{"id":5603,"date":"2017-05-09T20:01:13","date_gmt":"2017-05-09T11:01:13","guid":{"rendered":"http:\/\/www.magtranetwork.com\/?p=5603"},"modified":"2017-05-10T16:53:49","modified_gmt":"2017-05-10T07:53:49","slug":"aws_ec2_ebs_encryption_luks","status":"publish","type":"post","link":"https:\/\/www.magtranetwork.com\/aws\/aws_ec2_ebs_encryption_luks.html","title":{"rendered":"Linux(RHEL\u3001CentOS\u3001Fedora)\u306b\u304a\u3051\u308b\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u9375\u3092\u7528\u3044\u305fAWS EC2 EBS\u30c7\u30a3\u30b9\u30af\u306eLUKS(cryptsetup)\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u30b5\u30a4\u30c9\u6697\u53f7\u5316\u30fb\u5fa9\u53f7\u3092\u884c\u3046\u30b7\u30a7\u30eb\u30b9\u30af\u30ea\u30d7\u30c8(\u30d0\u30c3\u30c1\u51e6\u7406\u30d7\u30ed\u30b0\u30e9\u30e0) \u2013 AWS KMS\u3068LUKS\u3092\u4f75\u7528\u3059\u308b\u4e8c\u91cd\u6697\u53f7\u5316\u306e\u5b9f\u73fe\u65b9\u6cd5 \uff5e\u91d1\u878d\u7cfb\u3001\u6d41\u901a\u7cfb\u306a\u3069\u306b\u304a\u3051\u308b\u72ec\u81ea\u6697\u53f7\u5316\u306b\u3088\u308b\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5bfe\u7b56\u30fb\u500b\u4eba\u60c5\u5831\u4fdd\u8b77\uff5e"},"content":{"rendered":"
\u6700\u8fd1\u3067\u306f\u30d1\u30d6\u30ea\u30c3\u30af\u30af\u30e9\u30a6\u30c9\u306f\u30b7\u30b9\u30c6\u30e0\u30bd\u30ea\u30e5\u30fc\u30b7\u30e7\u30f3\u306e\u9078\u629e\u80a2\u306e\u4e00\u3064\u3068\u3057\u3066\u4e00\u822c\u7684\u306b\u306a\u308a\u3001\u591a\u65b9\u9762\u3067\u5f53\u305f\u308a\u524d\u306e\u3088\u3046\u306b\u4f7f\u308f\u308c\u308b\u3088\u3046\u306b\u306a\u3063\u3066\u304d\u307e\u3057\u305f\u3002<\/p>\n
AWS\u3001GCP\u3001Azure\u306e\u4e09\u5927\u30af\u30e9\u30a6\u30c9\u306b\u304a\u3044\u3066\u306f\u53b3\u683c\u306a\u76e3\u67fb\u306e\u4e0a\u3067\u4fe1\u983c\u6027\u306e\u9ad8\u3044\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30b3\u30f3\u30d7\u30e9\u30a4\u30a2\u30f3\u30b9\u898f\u5236\u3084\u76e3\u67fb\u898f\u683c\u306e\u4e16\u754c\u7684\u306a\u8a8d\u8a3c\u30fb\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u3092\u53d6\u5f97\u3057\u3066\u3044\u308b\u305f\u3081\u3001\u4eca\u56de\u7d39\u4ecb\u3059\u308b\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u30b5\u30a4\u30c9\u306e\u30c7\u30a3\u30b9\u30af\u6697\u53f7\u5316\u3092\u7528\u3044\u306a\u304f\u3066\u3082\u975e\u5e38\u306b\u9ad8\u3044\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30ec\u30d9\u30eb\u3067\u904b\u7528\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n
\u7279\u306bAWS\u306b\u304a\u3044\u3066\u306fAWS KMS\u3068\u3044\u3046\u9375\u7ba1\u7406\u30b5\u30fc\u30d3\u30b9\u3092\u7528\u3044\u308b\u3053\u3068\u3067\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u30b5\u30a4\u30c9\u306e\u30ad\u30fc\u30de\u30c6\u30ea\u30a2\u30eb\u304b\u3089\u751f\u6210\u3057\u305f\u30ab\u30b9\u30bf\u30de\u30fc\u30de\u30b9\u30bf\u30fc\u30ad\u30fc(CMK)\u3092\u4f7f\u7528\u3057\u305f\u6697\u53f7\u5316\u30bd\u30ea\u30e5\u30fc\u30b7\u30e7\u30f3\u3092EBS\u3092\u59cb\u3081\u3068\u3059\u308b\u5404\u30b5\u30fc\u30d3\u30b9\u3067\u5229\u7528\u3059\u308b\u3053\u3068\u3082\u3067\u304d\u307e\u3059\u3002<\/p>\n
\u3057\u304b\u3057\u306a\u304c\u3089\u3001\u91d1\u878d\u7cfb\u3001\u6d41\u901a\u7cfb\u306a\u3069\u91cd\u8981\u60c5\u5831\u3084\u500b\u4eba\u60c5\u5831\u3092\u6271\u3046\u696d\u754c\u3067\u306f\u4e00\u90e8\u306e\u4f01\u696d\u304c\u30d1\u30d6\u30ea\u30c3\u30af\u30af\u30e9\u30a6\u30c9\u3092\u6d3b\u7528\u3057\u59cb\u3081\u3066\u3044\u308b\u3082\u306e\u306e\u3001\u60c5\u5831\u30b7\u30b9\u30c6\u30e0\u306e\u30c7\u30fc\u30bf\u3092\u30d1\u30d6\u30ea\u30c3\u30af\u30af\u30e9\u30a6\u30c9\u306b\u4fdd\u5b58\u3059\u308b\u3053\u3068\u306f\u672a\u3060\u306b\u5fc3\u7406\u7684\u30cf\u30fc\u30c9\u30eb\u304c\u9ad8\u3044\u3088\u3046\u3067\u3059\u3002<\/p>\n
\u4eca\u56de\u306f\u305d\u306e\u3088\u3046\u306a\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u5074\u304b\u3089\u306e\u5805\u7262\u306a\u6697\u53f7\u5316\u3092\u5fc5\u8981\u3068\u3059\u308b\u60c5\u5831\u30b7\u30b9\u30c6\u30e0\u3067AWS\u3092\u3055\u3089\u306b\u30bb\u30ad\u30e5\u30a2\u306b\u4f7f\u7528\u3059\u308b\u4e00\u3064\u306e\u6848\u3068\u3057\u3066\u3001Linux\u30b5\u30fc\u30d0\u306b\u304a\u3051\u308bLUKS\u6697\u53f7\u5316\u306e\u65b9\u6cd5\u3092\u8a18\u8f09\u3057\u3066\u304a\u304d\u307e\u3059\u3002<\/p>\n
\u203bLUKS\u306fAWS KMS\u306e\u6697\u53f7\u5316\u3068\u306f\u9055\u3046\u30ec\u30a4\u30e4\u30fc\u3067\u306e\u6697\u53f7\u5316\u3092\u884c\u3046\u305f\u3081\u3001AWS KMS\u3068LUKS\u3092\u4f75\u7528\u3059\u308b\u3053\u3068\u3067\u4e8c\u91cd\u6697\u53f7\u5316\u304c\u5b9f\u73fe\u3067\u304d\u307e\u3059\u3002<\/p>\n
\u57fa\u672c\u65b9\u91dd\u3068\u3057\u3066\u306f\u4e0b\u8a18\u306e3\u3064\u306b\u5206\u3051\u3066\u30b7\u30a7\u30eb\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u7528\u610f\u3057\u3066\u3001\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u30b5\u30a4\u30c9\u306e\u79d8\u5bc6\u9375\u306b\u3088\u308b\u30c7\u30a3\u30b9\u30af\u30d1\u30fc\u30c6\u30a3\u30b7\u30e7\u30f3\u306e\u6697\u53f7\u5316\u30fb\u5fa9\u53f7\u306e\u904b\u7528\u304c\u3067\u304d\u308b\u3088\u3046\u306b\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n
\u7279\u306b\u300cLUKS\u306b\u3088\u308b\u6697\u53f7\u5316\u30c7\u30a3\u30b9\u30af\u3092\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u8d77\u52d5\u6642\u306b\u30ea\u30e2\u30fc\u30c8\u30b5\u30fc\u30d0\u304b\u3089SSH\u7d4c\u7531\u3067\u5fa9\u53f7\u3059\u308b\u30b7\u30a7\u30eb\u30b9\u30af\u30ea\u30d7\u30c8\u300d\u306b\u3064\u3044\u3066\u306f\u30aa\u30f3\u30d7\u30ec\u30df\u30b9\u74b0\u5883\u306e\u30d0\u30c3\u30c1\u30b5\u30fc\u30d0\u304b\u3089SSH\u7d4c\u7531\u3067LUKS\u6697\u53f7\u5316\u30c7\u30a3\u30b9\u30af\u3092\u4f7f\u7528\u3059\u308b\u5bfe\u8c61\u30b5\u30fc\u30d0\u306b\u79d8\u5bc6\u9375\u3092\u8ee2\u9001\u3057\u3001\u6697\u53f7\u5316\u30c7\u30a3\u30b9\u30af\u3092\u5fa9\u53f7\u30fb\u30de\u30a6\u30f3\u30c8\u5f8c\u3001\u79d8\u5bc6\u9375\u3092\u5bfe\u8c61\u30b5\u30fc\u30d0\u304b\u3089\u524a\u9664\u3059\u308b\u904b\u7528\u3092\u60f3\u5b9a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n
\u3053\u306e\u904b\u7528\u306b\u3088\u308a\u3001\u30aa\u30f3\u30d7\u30ec\u30df\u30b9\u74b0\u5883\u304b\u3089\u306e\u30d0\u30c3\u30c1\u51e6\u7406\u304c\u884c\u308f\u308c\u306a\u3044\u3068LUKS\u6697\u53f7\u5316\u30c7\u30a3\u30b9\u30af\u306f\u5fa9\u53f7\u3067\u304d\u306a\u3044\u305f\u3081\u3001EBS\u30c7\u30a3\u30b9\u30af\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30ec\u30d9\u30eb\u3092\u3088\u308a\u4e00\u5c64\u9ad8\u304f\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n
\u3055\u3089\u306b\u5192\u982d\u3067\u3082\u89e6\u308c\u307e\u3057\u305f\u304cAWS KMS\u3067\u6697\u53f7\u5316\u3057\u305fEBS\u306b\u5bfe\u3057\u3066\u3082LUKS\u6697\u53f7\u5316\u306f\u9069\u7528\u3067\u304d\u308b\u305f\u3081\u3001AWS KMS\u3068LUKS\u306e\u4e8c\u91cd\u6697\u53f7\u5316\u304c\u53ef\u80fd\u3067\u3059\u3002<\/p>\n
\u4f59\u8ac7\u3067\u3059\u304c\u3001AWS KMS\u3082\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u5074\u3067\u7528\u610f\u3057\u305f\u30ad\u30fc\u30de\u30c6\u30ea\u30a2\u30eb\u3092\u4f7f\u7528\u3057\u3066\u30ab\u30b9\u30bf\u30de\u30fc\u30de\u30b9\u30bf\u30fc\u30ad\u30fc(CMK)\u3092\u751f\u6210\u3067\u304d\u307e\u3059(\u305f\u3060\u3057\u3001\u30ab\u30b9\u30bf\u30de\u30fc\u30de\u30b9\u30bf\u30fc\u30ad\u30fc\u306f\u30aa\u30f3\u30d7\u30ec\u30df\u30b9\u74b0\u5883\u3067\u4fdd\u5b58\u3059\u308b\u308f\u3051\u3067\u306f\u306a\u304fAWS KMS\u306b\u4fdd\u5b58\u3055\u308c\u308b)\u3002<\/p>\n
\u305d\u306e\u305f\u3081\u3001\u300c\u30ab\u30b9\u30bf\u30de\u30fc\u30de\u30b9\u30bf\u30fc\u30ad\u30fc\u3092\u7528\u3044\u305fAWS KMS\u306b\u3088\u308bEBS\u6697\u53f7\u5316\u300d\u3068\u300c\u30aa\u30f3\u30d7\u30ec\u30df\u30b9\u74b0\u5883\u306b\u79d8\u5bc6\u9375\u3092\u4fdd\u5b58\u3059\u308bLUKS\u30c7\u30a3\u30b9\u30af\u6697\u53f7\u5316\u300d\u3092\u4f75\u7528\u3059\u308b\u65b9\u6cd5\u304c\u4f4e\u30b3\u30b9\u30c8\u3067\u5b9f\u73fe\u3067\u304d\u308bEBS\u6697\u53f7\u5316\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30d9\u30b9\u30c8\u30d7\u30e9\u30af\u30c6\u30a3\u30b9\u3067\u306f\u306a\u3044\u304b\u3068\u500b\u4eba\u7684\u306b\u8003\u3048\u3066\u3044\u307e\u3059\u3002<\/p>\n
\u307e\u305a\u3001LUKS\u306b\u3088\u308b\u6697\u53f7\u5316\u30fb\u5fa9\u53f7\u3092\u64cd\u4f5c\u3059\u308b\u30b3\u30de\u30f3\u30c9cryptsetup\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002
\nCentOS7\u3067\u306f\u4e0b\u8a18\u306e\u30b3\u30de\u30f3\u30c9\u3067\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3067\u304d\u307e\u3059\u3002<\/p>\n
\r\n[magtranetwork@localhost ~]# yum install -y cryptsetup cryptsetup-libs\r\n<\/pre>\n\u6b21\u306b\u4e00\u756a\u6700\u521d\u306b\u6697\u53f7\u5316\u7528\u306e\u79d8\u5bc6\u9375\u3092\u751f\u6210\u3057\u3001\u30a2\u30bf\u30c3\u30c1\u3057\u305fEBS\u30c7\u30a3\u30b9\u30af\u306e\u30d1\u30fc\u30c6\u30a3\u30b7\u30e7\u30f3\u3092\u6697\u53f7\u5316\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u3059\u308b\u30b7\u30a7\u30eb\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002<\/p>\n
\u4e0b\u8a18\u306e\u30b7\u30a7\u30eb\u30b9\u30af\u30ea\u30d7\u30c8\u306b\u3042\u308bVOL_DEV\u3001KEY_DIR\u3001KEY_NAME\u306a\u3069\u306e\u5024\u306f\u81ea\u5206\u306e\u74b0\u5883\u306b\u4f75\u305b\u3066\u5909\u66f4\u3057\u3066\u4e0b\u3055\u3044\u3002<\/p>\n
\r\n[magtranetwork@localhost ~]# vim luks_format_by_org_key.sh\r\n<\/pre>\n\r\n#!\/bin\/bash\r\n\r\nVOL_DEV=\/dev\/xvdf\r\nKEY_DIR=~\/.luks\r\nKEY_NAME=luks.pem\r\nLUKS_KEY_PATH=${KEY_DIR}\/${KEY_NAME}\r\n\r\n#\u30d1\u30fc\u30c6\u30a3\u30b7\u30e7\u30f3\u3092\u30e9\u30f3\u30c0\u30e0\u306a\u30c7\u30fc\u30bf\u3067\u57cb\u3081\u3066\u96e3\u8aad\u5316\u3059\u308b\r\n#t2.small\u3067EBS100GB\u304c\u7d0440\u5206\u7a0b\u5ea6\u306e\u6642\u9593\u304c\u304b\u304b\u308b\r\nshred -v --iterations=1 ${VOL_DEV}\r\n\r\n#\u4f5c\u6210\u3057\u305f\u9375\u3092\u4fdd\u5b58\u3059\u308b\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3092\u4f5c\u6210\r\nmkdir -p ${KEY_DIR}\r\n\r\n#openssl genrsa\u30b3\u30de\u30f3\u30c9\u3067LUKS\u306e\u6697\u53f7\u5316\u30fb\u5fa9\u53f7\u306b\u4f7f\u7528\u3059\u308b\u79d8\u5bc6\u9375\u3092\u751f\u6210\r\nopenssl genrsa 2024 > ${LUKS_KEY_PATH}\r\n\r\n#cryptsetup\u3067\u751f\u6210\u3057\u305f\u79d8\u5bc6\u9375\u3092\u7528\u3044\u3066luks\u306b\u3088\u308b\u6697\u53f7\u5316\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u3092\u884c\u3046\u3002\r\ncryptsetup luksFormat --key-file=${LUKS_KEY_PATH} ${VOL_DEV}\r\n\r\n<\/pre>\n\u6697\u53f7\u5316\u5bfe\u8c61\u306eEBS\u3092\u30a2\u30bf\u30c3\u30c1\u3057\u305f\u72b6\u614b\u3067\u4f5c\u6210\u3057\u305fluks_format_by_org_key.sh\u3092\u5b9f\u884c\u3059\u308b\u3068\u4e0b\u8a18\u306e\u3088\u3046\u306b\u51fa\u529b\u3055\u308c\u307e\u3059\u3002
\n\u9014\u4e2d\u3067\u672c\u5f53\u306b\u6697\u53f7\u5316\u3059\u308b\u304b\u306e\u78ba\u8a8d\u3092\u8981\u6c42\u3055\u308c\u307e\u3059\u306e\u3067\u5927\u6587\u5b57\u3067\u300cYES\u300d\u3092\u5165\u529b\u3057\u3066\u6697\u53f7\u5316\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u3092\u5b8c\u4e86\u3055\u305b\u307e\u3059\u3002<\/p>\n\r\n[magtranetwork@localhost ~]# chmod 755 luks_format_by_org_key.sh\r\n[magtranetwork@localhost ~]# .\/luks_format_by_org_key.sh\r\nshred: \/dev\/xvdf: \u7d4c\u904e 1\/1 (random)...\r\nshred: \/dev\/xvdf: \u7d4c\u904e 1\/1 (random)...197MiB\/10GiB 1%\r\n\uff5e\u7701\u7565\uff5e\r\nshred: \/dev\/xvdf: \u7d4c\u904e 1\/1 (random)...10GiB\/10GiB 100%\r\nGenerating RSA private key, 2024 bit long modulus\r\n........+++\r\n.................................................................+++\r\ne is 65537 (0x10001)\r\n\r\nWARNING!\r\n========\r\nThis will overwrite data on \/dev\/xvdf irrevocably.\r\n\r\nAre you sure? (Type uppercase yes): YES \u2190\u5927\u6587\u5b57\u3067YES\u3092\u5165\u529b\u3057\u3001luksFormat\u3092\u5b8c\u4e86\u3055\u305b\u308b\u3002\r\n<\/pre>\nLUKS\u306b\u3088\u308b\u6700\u521d\u306e\u5fa9\u53f7\u3001\u30d1\u30fc\u30c6\u30a3\u30b7\u30e7\u30f3\u306e\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u3001\u30de\u30a6\u30f3\u30c8\u3092\u884c\u3046\u30b7\u30a7\u30eb\u30b9\u30af\u30ea\u30d7\u30c8<\/h3>\n
luks_format_by_org_key.sh\u306b\u3088\u308b\u6700\u521d\u306e\u6697\u53f7\u5316\u304c\u5b8c\u4e86\u3057\u305f\u3089\u3001\u6b21\u306b\u6700\u521d\u306e\u5fa9\u53f7\u3068\u30d1\u30fc\u30c6\u30a3\u30b7\u30e7\u30f3\u306e\u30c7\u30a3\u30b9\u30af\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u3001\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3078\u306e\u30de\u30a6\u30f3\u30c8\u3092\u4e0b\u8a18\u306e\u30b7\u30a7\u30eb\u30b9\u30af\u30ea\u30d7\u30c8\u3067\u884c\u3044\u307e\u3059\u3002<\/p>\n
\u4e0b\u8a18\u306e\u30b7\u30a7\u30eb\u30b9\u30af\u30ea\u30d7\u30c8\u306b\u3042\u308bVOL_DEV\u3001KEY_DIR\u3001KEY_NAME\u3001MAPPER_NAME\u3001MOUNT_PATH\u306a\u3069\u306e\u5024\u306f\u81ea\u5206\u306e\u74b0\u5883\u306b\u4f75\u305b\u3066\u5909\u66f4\u3057\u3066\u4e0b\u3055\u3044\u3002<\/p>\n
\r\n[magtranetwork@localhost ~]# vim luks_open_first_time_by_org_key.sh\r\n<\/pre>\n\r\n#!\/bin\/bash\r\n\r\nVOL_DEV=\/dev\/xvdf\r\nKEY_DIR=~\/.luks\r\nKEY_NAME=luks.pem\r\nLUKS_KEY_PATH=${KEY_DIR}\/${KEY_NAME}\r\nMAPPER_NAME=luks\r\nMOUNT_PATH=\/mnt\/luks_disk\r\n\r\n#cryptsetup\u30b3\u30de\u30f3\u30c9\u3067\u79d8\u5bc6\u9375\u3092\u7528\u3044\u3066\u30d1\u30fc\u30c6\u30a3\u30b7\u30e7\u30f3\u3092\u5fa9\u53f7\u30aa\u30fc\u30d7\u30f3\u3059\u308b\u3002\r\ncryptsetup luksOpen ${VOL_DEV} ${MAPPER_NAME} --key-file=${LUKS_KEY_PATH}\r\n\r\n#\u5fa9\u53f7\u3057\u305f\u30d1\u30fc\u30c6\u30a3\u30b7\u30e7\u30f3\u306e\u30c7\u30a3\u30b9\u30af\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u3092\u884c\u3046\u3002\r\nmkfs.xfs \/dev\/mapper\/${MAPPER_NAME}\r\n\r\n#\u30de\u30a6\u30f3\u30c8\u3059\u308b\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306e\u4f5c\u6210\r\nmkdir -p ${MOUNT_PATH}\r\n\r\n#\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u3057\u305f\u5fa9\u53f7\u30d1\u30fc\u30c6\u30a3\u30b7\u30e7\u30f3\u3092\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u30de\u30a6\u30f3\u30c8\u3059\u308b\u3002\r\nmount \/dev\/mapper\/${MAPPER_NAME} ${MOUNT_PATH}\r\n\r\n<\/pre>\n\u5b9f\u969b\u306bluks_open_first_time_by_org_key.sh\u3092\u5b9f\u884c\u3059\u308b\u3068LUKS\u306e\u5fa9\u53f7\u3001\u30c7\u30a3\u30b9\u30af\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u3001\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3078\u306e\u30de\u30a6\u30f3\u30c8\u304c\u884c\u308f\u308c\u307e\u3059\u3002<\/p>\n
\r\n[magtranetwork@localhost ~]# chmod 755 luks_open_first_time_by_org_key.sh\r\n[magtranetwork@localhost ~]# .\/luks_open_first_time_by_org_key.sh\r\n\r\n<\/pre>\nLUKS\u306b\u3088\u308b\u6697\u53f7\u5316\u30c7\u30a3\u30b9\u30af\u3092\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u8d77\u52d5\u6642\u306b\u30ea\u30e2\u30fc\u30c8\u30b5\u30fc\u30d0\u304b\u3089SSH\u7d4c\u7531\u3067\u5fa9\u53f7\u3059\u308b\u30b7\u30a7\u30eb\u30b9\u30af\u30ea\u30d7\u30c8<\/h3>\n
\u3053\u306e\u30b7\u30a7\u30eb\u30b9\u30af\u30ea\u30d7\u30c8\u306fLUKS\u306b\u3088\u308b\u6697\u53f7\u5316\u30c7\u30a3\u30b9\u30af\u3092\u6301\u3064EC2\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u306bSSH\u7d4c\u7531\u3067\u30ed\u30b0\u30a4\u30f3\u3067\u304d\u308b\u30aa\u30f3\u30d7\u30ec\u30df\u30b9\u74b0\u5883\u306e\u30d0\u30c3\u30c1\u30b5\u30fc\u30d0\u3067\u5b9f\u884c\u3059\u308b\u3053\u3068\u3092\u60f3\u5b9a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n
\u305f\u3060\u3001SSH\u30ed\u30b0\u30a4\u30f3\u304c\u3067\u304d\u308c\u3070EC2\u306e\u4ed6\u306e\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u3084LUKS\u306b\u3088\u308b\u6697\u53f7\u5316\u30c7\u30a3\u30b9\u30af\u3092\u6301\u3064EC2\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u305d\u306e\u3082\u306e\u304b\u3089\u3082\u5b9f\u884c\u3059\u308b\u3053\u3068\u306f\u53ef\u80fd\u3067\u3059\u3002<\/p>\n
\u3053\u306e\u30b7\u30a7\u30eb\u30b9\u30af\u30ea\u30d7\u30c8\u3067\u306f\u30ea\u30e2\u30fc\u30c8\u30b5\u30fc\u30d0\u304b\u3089SSH\u7d4c\u7531\u3067sudo\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3059\u308b\u305f\u3081\u3001\/etc\/sudoers\u3092\u4e0b\u8a18\u306e\u4f8b\u306e\u3088\u3046\u306b\u5909\u66f4\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n
\r\n#\u25a0sudoers\u306e\u4f8b\uff1assh\u3067\u30ed\u30b0\u30a4\u30f3\u3059\u308b\u30e6\u30fc\u30b6\u304cbatch-user\u306e\u5834\u5408\r\n\r\n#requiretty\u306e\u7121\u52b9\u5316\r\n#Defaults requiretty\r\n\r\n#batch-user\u306eroot\u30b3\u30de\u30f3\u30c9\u5b9f\u884c\u8a31\u53ef\r\nbatch-user ALL=(ALL) ALL\r\n\r\n#batch-user\u306e\u30d1\u30b9\u30ef\u30fc\u30c9\u7121\u3057\u3067\u306e\u5b9f\u884c\u8a31\u53ef\r\n%batch-user ALL=(ALL) NOPASSWD: ALL\r\n<\/pre>\ncheck_ins_and_open_luks_via_ssh.sh\u306e\u5b9f\u88c5\u306e\u5185\u5bb9\u306f\u307e\u305a\u3001AWS CLI\u3067\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u306e\u72b6\u614b\u3001\u30b7\u30b9\u30c6\u30e0\u30b9\u30c6\u30fc\u30bf\u30b9\u3001\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u30b9\u30c6\u30fc\u30bf\u30b9\u3092\u53d6\u5f97\u3057\u3001\u5168\u3066\u304c\u6b63\u5e38\u3067\u3042\u308c\u3070SSH\u3092\u65bd\u884c\u3057\u3001SSH\u30ed\u30b0\u30a4\u30f3\u304c\u53ef\u80fd\u3067\u3042\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002
\n\u305d\u3057\u3066\u3001\u79d8\u5bc6\u9375\u3092\u30aa\u30f3\u30d7\u30ec\u30df\u30b9\u74b0\u5883\u304b\u3089EC2\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u3078\u8ee2\u9001\u3057\u3066LUKS\u306e\u5fa9\u53f7\u3001\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3078\u306e\u30de\u30a6\u30f3\u30c8\u3092\u884c\u3044\u3001\u79d8\u5bc6\u9375\u3092\u524a\u9664\u3057\u307e\u3059\u3002<\/p>\n\u4e0b\u8a18\u306e\u30b7\u30a7\u30eb\u30b9\u30af\u30ea\u30d7\u30c8\u306b\u3042\u308bINS_IP\u3001SSH_USER\u3001SSH_KEY_PATH\u3001VOL_DEV\u3001KEY_DIR\u3001KEY_NAME\u3001MAPPER_NAME\u3001MOUNT_PATH\u306a\u3069\u306e\u5024\u306f\u81ea\u5206\u306e\u74b0\u5883\u306b\u4f75\u305b\u3066\u5909\u66f4\u3057\u3066\u4e0b\u3055\u3044\u3002<\/p>\n
\r\n[magtranetwork@localhost ~]# vim check_ins_and_open_luks_via_ssh.sh\r\n<\/pre>\n\r\n#!\/bin\/bash\r\n\r\nINS_IP=10.0.0.5\r\nSSH_USER=batch-user\r\nSSH_KEY_PATH=~\/.ssh\/id_rsa\r\nVOL_DEV=\/dev\/xvdf\r\nKEY_DIR=\/home\/${SSH_USER}\/.luks\r\nKEY_NAME=luks.pem\r\nLUKS_KEY_PATH=${KEY_DIR}\/${KEY_NAME}\r\nMAPPER_NAME=luks\r\nMOUNT_PATH=\/mnt\/luks_disk\r\n\r\n#AWS CLI\u3067\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9ID\u3092\u53d6\u5f97\u3059\u308b\u3002\r\nINS_ID=`aws --output text ec2 describe-instances --filter "Name=private-ip-address,Values=${INS_IP}" --query 'Reservations[].Instances[].InstanceId'`\r\n\r\n#AWS CLI\u3067\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u306e\u72b6\u614b\u3092\u53d6\u5f97\u3059\u308b\u3002\r\nSTATE=`aws --output text ec2 describe-instances --instance-ids ${INS_ID} --query 'Reservations[].Instances[].State[].Name'`\r\n\r\n#AWS CLI\u3067\u30b7\u30b9\u30c6\u30e0\u30b9\u30c6\u30fc\u30bf\u30b9\u3092\u53d6\u5f97\u3059\u308b\u3002\r\nSYSTEM_STATUS=`aws --output text ec2 describe-instance-status --instance-ids ${INS_ID} --query 'InstanceStatuses[].SystemStatus[].Details[].Status'`\r\n\r\n#AWS CLI\u3067\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u30b9\u30c6\u30fc\u30bf\u30b9\u3092\u53d6\u5f97\u3059\u308b\u3002\r\nINSTANCE_STATUS=`aws --output text ec2 describe-instance-status --instance-ids ${INS_ID} --query 'InstanceStatuses[].InstanceStatus[].Details[].Status'`\r\n\r\n#\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u306e\u72b6\u614b\u304crunning\u3001\u30b7\u30b9\u30c6\u30e0\u30b9\u30c6\u30fc\u30bf\u30b9\u304cpassed\u3001\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u30b9\u30c6\u30fc\u30bf\u30b9\u304cpassed\u3068\u306a\u3063\u305f\u5834\u5408\u306bssh\u306e\u72b6\u614b\u3092\u78ba\u8a8d\u3057\u3001\u63a5\u7d9a\u3092\u8a66\u307f\u308b\u3002\r\nif [ "${STATE}" = "running" -a "${SYSTEM_STATUS}" = "passed" -a "${INSTANCE_STATUS}" = "passed" ]; then\r\n\r\n CAN_SSH=1\r\n 
#ssh\u30b3\u30de\u30f3\u30c9\u304c\u5b9f\u884c\u3067\u304d\u308b\u304b\u3092\u8a66\u3057\u3066\u30b3\u30de\u30f3\u30c9\u30b9\u30c6\u30fc\u30bf\u30b9\u3092\u78ba\u8a8d\u3059\u308b\u3002\r\n ssh -i ${SSH_KEY_PATH} ${SSH_USER}@${INS_IP} "uname -a"\r\n RES=$?\r\n if [ "${RES}" != "0" ]; then\r\n CAN_SSH=0\r\n fi\r\n\r\n #ssh\u63a5\u7d9a\u304c\u6b63\u5e38\u306b\u3067\u304d\u308b\u5834\u5408\u306b\u79d8\u5bc6\u9375\u3092\u8ee2\u9001\u3057\u3001LUKS\u30d1\u30fc\u30c6\u30a3\u30b7\u30e7\u30f3\u306e\u5fa9\u53f7\u3068\u30de\u30a6\u30f3\u30c8\u3092\u884c\u3046\u3002\r\n if [ "${CAN_SSH}" = "1" ]; then\r\n #LUKS\u306e\u5fa9\u53f7\u304c\u3059\u3067\u306b\u884c\u308f\u308c\u3066\u3044\u308b\u304b\u3069\u3046\u304b\u3092\u78ba\u8a8d\u3002\r\n IS_LUKS=`ssh -i ${SSH_KEY_PATH} ${SSH_USER}@${INS_IP} "ls -1 \/dev\/mapper\/ | grep ^${MAPPER_NAME}\\$ | wc -l"`\r\n\r\n #LUKS\u306e\u5fa9\u53f7\u304c\u884c\u308f\u308c\u3066\u3044\u306a\u3051\u308c\u3070\u3001\u79d8\u5bc6\u9375\u3092\u8ee2\u9001\u3057\u3066\u5fa9\u53f7\u3059\u308b\u3002\r\n if [ "${IS_LUKS}" = "0" ]; then\r\n ssh -i ${SSH_KEY_PATH} ${SSH_USER}@${INS_IP} "mkdir -p ${KEY_DIR}"\r\n scp -i ${LUKS_KEY_PATH} ${LUKS_KEY_PATH} ${SSH_USER}@${INS_IP}:${LUKS_KEY_PATH}\r\n ssh -i ${SSH_KEY_PATH} ${SSH_USER}@${INS_IP} "sudo cryptsetup luksOpen ${VOL_DEV} ${MAPPER_NAME} --key-file=${LUKS_KEY_PATH}"\r\n fi\r\n\r\n #\u5fa9\u53f7\u3057\u305fLUKS\u306e\u30d1\u30fc\u30c6\u30a3\u30b7\u30e7\u30f3\u304c\u30de\u30a6\u30f3\u30c8\u3055\u308c\u3066\u3044\u308b\u304b\u3092\u78ba\u8a8d\u3002\r\n IS_MOUNT=`ssh -i ${SSH_KEY_PATH} ${SSH_USER}@${INS_IP} "df | grep ^\/dev\/mapper\/${MAPPER_NAME} | grep ${MOUNT_PATH}\\$ | wc -l"`\r\n\r\n #\u5fa9\u53f7\u3057\u305fLUKS\u306e\u30d1\u30fc\u30c6\u30a3\u30b7\u30e7\u30f3\u304c\u30de\u30a6\u30f3\u30c8\u3055\u308c\u3066\u3044\u306a\u3051\u308c\u3070\u3001\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u30de\u30a6\u30f3\u30c8\u3059\u308b\u3002\r\n if [ "${IS_MOUNT}" = "0" ]; then\r\n ssh -i ${SSH_KEY_PATH} ${SSH_USER}@${INS_IP} "sudo mkdir -p ${MOUNT_PATH}"\r\n ssh -i ${SSH_KEY_PATH} ${SSH_USER}@${INS_IP} "sudo mount \/dev\/mapper\/${MAPPER_NAME} ${MOUNT_PATH}"\r\n fi\r\n\r\n #\u5fa9\u53f7\u3001\u30de\u30a6\u30f3\u30c8\u306e\u4f5c\u696d\u306b\u95a2\u308f\u3089\u305a\u3001\u30ea\u30e2\u30fc\u30c8\u306b\u8ee2\u9001\u3055\u308c\u305f\u79d8\u5bc6\u9375\u3092\u524a\u9664\u3059\u308b\u3002\r\n ssh -i ${SSH_KEY_PATH} ${SSH_USER}@${INS_IP} "rm -f ${LUKS_KEY_PATH}"\r\n else\r\n #SSH\u30b5\u30fc\u30d3\u30b9\u304c\u7acb\u3061\u4e0a\u304c\u3063\u3066\u3044\u306a\u3051\u308c\u3070\u6a19\u6e96\u51fa\u529b\u3002\r\n echo "SSH Service is NOT Available yet."\r\n fi\r\nfi\r\n\r\n<\/pre>\n\u5b9f\u969b\u306bcheck_ins_and_open_luks_via_ssh.sh\u3092\u5b9f\u884c\u3059\u308b\u3068EC2\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u306e3\u3064\u306e\u30c1\u30a7\u30c3\u30af\u9805\u76ee\u306e\u78ba\u8a8d\u3068SSH\u63a5\u7d9a\u306b\u3088\u308bLUKS\u5fa9\u53f7\u51e6\u7406\u3001\u30de\u30a6\u30f3\u30c8\u304c\u884c\u308f\u308c\u307e\u3059\u3002<\/p>\n
\u5b9f\u969b\u306e\u904b\u7528\u3092\u8003\u3048\u308b\u3068\u3001\u30d0\u30c3\u30c1\u30b5\u30fc\u30d0\u3067\u3053\u306e\u30b7\u30a7\u30eb\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u30d0\u30c3\u30c1\u51e6\u7406\u30d7\u30ed\u30b0\u30e9\u30e0\u3068\u3057\u3066\u6570\u5206\u6bce\u306b\u30b9\u30b1\u30b8\u30e5\u30fc\u30eb\u5b9f\u884c\u3057\u3001EC2\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u306e\u518d\u8d77\u52d5\u306b\u5099\u3048\u308b\u306e\u304c\u826f\u3044\u3067\u3057\u3087\u3046\u3002<\/p>\n
\r\n[magtranetwork@localhost ~]# chmod 755 check_ins_and_open_luks_via_ssh.sh\r\n[magtranetwork@localhost ~]# .\/check_ins_and_open_luks_via_ssh.sh\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"\u6700\u8fd1\u3067\u306f\u30d1\u30d6\u30ea\u30c3\u30af\u30af\u30e9\u30a6\u30c9\u306f\u30b7\u30b9\u30c6\u30e0\u30bd\u30ea\u30e5\u30fc\u30b7\u30e7\u30f3\u306e\u9078\u629e\u80a2\u306e\u4e00\u3064\u3068\u3057\u3066\u4e00\u822c\u7684\u306b\u306a\u308a\u3001\u591a\u65b9\u9762\u3067\u5f53\u305f\u308a\u524d\u306e\u3088\u3046\u306b\u4f7f\u308f\u308c\u308b\u3088\u3046\u306b\u306a\u3063\u3066\u304d\u307e\u3057\u305f\u3002 AWS\u3001GCP\u3001Azure\u306e\u4e09\u5927\u30af\u30e9\u30a6\u30c9\u306b\u304a\u3044\u3066\u306f\u53b3\u683c\u306a\u76e3\u67fb\u306e\u4e0a\u3067\u4fe1\u983c\u6027\u306e\u9ad8\u3044\u30bb […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":""},"categories":[3,81,22,189,79,82],"tags":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.magtranetwork.com\/wp-json\/wp\/v2\/posts\/5603"}],"collection":[{"href":"https:\/\/www.magtranetwork.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.magtranetwork.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.magtranetwork.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.magtranetwork.com\/wp-json\/wp\/v2\/comments?post=5603"}],"version-history":[{"count":4,"href":"https:\/\/www.magtranetwork.com\/wp-json\/wp\/v2\/posts\/5603\/revisions"}],"predecessor-version":[{"id":5610,"href":"https:\/\/www.magtranetwork.com\/wp-json\/wp\/v2\/posts\/5603\/revisions\/5610"}],"wp:attachment":[{"href":"https:\/\/www.magtranetwork.com\/wp-json\/wp\/v2\/media?parent=5603"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.magtranetwork.com\/wp-json\/wp\/v2\/categories?post=5603"},{"ta
xonomy":"post_tag","embeddable":true,"href":"https:\/\/www.magtranetwork.com\/wp-json\/wp\/v2\/tags?post=5603"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}