:
4-8 GB for the OS? What OS are you running so lean on?
4GB is plenty in a core Linux system, even with a full blown desktop and a running LibreOffice for example.
-
@johnhooks I thought about something like this myself, but more in the context of LUKS on a Pi without storing the key on the SD card. Would be interesting to see your approach.
-
@Dashrender said in Idea:
4-8 GB for the OS? What OS are you running so lean on?
That's plenty for an OS.
-
This is a pretty standard setup. This is basically how we ran the school that I built in the early 2000s. The system image was pulled fresh over the network and ran in memory. Very effective.
-
@scottalanmiller said in Idea:
This is a pretty standard setup. This is basically how we ran the school that I built in the early 2000s. The system image was pulled fresh over the network and ran in memory. Very effective.
Is that the one you used SUSE for?
-
@scottalanmiller said in Idea:
This is a pretty standard setup. This is basically how we ran the school that I built in the early 2000s. The system image was pulled fresh over the network and ran in memory. Very effective.
In the modern world how would you accomplish this? What would you use?
-
@Dashrender said in Idea:
4-8 GB for the OS? What OS are you running so lean on?
RHEL/CentOS can do useful things with ~500MB for a complete system. Depending on what they're doing, 4GB for the system drive could be more than enough for years to come.
@johnhooks Do you use a separate partition or mount point for /home? Generally you'd encrypt the home (data) sections and leave the OS as a standard install. Things like encfs make this easy to do. Encrypting everything takes more work and monkeying around with LVM, copying everything, etc.
At least with LVM, you should be able to get everything done on a live system. Yeah, it lets you do things like this.
-
@travisdh1 said in Idea:
@Dashrender said in Idea:
4-8 GB for the OS? What OS are you running so lean on?
RHEL/CentOS can do useful things with ~500MB for a complete system. Depending on what they're doing, 4GB for the system drive could be more than enough for years to come.
@johnhooks Do you use a separate partition or mount point for /home? Generally you'd encrypt the home (data) sections and leave the OS as a standard install. Things like encfs make this easy to do. Encrypting everything takes more work and monkeying around with LVM, copying everything, etc.
At least with LVM, you should be able to get everything done on a live system. Yeah, it lets you do things like this.
We automount home from NFS. Only thing that's actually on these systems is the root partition and we have to separate /var, /var/log, and a couple others for SCAP.
-
@wirestyle22 said in Idea:
@scottalanmiller said in Idea:
This is a pretty standard setup. This is basically how we ran the school that I built in the early 2000s. The system image was pulled fresh over the network and ran in memory. Very effective.
In the modern world how would you accomplish this? What would you use?
All you need is a PXE-capable network interface on the workstations. It's not exactly easy, but very doable for anyone who knows Linux.
-
So it's kind of ridiculous that we need to encrypt the drive on the workstation since there is nothing on it. But we are forced to. Logs are also sent to an rsyslog server, so if I can just do away with the drive that would be nice ha.
-
@wirestyle22 said in Idea:
@scottalanmiller said in Idea:
This is a pretty standard setup. This is basically how we ran the school that I built in the early 2000s. The system image was pulled fresh over the network and ran in memory. Very effective.
In the modern world how would you accomplish this? What would you use?
Like this for example:
-
@johnhooks said in Idea:
So it's kind of ridiculous that we need to encrypt the drive on the workstation since there is nothing on it. But we are forced to. Logs are also sent to an rsyslog server, so if I can just do away with the drive that would be nice ha.
I'd almost just set up network boot then. Everything uses the same system image/software. If you need to add/update software, you do that and then save the results as the new system image.
-
@travisdh1 said in Idea:
@wirestyle22 said in Idea:
@scottalanmiller said in Idea:
This is a pretty standard setup. This is basically how we ran the school that I built in the early 2000s. The system image was pulled fresh over the network and ran in memory. Very effective.
In the modern world how would you accomplish this? What would you use?
All you need is a PXE-capable network interface on the workstations. It's not exactly easy, but very doable for anyone who knows Linux.
So I'm building a pretty robust VM host server to be used as a test environment. Any recommendations as far as a multi-port PXE-capable NIC? Not to hijack the thread.