Disk Encryption

Securing "data at rest": protecting information stored on disk while it is not in use.

Problems Addressed

1.   Laptops in "steal me" cases
2.   USB thumb drives left in parking garages
3.   Personal financial information that is only used once a month
4.   Sensitive data archives

Problems Not Addressed

1.   Data being actively read or written by an application.
     Relies instead on a trusted computer architecture (permissions, SELinux ...)

2.   Data in motion over a network.
     Relies instead on TLS ...

3.   Keyboard sniffers.
     Relies instead on physical security ...

Two Fundamental Approaches supported in RHEL

1.   dm-crypt: Block Layer Encryption

·         Encrypts an entire volume
·         Implemented via device mapper
·         Presents a virtual plaintext block device backed by a ciphertext block device

2.   eCryptfs: File System Encryption

·         Encrypts individual files
·         Implemented as a layered file system
·         Presents a plaintext file

Block Device Encryption with dm-crypt and LUKS

Block Device Encryption dm-crypt / LUKS

·         Introduced in RHEL 5
·         Requires cryptsetup-luks
·         dm-crypt provides the capability
·         LUKS defines the key management and on disk format

Scenario: Protecting a User Laptop

·        Encrypt the /home partition (/dev/sda5, the partition used in every step below)
·        Leave the installed OS unencrypted


1. Initialize the device with random data: cat /dev/urandom (the copy runs until the partition is full, so the "No space left on device" error is the expected end of the step)

[root@station ~]# cat /dev/urandom > /dev/sda5
cat: write error: No space left on device

2. Format LUKS encryption layer: cryptsetup luksFormat

[root@station ~]# cryptsetup luksFormat /dev/sda5
This will overwrite data on /dev/sda5 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: boltindia
Verify passphrase: boltindia

3. Open the LUKS encryption layer: cryptsetup luksOpen

[root@station ~]# cryptsetup luksOpen /dev/sda5 home_plaintext
Enter passphrase for /dev/sda5: shazbot
# for the curious
[root@station ~]# ls -l /dev/mapper/
total 0
crw-rw----. 1 root root 10, 58 May 4 12:12 control
lrwxrwxrwx. 1 root root 7 May 4 12:40 home_plaintext -> ../dm-0
# for the more curious
[root@station ~]# dmsetup table
home_plaintext: 0 1044480 crypt aes-cbc-essiv:sha256 000...000 0 252:5 4096

4. Format the filesystem: mkfs

[root@station ~]# mkfs.ext4 /dev/mapper/home_plaintext
mke2fs 1.41.12 (17-May-2010)
This filesystem will be automatically checked every 36 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

5. Mount the filesystem: mount (the fstab entry refers to the mapped plaintext device, never to /dev/sda5 itself)

[root@station ~]# grep home /etc/fstab
/dev/mapper/home_plaintext /home ext4 defaults 0 0
[root@station ~]# mount -a
[root@station ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda2             4.0G  1.4G  2.4G  37% /
tmpfs                 246M     0  246M   0% /dev/shm
/dev/sda1             248M   30M  206M  13% /boot
/dev/mapper/home_plaintext
                      494M   11M  459M   3% /home

6. Register the encrypted drive: /etc/crypttab (first field is the mapping name, which must match the /dev/mapper name used in /etc/fstab; second field is the LUKS partition)

[root@station ~]# vi /etc/crypttab
      home_plaintext            /dev/sda5

[root@station ~]# grep home /etc/crypttab
home_plaintext /dev/sda5

[root@station ~]# man crypttab

7. Reboot and confirm: the passphrase prompt appears at boot, and /home is mounted from /dev/mapper/home_plaintext.
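An added consistency check for steps 5 and 6 (example code, not part of the original post): it cross-checks the mapper names that /etc/fstab mounts against the names registered in /etc/crypttab, so a name spelled differently in the two files is caught before the reboot instead of at the boot-time mount. The file paths are parameters (defaulting to the real files) so the check can also be run against copies.

```shell
#!/bin/sh
# Every /dev/mapper/NAME that fstab mounts must have a crypttab entry whose
# first field is NAME; otherwise the mapping is never opened at boot and the
# mount of /home fails.  Returns 0 when all names match, 1 otherwise.
# Usage: check_crypt_mounts [CRYPTTAB] [FSTAB]
check_crypt_mounts() {
    crypttab=${1:-/etc/crypttab}
    fstab=${2:-/etc/fstab}
    rc=0

    # Collect mapper names from the fs_spec (first) field of fstab,
    # stripping the /dev/mapper/ prefix; comment lines never match.
    names=$(awk '$1 ~ /^\/dev\/mapper\// { sub("^/dev/mapper/", "", $1); print $1 }' "$fstab")

    for name in $names; do
        # crypttab fields: name device [keyfile] [options]; match on field 1.
        if awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$crypttab"; then
            echo "ok: /dev/mapper/$name is registered in $crypttab"
        else
            echo "MISSING: /dev/mapper/$name is in $fstab but not in $crypttab"
            rc=1
        fi
    done
    return $rc
}
```

Run it as root on the laptop after editing both files, or point it at saved copies of them.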
