How to use the encrypted password for fence devices in the cluster configuration file?

Solution Verified - Updated

Environment

Red Hat Enterprise Linux Server 5 to 9 High Availability and Resilient Storage Clusters

Issue

  • I don't want the stonith device credentials to be visible when running any pcs command.
  • Is it possible to use encrypted passwords for fencing devices?

Resolution

The fence device password can be encrypted with GnuPG (gpg), and a custom script can then decrypt it whenever the cluster needs the credential.

In RHEL 5 and RHEL 6, where the cluster is based on rgmanager and /etc/cluster/cluster.conf exists, this custom script is referenced with the passwd_script parameter.

In RHEL 6 and later, where the cluster is based on Pacemaker, this custom script is referenced with the password_script parameter of the stonith device configuration.

  1. Create a gpg key which has no passphrase using gpg --gen-key:

    • Additional note (for RHEL 8+): RHEL 8 uses gpg 2.2.20-2, which includes updated options.
    • The --gen-key argument can still be used on RHEL 8 and accomplishes the same thing, but offers fewer options and a shorter guide.
    • The --full-generate-key argument is needed instead for the full set of options and the guide shown in the example below.
       e.g.
       $ gpg --full-generate-key  # On RHEL 8
              or 
       $ gpg --gen-key            # On RHEL 6 & 7
       gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
       This program comes with ABSOLUTELY NO WARRANTY.
       This is free software, and you are welcome to redistribute it
       under certain conditions. See the file COPYING for details.
    
       gpg: directory `/root/.gnupg' created
       gpg: new configuration file `/root/.gnupg/gpg.conf' created
       gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
       gpg: keyring `/root/.gnupg/secring.gpg' created
       gpg: keyring `/root/.gnupg/pubring.gpg' created
       Please select what kind of key you want:
          (1) DSA and Elgamal (default)
          (2) DSA (sign only)
          (5) RSA (sign only)
       Your selection? 1
       DSA keypair will have 1024 bits.
       ELG-E keys may be between 1024 and 4096 bits long.
       What keysize do you want? (2048) 
       Requested keysize is 2048 bits
       Please specify how long the key should be valid.
                0 = key does not expire
             <n>  = key expires in n days
             <n>w = key expires in n weeks
             <n>m = key expires in n months
             <n>y = key expires in n years
       Key is valid for? (0) 
       Key does not expire at all
       Is this correct? (y/N) y
    
       You need a user ID to identify your key; the software constructs the user ID
       from the Real Name, Comment and Email Address in this form:
           "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
    
       Real name: ABC XYZ
       Email address: abc@redhat.com
       Comment: 
       You selected this USER-ID:
           "ABC XYZ <abc@redhat.com>"
    
       Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
       You need a Passphrase to protect your secret key.
    
       You don't want a passphrase - this is probably a *bad* idea!
       I will do it anyway.  You can change your passphrase at any time,
       using this program with the option "--edit-key".
    
       We need to generate a lot of random bytes. It is a good idea to perform
       some other action (type on the keyboard, move the mouse, utilize the
       disks) during the prime generation; this gives the random number
       generator a better chance to gain enough entropy.
       +++++++++++++++.++++++++++..++++++++++.++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..++++++++++.+++++++++++++++++++++++++>++++++++++>+++++............................................................................+++++
    
       Not enough random bytes available.  Please do some other work to give
       the OS a chance to collect more entropy! (Need 284 more bytes)
    
       We need to generate a lot of random bytes. It is a good idea to perform
       some other action (type on the keyboard, move the mouse, utilize the
       disks) during the prime generation; this gives the random number
       generator a better chance to gain enough entropy.
       ....+++++++++++++++++++++++++.+++++++++++++++.+++++++++++++++++++++++++..+++++++++++++++++++++++++.+++++..++++++++++.++++++++++...+++++.++++++++++++++++++++.+++++>++++++++++>+++++................>+++++.........+++++^^^
       gpg: /root/.gnupg/trustdb.gpg: trustdb created
       gpg: key 79FB4F3E marked as ultimately trusted
       public and secret key created and signed.
    
       gpg: checking the trustdb
       gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
       gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
       pub   1024D/79FB4F3E 2012-09-04
             Key fingerprint = FEF6 9A6D A42C 41CA C8C1  8B6E AAAE A88A 79FB 4F3E
       uid                  ABC XYZ <abc@redhat.com>
       sub   2048g/6E59B802 2012-09-04
    

    Note: the gpg key generation command prompts for a passphrase to protect the key. Do not enter one: the decryption script below has to run unattended so that Pacemaker can obtain the stonith credentials, and a passphrase-protected key would require interactive input.

  2. Put the password temporarily into a plain text file, then encrypt it with gpg -e -r <user> <file>:

    $ echo "the PassWord" > password-plain
    $ gpg -e -r abc password-plain
    
  3. Delete the plain text version of the password and restrict access to the encrypted version:

    $ chmod 600 password-plain.gpg 
    $ rm -rf password-plain
    
  4. Write a script to decrypt the password, using the absolute path of the gpg file:

    $ echo "gpg --quiet -d /path/to/password-plain.gpg" > decrypt-password
    $ cat decrypt-password 
    gpg --quiet -d /path/to/password-plain.gpg
    $ chmod 700 decrypt-password
    
  5. Executing the above script decrypts the password. If the script prompts for a gpg passphrase, go back to step 1 and regenerate the gpg key without a passphrase.

    $ sh decrypt-password 
    the PassWord
    
  6. Depending on the type of cluster:

    a. In rgmanager based clusters: include the decrypt-password script in cluster.conf as passwd_script="/path/to/script/decrypt-password". Follow the steps in the article How do I hide the fence device password specified in the cluster configuration file?

    b. In Pacemaker based clusters: use the pcs stonith update command as follows to update the stonith device, replacing the password with the password_script.

    Clusters up to RHEL 7:

    # pcs stonith update <the_stonith_device> password_script=/path/to/script/decrypt-password passwd=
    

    For RHEL 8 and above, the password field is named password:

    # pcs stonith update <the_stonith_device> password_script=/path/to/script/decrypt-password password=
    

    NOTE: anyone with permission to run the decrypt script, or to read the private key in the ~/.gnupg directory, can recover the password.
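    As an added example that is not part of this article, the following is a hardened variant of the decrypt-password wrapper from step 4: it checks the file permissions set in step 3, pins the keyring location, and fails instead of prompting (the failure mode described in step 5), which matters because the fence agent runs the script without a terminal. The key location /root/.gnupg, the /path/to/password-plain.gpg path and the fence@example.com test identity are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own script: a hardened form of the
# step-4 wrapper. It refuses group/world-readable key files, never prompts
# (a passphrase prompt would hang the fence agent), and pins GNUPGHOME so
# the key is found when the fence agent runs without a login environment.
# /root/.gnupg and /path/to/password-plain.gpg are assumed placeholders.
GNUPGHOME="${GNUPGHOME:-/root/.gnupg}"; export GNUPGHOME
SECRET_FILE="${SECRET_FILE:-/path/to/password-plain.gpg}"

# 0 only if the file exists and has no group/other bits (step 3's chmod 600).
check_secret_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing encrypted password file: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        [0-7]00) return 0 ;;
        *) echo "$f is mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Print the plaintext password on stdout; --batch/--no-tty make gpg fail
# instead of prompting if the key turns out to need a passphrase (step 5).
decrypt_fence_password() {
    check_secret_file "$SECRET_FILE" || return 1
    gpg --batch --no-tty --quiet --decrypt "$SECRET_FILE"
}

# Self-test with a throwaway keyring (gpg 2.1+): unprotected key, encrypt,
# delete the plaintext, decrypt through the wrapper, expect "the PassWord".
demo_roundtrip() {
    tmp=$(mktemp -d) || return 1
    GNUPGHOME="$tmp"; export GNUPGHOME
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'fence <fence@example.com>' default default never \
        2>/dev/null || return 1
    printf 'the PassWord\n' > "$tmp/password-plain"
    gpg --batch --quiet --trust-model always -r fence@example.com \
        -o "$tmp/password-plain.gpg" -e "$tmp/password-plain" || return 1
    rm -f "$tmp/password-plain"; chmod 600 "$tmp/password-plain.gpg"
    SECRET_FILE="$tmp/password-plain.gpg"
    out=$(decrypt_fence_password) || return 1
    gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$tmp"
    [ "$out" = "the PassWord" ] && echo ok
}

# Only decrypt for real when installed under the name used in the article.
case "$0" in */decrypt-password|decrypt-password) decrypt_fence_password ;; esac
```

    Installed as /path/to/script/decrypt-password it behaves like the step-4 script and can be referenced from passwd_script or password_script unchanged.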


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.