Encrypting local (non-system) disks turned out to be quite a simple task.
1. Choose a partition for future encrypted storage.
fdisk -l
On a clean install on a single-disk system, this will be /dev/sda3. I will use it as the example.
Note: XenServer uses GPT instead of MBR, so the fdisk listing may contain errors. It is better to edit partitions with gdisk, partx or parted.
2. Check what storage already exists. If the target partition is already in use, you will have to delete the corresponding local storage.
Get the SR-UUID of the repository
xe sr-list
Before removing the repository, you will have to remove the PBD.
xe sr-param-list uuid=<SR-UUID> | grep PBD
Unplug and destroy the PBD first, and then the SR.
xe pbd-unplug uuid=<PBD-UUID>
xe pbd-destroy uuid=<PBD-UUID>
xe sr-destroy uuid=<SR-UUID>
xe sr-forget uuid=<SR-UUID>
3. Create an encrypted partition.
cryptsetup -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/sda3
Enter the password for the partition and YES to confirm.
4. Open the encrypted partition
cryptsetup luksOpen /dev/sda3 fs_point
fs_point is the name under which the partition will be available in the system; choose it at your discretion.
The encrypted partition will be available on the system as /dev/mapper/fs_point.
5. Attach the encrypted partition as local storage
Get the host UUID
xe host-list
And create the SR
xe sr-create content-type=user device-config:device=/dev/mapper/fs_point host-uuid=<HOST-UUID> name-label="Local Storage - Encrypted" shared=false type=lvm
6. After rebooting the server, you will have to manually unlock the partition and plug the SR.
Unlocking the partition
cryptsetup luksOpen /dev/sda3 fs_point
Plugging the SR
xe pbd-plug uuid=<PBD-UUID>
The SR can be looked up in XenCenter or with xe sr-list, and its PBD UUID found as in step 2.
It is convenient to make a script for these two commands.
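One way to write that script, as an added example that is not part of the original article: it opens the LUKS partition if it is not already open, then plugs any unattached PBD of the SR. The function names and the lookup of the SR by the name-label from step 5 are assumptions.

```shell
#!/bin/sh
# Added example: the two post-reboot commands from step 6 as one script.
# Assumption: the SR is found by the name-label given in step 5.

# Print the UUID of the single SR carrying label $1, or fail.
find_sr_uuid() {
    uuids=$(xe sr-list name-label="$1" --minimal) || return 1
    case "$uuids" in
        ""|*,*)
            echo "expected exactly one SR named '$1', got '$uuids'" >&2
            return 1 ;;
    esac
    printf '%s\n' "$uuids"
}

# Open LUKS device $1 as /dev/mapper/$2 unless it is already open.
# luksOpen prompts on the terminal; no passphrase is stored in this script.
unlock_partition() {
    if [ -e "/dev/mapper/$2" ]; then
        return 0
    fi
    if ! cryptsetup isLuks "$1"; then
        echo "$1 is not a LUKS device" >&2
        return 1
    fi
    cryptsetup luksOpen "$1" "$2"
}

# Plug every PBD of the SR labelled $1 that is not attached yet.
plug_sr() {
    sr_uuid=$(find_sr_uuid "$1") || return 1
    pbds=$(xe pbd-list sr-uuid="$sr_uuid" currently-attached=false --minimal) || return 1
    old_ifs=$IFS
    IFS=,                       # --minimal output is comma-separated
    for pbd in $pbds; do
        IFS=$old_ifs
        xe pbd-plug uuid="$pbd" || return 1
    done
    IFS=$old_ifs
}

# Runs only when given arguments: sh unlock-sr.sh /dev/sda3 fs_point [label]
if [ "$#" -ge 2 ]; then
    unlock_partition "$1" "$2" && plug_sr "${3:-Local Storage - Encrypted}"
fi
```

Keeping the passphrase prompt interactive means nothing that unlocks the partition is stored on the host itself.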