Getting Started
Assumption
To ensure that Secure HPC can protect your sensitive data, we start by trusting two main systems:
- The HPC System’s Image Server: We assume that the image server, which is part of the HPC system, is secure. It is located in a highly secure area of the HPC system, protected by multiple layers of security, and is only accessible by a few essential services and administrators. This secure location helps us trust that the image server is safe from unauthorized access.
- The User’s Personal System (Secure Client): We also assume that your personal system, such as a laptop or workstation, is secure. This is crucial because your data begins its journey on your local system before being sent to Secure HPC.
It is important to understand that the secure client should be highly trusted by you. If your local system is not secure, your data could be compromised before it even reaches the secure workflow of Secure HPC. This is why we emphasize the term secure client—it signifies that your local system must be safeguarded with utmost care to ensure the overall security of your data.
These assumptions are essential because they ensure that the entire process, from start to finish, is secure. Trust in the system comes from knowing that both the initial and final stages of the process are protected.
Requirements
Minimum Hardware Requirements
- Processor: 4-core CPU (Intel/AMD)
- Memory: 8 GB RAM
- Storage: 100 GB available disk space
- Network: Internet connection
User Requirements
Secure Node from the Admin:
Access to HPC System: Access to the HPC system is required. If you don’t have an account, please refer to our page getting an account.
Initial experience with job submission with Slurm: Users should be familiar with job submission processes and using the Slurm workload manager. Please refer to our Slurm documentation for more details.
Access to our HashiCorp Vault server: This requirement is fulfilled once you have got in touch with us and we have provided you with a token. The token has to be placed in a specific directory named secret. See the "Installation of required Softwares" step in the Installation Guidelines.
Preparation of the secure client
Access request to the cluster and KMS server
- HPC System Access: Ensure that you have an account and the necessary permissions to access the HPC system.
- Vault Access: Request access to the Vault (Key Management System) for managing encryption keys.
Installation Guidelines
Installation of required Softwares:
Git: Version control system for managing code. For installation instructions, visit the Git installation guide.
Apptainer (formerly Singularity): Container platform for running applications in isolated environments. For installation instructions, visit the Apptainer installation guide.
HashiCorp Vault: Follow the instructions from the official website.
Cryptsetup: Installation
On Debian based OS (Ubuntu, Mint, etc):
sudo apt-get update
sudo apt-get install cryptsetup
On RHEL based OS (Rocky Linux, Fedora, etc):
sudo dnf update
sudo dnf install cryptsetup
GPG is available by default on every Linux based OS
In your home directory, create a folder with a name of your choice. For this example, we are going to use the name client_assets:
mkdir client_assets
Create a new directory called secret in client_assets:
cd ~/client_assets
mkdir secret
This is where all the keys and Vault tokens are going to be stored.
Next, copy the <local_uid>.token file you received into it.
Tip: Follow these steps if you want to verify that your token is valid:
Set the Vault Server Address:
export VAULT_ADDR='https://kms.hpc.gwdg.de:443'
Set the token:
export VAULT_TOKEN=$(cat secret/<local_uid>.token)
Check Token Lookup:
vault token lookup
If the token is valid, you will see output with details about the token (like its policies, expiration, etc.).
If the token is invalid, you’ll see an error message. Report it to the administrator to fix it.
For the bash signature, contact the administrator to get a private key, and save it in the secret directory.
Clone the Secure HPC Git Repository: Open a terminal and clone the Secure HPC Git repository into the home directory of the secure client with the following command:
git clone https://github.com/gwdg/secure-hpc.git
In the home directory, you will find the git repository secure-hpc.
cd secure-hpc/client
./replace_placeholders.sh <local_uid> <containername> <apptainer_container> <hpc_uid> <client_dir>
where:
- <local_uid>: The local user ID on the secure client.
- <containername>: Name of the data container.
- <apptainer_container>: Apptainer container name.
- <hpc_uid>: User ID on the HPC system.
- <client_dir>: Directory where client tools and scripts will be prepared.
This command replaces the placeholders in the template files with the provided arguments and copies all other files and directories from the secure-hpc/client directory to a tools directory inside the directory created in step 2.
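The secret directory created above holds the Vault token and the private keys, so its permissions are worth auditing before VAULT_TOKEN is exported. The following is an added example, not part of the Secure HPC repository; the function names and the limits of 0700 for directories and 0600 for files are assumptions of this example, and it relies on GNU stat as shipped with the Debian and RHEL based systems named above.

```bash
# Added example: permission audit for the secret directory.
# Assumed layout (from the steps above): ~/client_assets/secret/<local_uid>.token

# check_mode PATH MAX: succeed only if PATH exists, is not a symlink, is owned
# by the current user and has no permission bit set outside MAX (octal).
check_mode() {
    local path=$1 max=$2 mode owner
    if [ -L "$path" ] || [ ! -e "$path" ]; then
        echo "FAIL: $path is missing or is a symlink" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$path")
    owner=$(stat -c '%u' "$path")
    if [ "$owner" != "$(id -u)" ]; then
        echo "FAIL: $path is not owned by the current user" >&2
        return 1
    fi
    # Bits present in mode but absent from max make the path too permissive.
    if [ $(( 0$mode & ~0$max & 07777 )) -ne 0 ]; then
        echo "FAIL: $path has mode $mode, expected at most $max" >&2
        return 1
    fi
}

# audit_secret_dir DIR: DIR and its sub-directories may be at most 0700,
# every other direct entry (tokens, private keys) at most 0600.
audit_secret_dir() {
    local dir=$1 f max rc=0
    check_mode "$dir" 700 || return 1
    for f in "$dir"/* "$dir"/.[!.]*; do
        # Skip unmatched glob patterns, but keep dangling symlinks so they fail.
        [ -e "$f" ] || [ -L "$f" ] || continue
        max=600
        if [ -d "$f" ] && [ ! -L "$f" ]; then max=700; fi
        check_mode "$f" "$max" || rc=1
    done
    return $rc
}

# Usage (run before the token check in the tip above):
#   audit_secret_dir ~/client_assets/secret && echo "secret directory OK"
```

If the audit fails, tighten the permissions with chmod 700 on the directory and chmod 600 on the files in it, then run it again.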
Step-by-Step Instructions for Installing Secure HPC:
Configure Secure HPC:
Generate GPG Key Pair:
gpg --full-generate-key
Follow the prompts to create your key pair.
Upload Public Key to Vault: Use the instructions provided by your HPC administrator to upload your public key to Vault.
Configuration Settings:
- Encryption Configuration: Configure LUKS containers and Singularity/Apptainer containers as per the Secure HPC guidelines.
- Vault Configuration: Ensure the Vault is properly configured for key management. Follow the instructions provided by your HPC administrator.