From 42e5038b57aca6001da5d97afc3c7f2027d4a975 Mon Sep 17 00:00:00 2001 From: Juanita Balaraj Date: Mon, 15 Apr 2024 19:46:23 +0000 Subject: [PATCH] Added Partial Disk (Transparent) Encryption Support via Software Encryption (LUKS) (r9, dsr8MR3) Added rest file for partner only updates Added abbrev for LUKS Added Note in the backup chapter Change-Id: I2324655947a03b8cbe93bb4bbd130b05e9dd40a6 Signed-off-by: Juanita Balaraj --- ...l-disk-encryption-support-37cf9e2651db.rest | 6 ++++++ .../backing-up-starlingx-system-data.rst | 6 +++++- .../index-security-kub-81153c1254c3.rst | 9 +++++++++ ...n-support-via-software-enc-27a570f3142c.rst | 18 ++++++++++++++++++ doc/source/shared/abbrevs.txt | 1 + 5 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 doc/source/_includes/partial-disk-encryption-support-37cf9e2651db.rest create mode 100644 doc/source/security/kubernetes/partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c.rst diff --git a/doc/source/_includes/partial-disk-encryption-support-37cf9e2651db.rest b/doc/source/_includes/partial-disk-encryption-support-37cf9e2651db.rest new file mode 100644 index 000000000..1c86fbe24 --- /dev/null +++ b/doc/source/_includes/partial-disk-encryption-support-37cf9e2651db.rest @@ -0,0 +1,6 @@ + +.. begin-partial-disk-encrypt + +.. end-partial-disk-encrypt + + diff --git a/doc/source/backup/kubernetes/backing-up-starlingx-system-data.rst b/doc/source/backup/kubernetes/backing-up-starlingx-system-data.rst index 3888227ee..c81cc5cac 100644 --- a/doc/source/backup/kubernetes/backing-up-starlingx-system-data.rst +++ b/doc/source/backup/kubernetes/backing-up-starlingx-system-data.rst @@ -18,6 +18,10 @@ using DCManager CLI ` for how to remotely backup a subcloud from the System Controller. +.. note:: + + Backup archives should be stored in a secured (offsite) location. + .. contents:: |minitoc| :local: :depth: 1 
@@ -206,7 +210,7 @@ Recommended Backup and Retention Policies .. warning:: Using the ``-e ignore_health=true`` option should be avoided unless - it is required. Restoring an unhealthy backup will result in system issues. + it is required. Restoring an unhealthy backup will result in system issues. - All backups are done during off-peak hours (i.e. maintenance window). diff --git a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst index 323df057c..df7dd822e 100644 --- a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst +++ b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst @@ -162,6 +162,15 @@ Encrypt Kubernetes Secret Data at Rest encrypt-kubernetes-secret-data-at-rest +**************************************************************************** +Partial Disk (Transparent) Encryption Support via Software Encryption (LUKS) +**************************************************************************** + +.. toctree:: + :maxdepth: 1 + + partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c + ********************* Linux Auditing System ********************* diff --git a/doc/source/security/kubernetes/partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c.rst b/doc/source/security/kubernetes/partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c.rst new file mode 100644 index 000000000..da205ad01 --- /dev/null +++ b/doc/source/security/kubernetes/partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c.rst 
@@ -0,0 +1,18 @@ +.. _partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c: + +============================================================================ +Partial Disk (Transparent) Encryption Support via Software Encryption (LUKS) +============================================================================ + +.. rubric:: |context| + +A new encrypted filesystem using Linux Unified Key Setup (LUKS) is created +automatically on all hosts to store security-sensitive files. This is mounted +at '/var/luks/stx/luks_fs' and the files kept in '/var/luks/stx/luks_fs/controller' +directory are replicated between the controllers. + +.. only:: partner + + .. include:: /_includes/partial-disk-encryption-support-37cf9e2651db.rest + :start-after: begin-partial-disk-encrypt + :end-before: end-partial-disk-encrypt diff --git a/doc/source/shared/abbrevs.txt b/doc/source/shared/abbrevs.txt index ff10cee2b..a310e2718 100755 --- a/doc/source/shared/abbrevs.txt +++ b/doc/source/shared/abbrevs.txt @@ -89,6 +89,7 @@ .. |LDPC| replace:: :abbr:`LDPC (Low-Density Parity Check)` .. |LLDP| replace:: :abbr:`LLDP (Link Layer Discovery Protocol)` .. |LSM| replace:: :abbr:`LSM (Linux Security Modules)` +.. |LUKS| replace:: :abbr:`LUKS (Linux Unified Key Setup)` .. |LVG| replace:: :abbr:`LVG (Local Volume Groups)` .. |MAC| replace:: :abbr:`MAC (Media Access Control)` .. |MEC| replace:: :abbr:`MEC (Multi-access Edge Computing)`
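
Review bot: The new doc/source/_includes/partial-disk-encryption-support-37cf9e2651db.rest has nothing between its "begin-partial-disk-encrypt" and "end-partial-disk-encrypt" markers, so the "only:: partner" include in the new security page pulls in empty content. If the file is a placeholder for a downstream overlay, say so in a comment inside the file. The leading blank line and the two trailing blank lines can also go.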
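
Review bot: In the note added near the top of backing-up-starlingx-system-data.rst, "secured (offsite)" leaves it unclear whether offsite storage is a requirement or only one example of a secured location, and the note gives the reader no reason for it. Suggest stating the two conditions separately (access-controlled, and off the system being backed up). Since this patch also documents the LUKS filesystem, say whether the backup archive includes files from it, because the added lines do not tell the reader whether those files stay encrypted once they are in an archive.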
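
Review bot: In the warning under "Recommended Backup and Retention Policies" (hunk at -206,7 +210,7), the removed and added line "it is required. Restoring an unhealthy backup will result in system issues." read the same, so this looks like a whitespace-only change unrelated to the LUKS documentation. Either drop it from this patch or mention the cleanup in the commit message so the history for that line stays meaningful.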
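
Review bot: The context paragraph of the new partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c.rst says the filesystem stores "security-sensitive files" but does not say which files those are, how the volume is unlocked when it is "created automatically", or how replication of the "controller" directory between controllers is protected. An operator needs at least a sentence on each to judge what the feature covers. Two markup points in the same paragraph: the paths are wrapped in single quotes ('/var/luks/stx/luks_fs') where the docs use inline literals, as the backup page does for "-e ignore_health=true", and the text spells out "Linux Unified Key Setup (LUKS)" while this patch adds a |LUKS| substitution to abbrevs.txt that none of the added lines use. Also "kept in '/var/luks/stx/luks_fs/controller' directory" is missing "the".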