Can pacemaker store encrypted sensitive information?
Environment
- Red Hat Enterprise Linux Server 7, 8, and 9 (with the High Availability Add On)
- iDrac, iLo
Issue
- The ask is that the password be encrypted and held inside the cluster configuration for use. We don't want to have to do something outside of cluster to have encrypted passwords for fence agents. We are not looking for a password-less use case.
Resolution
There is no way to encrypt and decrypt sensitive data that pacemaker uses within /var/lib/pacemaker/cib/cib.xml. RHEL 8.3 adds a way to store sensitive data outside of the CIB file, but that data is stored in plain text: Is there a way to store secrets in pacemaker?
Red Hat Enterprise Linux 7
- The issue is being tracked in bugzilla 1584431: Bug 1584431 - [RFE] ilo/idrac/vmware fence agents that do not require a password in a file (RHEL 7 alt-7.6.0). As of Wed, November 11 2020, the status of bugzilla 1584431 is CLOSED. This bug has been closed because the problem described is an issue that will not be fixed. An explanation of why this resolution is set to WONTFIX should be in the bugzilla; if you cannot access the bug or want further information, contact Red Hat support.
Related Articles
- How do I hide the fence device password specified in the cluster configuration?
- Is there a way to store secrets in pacemaker?
Root Cause
The issue is that the cluster must have the username and password of the devices used for fencing. They can be stored encrypted on disk and decrypted by a program, but a root user would also be able to decrypt them. A password script can perform the decryption via the passwd-script option, but the decryption keys must be made available to that script (and a user with root could potentially gain the same access). Unfortunately there isn't any way around this.
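To make the access model concrete, here is an added example (not code from the Red Hat article or from the fence-agents project) of what a fence-agent password script ends up doing: it locates a key file, decrypts a password blob stored on disk, and writes the password to stdout, which is how fence agents consume the script named by their passwd_script parameter. The paths, file names and the hypothetical `pcs` invocation in the comments are assumptions. Because Python's standard library has no AES, the block uses an HMAC-SHA256 keystream with an encrypt-then-MAC tag as a stand-in for a real AEAD; the cipher is not the point. The point is that every input the script needs is readable by the context that runs it, and the fencer runs as root, so the `is_private` check only keeps unprivileged users out.

```python
#!/usr/bin/env python3
# Added example, not from the Red Hat article: a stand-in fence-agent
# passwd_script. fence agents execute the script and take its stdout as the
# device password, so the script (and therefore root, which is what the
# fencer runs as) must be able to reach both the encrypted blob and the key.
import hashlib
import hmac
import os
import secrets
import struct
import sys

KEY_FILE = "/etc/fence/pw.key"       # hypothetical: 32 random bytes, mode 0600
ENC_FILE = "/etc/fence/ilo.pw.enc"   # hypothetical: nonce || ciphertext || tag

# Stand-in cipher: HMAC-SHA256 keystream (CTR style) plus an HMAC tag over
# nonce||ciphertext. Use a vetted AEAD (e.g. AES-GCM) in production.
def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", block),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 16 + 32:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("authentication failed: wrong key or tampered blob")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def is_private(path: str) -> bool:
    """True if the file grants no group/other permission bits.
    Note this is discretionary access control: it stops other users,
    not a process already running as root."""
    return os.stat(path).st_mode & 0o077 == 0

def _write_private(path: str, data: bytes) -> None:
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)  # the mode above only applies on creation

def store_password(key_file: str, enc_file: str, password: str) -> None:
    """One-time setup: generate a key and write the encrypted password.
    Both files land on the node, readable by root, which is the limitation
    the article describes."""
    key = secrets.token_bytes(32)
    _write_private(key_file, key)
    _write_private(enc_file, encrypt(key, password.encode()))

def read_password(key_file: str, enc_file: str) -> str:
    """What the passwd_script call performs on every fence operation."""
    for p in (key_file, enc_file):
        if not is_private(p):
            raise RuntimeError(f"{p} is readable by group/other; refusing")
    with open(key_file, "rb") as f:
        key = f.read()
    with open(enc_file, "rb") as f:
        blob = f.read()
    return decrypt(key, blob).decode()

if __name__ == "__main__":
    # Hypothetical wiring; the agent reads the password from stdout:
    #   pcs stonith create ilo-fence fence_ilo ... passwd_script=/usr/local/sbin/fence-pw.py
    sys.stdout.write(read_password(KEY_FILE, ENC_FILE))
```

The design keeps the key and the blob in separate 0600 files and refuses to run if either is world- or group-readable, which is the most a password script can do: it raises the bar for non-root users on the node but gives no protection against anyone who already has root, matching the article's conclusion.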
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.