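## Initial setup to be executed on boot
##====================================
# Replace every <placeholder> below with a real value before running.
# Create an empty (sparse) file. This file will be used to host the file system.
# In this example we create a <disk-size> (for example: 60G) file at <path-to-encrypted-file> (for example: /home/tigergraph/gstore_enc).
dd of=<path-to-encrypted-file> bs=<disk-size> count=0 seek=1
# Lock down normal access to the file.
chmod 600 <path-to-encrypted-file>
# Associate a loopback device with the file.
# NOTE(review): /dev/loop0 is hard-coded; confirm it is not already in use on this host.
losetup /dev/loop0 <path-to-encrypted-file>
# Copy the encrypted password file from S3. The password is used to configure LUKS later on.
# The downloaded file is KMS ciphertext; the clear-text key is never written to disk by this script.
aws s3 cp s3://<your-bucket-name>/LuksInternalStorageKey .
# Decrypt the password from the file with KMS, save the secret password in LuksClearTextKey
LuksClearTextKey=$(aws --region <your-region> kms decrypt --ciphertext-blob fileb://LuksInternalStorageKey --output text --query Plaintext | base64 --decode)
# Stop if decryption produced nothing, so the volume is never formatted
# with an empty passphrase (a failed aws call is otherwise hidden by the pipe).
if [ -z "$LuksClearTextKey" ]; then
  echo "KMS decryption returned an empty key; aborting." >&2
  exit 1
fi
# Encrypt storage in the device. cryptsetup will use the Linux
# device mapper to create, in this case, /dev/mapper/tigergraph_gstore.
# Initialize the volume and set an initial key.
# The key is passed on stdin so it does not appear in the process argument list;
# printf is used instead of echo so a key starting with "-" is not taken as an option.
printf '%s\n' "$LuksClearTextKey" | cryptsetup -y luksFormat /dev/loop0
# Open the partition, and create a mapping to /dev/mapper/tigergraph_gstore.
printf '%s\n' "$LuksClearTextKey" | cryptsetup luksOpen /dev/loop0 tigergraph_gstore
# Clear the LuksClearTextKey variable because we don't need it anymore.
unset LuksClearTextKey
# Create a file system and verify its status.
mke2fs -j -O dir_index /dev/mapper/tigergraph_gstore
# Mount the new file system to /mnt/secretfs (create the mount point if it is missing).
mkdir -p /mnt/secretfs
mount /dev/mapper/tigergraph_gstore /mnt/secretfs
# Change the permission so that only tigergraph has access to the file system
# db_user must be set by the caller; the expansion aborts if it is empty or unset.
chmod -R 700 /mnt/secretfs
chown -R "${db_user:?db_user must be set}:${db_user}" /mnt/secretfs
# Run the one-command installation script with TigerGraph root path under /mnt/secretfs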