2.2.6.2. mijin Catapult(v.2) encryption of node storage

This chapter describes the storage encryption used on the nodes of mijin Catapult(v.2) on AWS.

At the time of deployment, the EBS volumes mounted by each node are not encrypted.
To harden the deployment, the blockchain data and the Mongo data can be encrypted at rest.
This section describes the procedure for encrypting the EBS volume that contains the mijin Catapult(v.2) data, using PEER node 3 as an example.
Creation date: Aug. 1, 2022

Update date: September 9, 2022

2.2.6.2.1. Flow of encrypting a node’s blockchain data

  1. Create a KMS key.

  2. Stop one of the nodes. (In the production configuration, availability is maintained even if one node is stopped.)

  3. Take a snapshot of the stopped node's volume.

  4. Create an encrypted snapshot by copying the snapshot created in step 3.

  5. Create a volume from the encrypted snapshot created in step 4.

  6. Detach the unencrypted blockchain-data volume from the PEER node stopped in step 2.

  7. Attach the volume created in step 5 to the PEER node stopped in step 2.

  8. Start the PEER node stopped in step 2.

Note

The same process is followed on the API node, but because the API node also mounts the Mongo data, two volumes (blockchain data and Mongo data) are encrypted there.

2.2.6.2.2. Create KMS Key

To encrypt storage, use KMS to create an encryption key.
To learn more about key creation with KMS, please refer to the following

From Services, click Security, Identity, & Compliance, then Key Management Service.

../../_images/aws_ebs1.en.png

Click ‘Customer managed keys’ and then click ‘Create key’.

../../_images/aws_ebs2.en.png

Set any name for the alias and click ‘Next’.

../../_images/aws_ebs3.en.png

Specify a key name (alias) and click ‘Next’.

../../_images/aws_ebs4.en.png

Select your own account as the key administrator and click ‘Next’. (In this case, specify the account you are currently logged in to.)

../../_images/aws_ebs5.en.png

Select the account that will use the key and click ‘Next’. (In this case, specify the account you are currently logged in to.)

../../_images/aws_ebs6.en.png

Confirm the values and click ‘Finish’.

../../_images/aws_ebs7.en.png

2.2.6.2.3. Stop one of the nodes

Stopping one PEER or API node does not stop the mijin Catapult(v.2) blockchain network.
Here, we stop PEER node 3 as an example.

Log in to PEER node 3.

See aws_tips_ssm_login and log in to the node.

Stop mijin Catapult(v.2), then stop the EC2 instance.

    # switch to the catapult service user
    sudo su - catapult
    cd mijin-catapult-package/package/peer/catapult/
    # stop the node containers and confirm that none are still running
    docker-compose down
    docker-compose ps
    exit
    # shut the instance down so the volume is snapshotted in a consistent state
    sudo shutdown -h now

../../_images/aws_ebs8.png

2.2.6.2.4. Obtain a snapshot of a stopped node

To create an encrypted volume, you must first create a snapshot of the target volume.
Select the stopped PEER node 3, open the Storage tab, and click the target volume ID.
Note the volume ID and the device name (/dev/sdf) here; both are needed when the encrypted volume is attached later.

../../_images/aws_ebs9.en.png

Click the check box for the target volume and click ‘Create snapshot’.

../../_images/aws_ebs10.en.png

Also note which availability zone this volume belongs to; the encrypted volume must later be created in the same zone.

../../_images/aws_ebs10_2.en.png

Enter a description that is easy to find when searching, and click ‘Create snapshot’.

../../_images/aws_ebs11.en.png

2.2.6.2.5. Create an encrypted snapshot by copying the created snapshot

An encrypted volume is created from an encrypted snapshot, so the encryption itself is applied when the snapshot is copied.
Click Snapshots in the menu, select the snapshot you created, and click ‘Copy snapshot’.

../../_images/aws_ebs12.en.png

For the destination region, select the same region as the node from which the snapshot was taken.
Check ‘Encrypt this snapshot’ and specify the KMS key you created.
Click ‘Copy snapshot’.

../../_images/aws_ebs13.en.png

Make sure the snapshot copy has completed.

../../_images/aws_ebs14.en.png

2.2.6.2.6. Create a volume from an encrypted snapshot

Create an encrypted volume from the encrypted snapshot.
At this point the volume exists but is not yet attached to any instance.
Select the encrypted snapshot and click ‘Create volume from snapshot’.

../../_images/aws_ebs15.en.png

For the availability zone, select the same availability zone as the node from which the snapshot was taken.
Select the KMS key you created.
Click ‘Create volume’.

../../_images/aws_ebs16.en.png

Note

If you select a different availability zone than the node here, the volume cannot be attached to the node, because an EBS volume can only be attached to an instance in the same availability zone.
See Obtain a snapshot of a stopped node for how to confirm the node's availability zone.
If you would like to understand availability zones, please refer to the following

2.2.6.2.7. Detach the volume of blockchain data on the stopped PEER node

Detach the unencrypted volume from the node.
Select the volume from PEER node 3 again.

../../_images/aws_ebs17.en.png

From Volumes, click ‘Detach volume’ and confirm in the dialog that appears.

../../_images/aws_ebs18.en.png

2.2.6.2.8. Attach encrypted volume to PEER node

Attach the encrypted volume to the node.
Select the encrypted volume and click ‘Attach volume’.

../../_images/aws_ebs19.en.png

Select PEER node 3 as the instance and specify the device name you noted down, so that the path is the same as for the volume before encryption.
Click ‘Attach volume’.

../../_images/aws_ebs20.en.png

Verify that the encrypted volume is attached.

../../_images/aws_ebs21.en.png

Note

The device name must be the name of the device noted in Obtain a snapshot of a stopped node.
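As an added check that is not part of the original procedure, the following script audits the output of ``aws ec2 describe-volumes`` for one instance: every volume attached to it must be encrypted with the expected KMS key, the noted device name must be present, and leftover detached volumes (the old unencrypted one, or a copy created in the wrong availability zone) are reported. All instance, volume and key identifiers in the sample are constructed placeholders.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-volumes` output (IDs and
# ARNs are placeholders): PEER node 3's volumes right after the attach step.
EXPECTED_KEY = "arn:aws:kms:ap-northeast-1:111111111111:key/EXAMPLE-KEY-ID"
SAMPLE_DESCRIBE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0example00enc01", "Encrypted": True, "KmsKeyId": EXPECTED_KEY,
     "AvailabilityZone": "ap-northeast-1a",
     "Attachments": [{"InstanceId": "i-0examplepeer3", "Device": "/dev/sdf", "State": "attached"}]},
    # the original unencrypted volume, detached in step 6 but not yet deleted
    {"VolumeId": "vol-0example0plain02", "Encrypted": False,
     "AvailabilityZone": "ap-northeast-1a", "Attachments": []},
    # a volume created from the snapshot in the wrong availability zone
    {"VolumeId": "vol-0example0wrong03", "Encrypted": True, "KmsKeyId": EXPECTED_KEY,
     "AvailabilityZone": "ap-northeast-1c", "Attachments": []},
]})


def audit_volumes(describe_json, instance_id, instance_az, expected_key, expected_device):
    """Check describe-volumes output for one instance.

    Returns (problems, notes): problems are conditions under which the node would
    run on unencrypted or wrongly keyed storage or lack its data disk; notes flag
    detached volumes that still need attention."""
    problems, notes, attached_devices = [], [], set()
    for vol in json.loads(describe_json)["Volumes"]:
        vid = vol["VolumeId"]
        mine = [a for a in vol.get("Attachments", []) if a.get("InstanceId") == instance_id]
        if not mine:
            if vol["AvailabilityZone"] != instance_az:
                notes.append(f"{vid}: in {vol['AvailabilityZone']}, cannot be attached to "
                             f"{instance_id} in {instance_az}; recreate it from the snapshot")
            if not vol["Encrypted"]:
                notes.append(f"{vid}: unencrypted detached volume; delete once the node is verified")
            continue
        attached_devices.update(a["Device"] for a in mine)
        if not vol["Encrypted"]:
            problems.append(f"{vid}: attached at {mine[0]['Device']} but not encrypted")
        elif vol.get("KmsKeyId") != expected_key:
            problems.append(f"{vid}: encrypted with unexpected key {vol.get('KmsKeyId')}")
    if expected_device not in attached_devices:
        problems.append(f"nothing attached at {expected_device}; the catapult data will not mount")
    return problems, notes


if __name__ == "__main__":
    probs, notes = audit_volumes(SAMPLE_DESCRIBE_VOLUMES, "i-0examplepeer3",
                                 "ap-northeast-1a", EXPECTED_KEY, "/dev/sdf")
    print("problems:", probs)
    print("notes:", notes)
```

On a real node, pipe the output of ``aws ec2 describe-volumes --filters Name=availability-zone,Values=<zone>`` into ``audit_volumes`` with the instance ID, zone, key ARN and device name you noted earlier.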

2.2.6.2.9. Start up a stopped PEER node

Start the stopped node, then start mijin Catapult(v.2) as well.
From the list of instances, select PEER node 3 and click ‘Start instance’.

../../_images/aws_ebs22.en.png

Log in to PEER node 3.

See aws_tips_ssm_login and log in to the node.

Make sure the disk is mounted, then start mijin Catapult(v.2).

    # confirm the encrypted volume is mounted at the expected path
    df -h
    # switch to the catapult service user and start the node containers
    sudo su - catapult
    cd mijin-catapult-package/package/peer/catapult/
    docker-compose up -d
    # confirm the containers are running
    docker-compose ps

../../_images/aws_ebs23.png