How to encrypt a disk?
Posted on 02.09.2013 11:28

This time we'll show you how to create an encrypted disk in the Oktawave cloud and how to use it.

 

  1. Need to know at the beginning
  2. How to create and partition OVS Volume
  3. Partition encryption
  4. Encrypted partition - connection to the system
  5. Connection automation of encrypted partitions
  6. Transmission of information on encrypted partition

 

1. Need to know at the beginning

Before creating encrypted disks, you should consider several issues. The first of these is the management of encryption keys and their storage. One thing is certain: you should not keep your key in the cloud - it should be kept as far away from the data as possible. A good solution is to memorize the decryption passphrases - recommended techniques are described here: http://drfugazi.eu.org/security/diceware.

It is also worth noting that you should change the default root password and disable the Oktawave support account. This involves some risk - if something goes wrong, no one will be able to help you configure your service, but that is the whole point, is it not?

The second issue is the encryption system. Due to the higher maintenance cost of a Windows instance, the difficulty of securing that system and the weaknesses of its EFS encryption (unencrypted data from the original file remains on the disk after the encrypted version is created), we'll use Linux. Here it is simple to use EncFS, which runs in user space, but it is limited in what it can do - it does not protect against a curious administrator with root access. That is why it is much better to use dm-crypt/LUKS, which is well integrated with the kernel and encrypts whole partitions transparently to the file system.

What encryption should you choose? The most commonly chosen cipher today is AES, which is also the default. The Linux kernel offers other block ciphers with a high level of security, for example Serpent, Twofish and Camellia - we suggest you become familiar with the topic and choose the best option for you. The discussion should include the period during which the encrypted data must remain secure, or simply the length of the key.

The third thing is to think about what you want to encrypt. While creating encrypted virtual machine images, don't forget about the swap partition, and specifically that it needs to be encrypted because of the role it plays in the system. Do not forget to encrypt the home directories (/home/*) and the temporary directory (/tmp). Encrypting the entire disk is not possible - you have to leave at least the /boot partition unencrypted so that the system can boot.

The last issue is the problem of instance reboots. If you are using an older Linux image with the grub v1 bootloader (e.g. Debian 6), the bootloader will try to connect the encrypted partition automatically at boot. Then your instance is not able to come up automatically: it will wait for the password to connect the encrypted partition. So you have to edit the bootloader configuration and disable automatic mounting of LUKS file systems. After restarting the instance, you log in to the virtual machine via SSH and connect the encrypted partition manually. How to do this - refer to the grub documentation.

Better yet, use the latest distribution with the grub v2 bootloader (e.g. Debian 7). This problem has been fixed there - the system will start without connecting the encrypted partition.

2. How to create and partition OVS Volume

We assume that you already have an OCI virtual machine in Oktawave. If not, you can create it according to the instructions in our documentation (https://kb.oktawave.com/Knowledgebase/Article/View/65/5/how-do-i-add-instances-oci-and-how-to-manage-them). In this example we will use Debian 7, but with minor changes all the operations described below can be performed in distributions such as Ubuntu, CentOS, openSUSE and Gentoo.

If you already have a running instance, let's add the disk to it. In the Oktawave panel select SERVICES | Oktawave Volume Storage, then click the ADD STORAGE button, give the volume a name (e.g. crypto_1), set the performance tier (Tier-1 to Tier-5), set the size in GB and choose the virtual machine to which the encrypted volume will be attached.

Note: Due to the overhead generated by the on-the-fly encryption mechanism, it is wise to choose one performance tier higher than you would choose for an unencrypted partition.

When you click the ADD button, the OVS volume will be attached to the virtual machine. How do you get to it from the operating system? Log in as the administrator (root) via SSH and type the following at the prompt.

# dmesg | tail

This way you will learn the name of the device in the system - the messages about attaching the /dev/sdb drive will look like this:


[  388.402436] sd 2:0:2:0: [sdb] Write Protect is off
[  388.402439] sd 2:0:2:0: [sdb] Mode Sense: 61 00 00 00
[  388.402515] sd 2:0:2:0: [sdb] Cache data unavailable
[  388.402518] sd 2:0:2:0: [sdb] Assuming drive cache: write through
[  388.403602] sd 2:0:2:0: [sdb] Cache data unavailable
[  388.403605] sd 2:0:2:0: [sdb] Assuming drive cache: write through
[  388.407639]  sdb: unknown partition table
[  388.407879] sd 2:0:2:0: [sdb] Cache data unavailable
[  388.407881] sd 2:0:2:0: [sdb] Assuming drive cache: write through
[  388.407965] sd 2:0:2:0: [sdb] Attached SCSI disk


Create a partition on the disk with the following command.

# cfdisk /dev/sdb

In the cfdisk tool create the partition by choosing New, setting the type to Primary and entering the size - in our case, just accept the default size, covering the whole 5 GB volume. From the menu choose Type to select the partition type and pick entry 83 from the list - a Linux partition.

Finally, save your changes by choosing Write, confirm the operation by typing yes, and exit cfdisk by selecting Quit.

This way you have created the /dev/sdb1 partition.



3. Partition encryption

Once the OVS disk is attached to the virtual machine, install the cryptsetup package for dm-crypt encryption by typing the following command in a shell.

# apt-get install cryptsetup

Now format the new partition as an encrypted LUKS volume.

# cryptsetup -y luksFormat /dev/sdb1

While formatting you will be asked for a passphrase. Enter a string with the right level of complexity, of at least a dozen characters including special characters (e.g. "Mary-had-lamb-bial0"). Remember it well and do not store it anywhere. If you forget it, you cannot recover the encrypted data from the disk.

Now check that everything went correctly.

# cryptsetup luksDump /dev/sdb1

You should get a result similar to the following message.

LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
MK digest:      67 33 2d 9c a3 8a 84 91 98 46 2a 0d ca d2 6c 24 70 4d 87 9c
MK salt:        83 19 e1 7a ee db cb d0 d2 c7 4f fe ba 3c 30 5f
                43 44 5c 20 80 4c 95 f7 b4 10 29 ff 5b 8f c6 ab

[ ... ]
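The header fields above are also what you would check in an audit: that the cipher is one of the ones discussed in section 1 and that the master key is as long as your retention period demands. The script below is an added example, not part of the original article, that parses luksDump-style output and applies such a minimum key-length policy. The SAMPLE_DUMP text is constructed to match the output shape shown above; the function names luks_field and luks_policy_check are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): check the cipher parameters that
# "cryptsetup luksDump" reports against a simple policy. Field names are
# the LUKS1 header fields shown in the article's luksDump output.

# Constructed sample with the same shape as the article's output.
SAMPLE_DUMP='LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 4096
MK bits:        256'

# luks_field DUMP FIELD: print the value of "FIELD:". The field name must
# match exactly; the value itself may contain colons (cbc-essiv:sha256).
luks_field() {
    printf '%s\n' "$1" | awk -v key="$2" -F':' '
        $1 == key {
            v = $2
            for (i = 3; i <= NF; i++) v = v ":" $i
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v
            exit
        }'
}

# luks_policy_check DUMP MIN_BITS: return 0 when the cipher is one of those
# the article mentions and the master key has at least MIN_BITS bits.
luks_policy_check() {
    dump=$1
    min_bits=$2
    cipher=$(luks_field "$dump" "Cipher name")
    mode=$(luks_field "$dump" "Cipher mode")
    hash=$(luks_field "$dump" "Hash spec")
    bits=$(luks_field "$dump" "MK bits")
    printf 'cipher=%s mode=%s hash=%s mk_bits=%s\n' "$cipher" "$mode" "$hash" "$bits"
    rc=0
    case "$cipher" in
        aes|serpent|twofish|camellia) ;;
        *) echo "WARN: cipher '$cipher' is not on the allowed list"; rc=1 ;;
    esac
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "WARN: master key is ${bits:-unknown} bits, policy requires $min_bits"
        rc=1
    fi
    return $rc
}

# On a real device (as root): luks_policy_check "$(cryptsetup luksDump /dev/sdb1)" 256
luks_policy_check "$SAMPLE_DUMP" 256
```

The check returns a non-zero status when the policy is violated, so it can be dropped into a provisioning script that refuses to continue with a weaker header than intended.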

 

4. Encrypted partition - connection to the system

To be able to use the encrypted partition, you must create a device mapping that allows it to be mounted in the file system. To do this, just type the following.

# cryptsetup luksOpen /dev/sdb1 krypto_part

You will be asked for the passphrase that encrypts the partition ("Mary-had..."), so enter it.

Now format the mapped partition with one of the file systems supported by Linux. Here we chose the popular ext4.

# mkfs.ext4 -m 0 /dev/mapper/krypto_part

Now that everything is set up, we need to mount the encrypted partition in the Linux system.

# mkdir /krypto1
# mount /dev/mapper/krypto_part /krypto1

You can also check the status of the connected partition.

# cryptsetup status krypto_part

If you now want to move one of the system directories onto the encrypted partition (e.g. /tmp), you can do the following.

# mkdir /krypto1/tmp
# rsync -va /tmp/ /krypto1/tmp/
# mv /tmp /tmp.old          # later you can delete /tmp.old to free space
# mkdir -m 1777 /tmp        # recreate the mount point with the permissions /tmp needs
# mount -o bind /krypto1/tmp /tmp

Check the documentation of the applications running on the server to find out where they store their files. Most often these are directories such as /tmp/application or /var/log/application.

After binding the system directories to the encrypted partition, edit the /etc/fstab file so that the changes remain permanent. This line will apply the bind for the /tmp directory.

/krypto1/tmp /tmp none bind 0 0
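Because this step is repeated for every directory you move (/tmp, /var/log/application, ...), it pays to script it so that a second run does not add a duplicate entry. The following is an added example, not part of the original article: it generates the six-field bind entry in the form shown above and appends it only if the mount point is not yet listed. It works on a constructed temporary copy so it can be run anywhere; the function names and the sample fstab content are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): manage "none bind" fstab entries
# idempotently. Real use would target /etc/fstab as root; the demo at the
# bottom writes a constructed temporary file instead.

# fstab_bind_line SRC DST: print the six-field entry for a bind mount
fstab_bind_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# fstab_has_mount FILE DST: succeed if FILE already mounts something on DST.
# Comment lines and blank lines are ignored; field 2 is the mount point.
fstab_has_mount() {
    awk -v dst="$2" '
        $1 !~ /^#/ && NF >= 2 && $2 == dst { found = 1 }
        END { exit !found }' "$1"
}

# fstab_add_bind FILE SRC DST: append the bind entry unless DST is listed
fstab_add_bind() {
    if fstab_has_mount "$1" "$3"; then
        echo "skip: $3 is already in $1"
        return 0
    fi
    fstab_bind_line "$2" "$3" >> "$1"
    echo "added: $2 -> $3"
}

# Constructed demo fstab (the UUID is a placeholder, not a real volume)
DEMO_FSTAB=$(mktemp)
printf '%s\n' '# /etc/fstab (constructed sample)' \
    'UUID=PLACEHOLDER-ROOT / ext4 errors=remount-ro 0 1' > "$DEMO_FSTAB"

fstab_add_bind "$DEMO_FSTAB" /krypto1/tmp /tmp
fstab_add_bind "$DEMO_FSTAB" /krypto1/tmp /tmp   # second call is a no-op
cat "$DEMO_FSTAB"
```

Matching on the mount point rather than on the whole line means the helper also refuses to add a bind for a directory that some other fstab entry already mounts, which is the case you want to notice rather than silently stack mounts.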



5. Connection automation of encrypted partitions

When an instance starts in the cloud, the encrypted partition will not be activated automatically. To simplify the process of connecting it, you should prepare a suitable script.

#!/bin/bash
## Configuration ##
_part="/dev/sdb1"
_name="krypto_part"
_source="/dev/mapper/krypto_part"
_dest="/krypto1/"

set -e   # stop at the first failing step

# Open the LUKS container (asks for the passphrase) unless it is already mapped
echo
if /sbin/cryptsetup status "${_name}" >/dev/null 2>&1; then
    echo "${_name} is already open"
else
    /sbin/cryptsetup luksOpen "${_part}" "${_name}"
fi

# Mount the decrypted device unless it is already mounted
echo
if ! mountpoint -q "${_dest}"; then
    /bin/mount "${_source}" "${_dest}"
fi

# Apply the bind entries (such as the /tmp line) from /etc/fstab
/bin/mount -a

df -H

If you save it (under a name such as /usr/local/sbin/mount_luks.sh) and make it executable by the administrator only (chmod 700 /usr/local/sbin/mount_luks.sh), the script will let you connect the encrypted partition to the system after a reboot - just run the mount_luks.sh command.

Obviously you can do much more - such as running a web server with a web application whose data is stored on the encrypted partition. Detailed information about running services and servers this way can be found in the documentation.

 

6. Transmission of information on encrypted partition

Encryption is pointless if the data is not sent to the partition securely. Do not use plain FTP; use SFTP (the SSH File Transfer Protocol) instead. If you install openssh-server in your virtual machine, you have everything you need on the server side. From your own computer you can connect with programs such as FileZilla or WinSCP, a description of which is beyond the scope of this guide. Just remember that to log in you use the same username and password as for SSH.

This is just the tip of the iceberg. To enhance access security, you should completely abandon passwords and log in using public-key authentication. You can also set up your own private network to connect to the virtual machine. How to do this, we will show in the following guides.
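Until those guides appear, the two settings this section asks for (password logins off, public keys on) plus an SFTP subsystem can be verified directly in sshd_config. The script below is an added example, not part of the original article: it reads the effective value of a keyword the way sshd does, where the first non-comment occurrence wins, and audits a file against those expectations. The two sample configurations are constructed temporary files; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): audit an sshd_config for the
# settings section 6 recommends. sshd honours the FIRST occurrence of a
# keyword, so the lookup stops at the first non-comment match.

# sshd_effective FILE KEYWORD: print the effective value (keyword is
# case-insensitive, as in sshd_config)
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 !~ /^#/ && NF >= 2 && tolower($1) == key { print $2; exit }' "$1"
}

# sshd_has_sftp FILE: succeed if a "Subsystem sftp ..." line is configured
sshd_has_sftp() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" { found = 1 }
         END { exit !found }' "$1"
}

# sshd_audit FILE: return 0 when PasswordAuthentication is no,
# PubkeyAuthentication is yes (its default when absent) and SFTP is enabled
sshd_audit() {
    pw=$(sshd_effective "$1" PasswordAuthentication)
    pk=$(sshd_effective "$1" PubkeyAuthentication)
    rc=0
    [ "$pw" = "no" ] || { echo "WARN: PasswordAuthentication is '${pw:-yes}', expected no"; rc=1; }
    [ "${pk:-yes}" = "yes" ] || { echo "WARN: PubkeyAuthentication is '$pk', expected yes"; rc=1; }
    sshd_has_sftp "$1" || { echo "WARN: no 'Subsystem sftp' line found"; rc=1; }
    return $rc
}

# Constructed samples. In WEAK_CFG the first PasswordAuthentication line
# wins, so the later "no" does not take effect - a common misconfiguration.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
printf '%s\n' 'Port 22' 'PasswordAuthentication yes' 'PasswordAuthentication no' \
    'Subsystem sftp internal-sftp' > "$WEAK_CFG"
printf '%s\n' 'Port 22' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' 'Subsystem sftp internal-sftp' > "$HARD_CFG"

sshd_audit "$WEAK_CFG" || echo "weak config rejected"
sshd_audit "$HARD_CFG" && echo "hardened config accepted"
```

Run it against /etc/ssh/sshd_config before restarting sshd; keep an open SSH session while you switch to key-only logins so that a mistake does not lock you out of the instance.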
