IBM Cloud Bare Metal Servers satisfy the requirements of many workloads with very high CPU and I/O demands, and they can be very cost-efficient if you are able to fully utilize the server. However, there are cases when a customer needs boot drive encryption for bare metal servers. Operationally, such encryption implies that the operating system, the root file system and the files it generates are all transparently encrypted by the underlying encryption layer. This article shows how IBM Cloud VPC block storage and an NFS virtual server, in conjunction with a customized bootloader on the bare metal server, can be used to achieve that goal.
During a “normal” system boot, the initial bootloader code is read from a special “boot” partition on a disk attached to the server. This bootloader then loads the operating system kernel and an initial RAM disk image and file system (initramfs) into memory. The executables in the initial RAM file system find the root file system partition on a disk attached to the server and mount it. The system boot then proceeds by launching the operating system initialization processes on the root file system.
In his Medium post, Amartey Pearson describes how to network boot an IBM Cloud Bare Metal Server using a custom image with an iPXE EFI bootloader executable that loads an iPXE script from an HTTP(S) server. We extend this method by using iPXE to load a kernel and an NFS-enabled initramfs from the HTTP server. The kernel is then booted and mounts the root file system from an NFS export served by an NFS server running on a VSI with an attached block volume.
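The iPXE script that the bootloader fetches would look like the following. This is an added example, not the article's or the author's script: the HTTPS host name, the NFS server address and the export path are placeholders, and the kernel parameters `root=/dev/nfs`, `nfsroot=` and `ip=dhcp` are the Linux kernel's documented NFS-root options, which the NFS-enabled initramfs must honour.

```ipxe
#!ipxe
# Added example; boot.example.internal, 10.240.0.5 and /export/root are placeholders.
# Load the kernel over HTTPS and tell it that the root file system lives on NFS:
#   root=/dev/nfs  -> mount root over NFS instead of a local partition
#   nfsroot=...    -> NFS server (the VSI with the block volume) and export path
#   ip=dhcp        -> configure the interface in the initramfs before mounting
kernel https://boot.example.internal/vmlinuz root=/dev/nfs nfsroot=10.240.0.5:/export/root ip=dhcp rw
# Load the initramfs that carries the network drivers and the NFS client.
initrd https://boot.example.internal/initramfs.img
# Hand control to the kernel; the initramfs mounts the NFS root and continues the boot.
boot
```

Because the bare metal server executes whatever the bootloader downloads, the kernel and initramfs should be served over HTTPS from a host you control, and the NFS server should only export the root file system to the bare metal server's address. The encryption itself is provided by the block volume attached to the NFS-serving VSI, so nothing about the bare metal server's own disks needs to change.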