Goal
Securing "Data at Rest": protecting information stored on disk while it is not "in use".
Problems Addressed
1. Laptops in "steal me" cases
2. USB thumb drives left in parking garages
3. Personal financial information only used once a month
4. Sensitive data archives
Problems Not Addressed
1. Data being actively read or written by an application. Relies on the trusted computer architecture (permissions, SELinux, ...).
2. Data in motion over a network. Relies on TLS, ...
3. Keyboard sniffers. Relies on physical security, ...
Two Fundamental Approaches Supported in RHEL
1. dm-crypt: block layer encryption
· Encrypts an entire volume
· Implemented via the device mapper
· Presents a virtual plaintext block device backed by a ciphertext block device
2. eCryptfs: file system encryption
· Encrypts individual files
· Implemented as a layered (stacked) file system
· Presents a plaintext file backed by an encrypted file on the lower file system
Block Device Encryption with dm-crypt and LUKS
· Introduced in RHEL 5
· Requires the cryptsetup-luks package
· dm-crypt provides the encryption capability (a device-mapper target in the kernel)
· LUKS defines the key management (passphrase key slots) and the on-disk format (the header in front of the ciphertext)
Scenario: Protecting a User's Laptop
· Encrypt the /home partition (/dev/sda3)
· Leave the installed OS unencrypted
Demonstration

1. Initialize the device with random data: cat /dev/urandom
   (Filling the partition with random bytes first means an attacker cannot tell how much of the volume holds real data. cat stops with "No space left on device" once the partition is full; that error is expected.)
[root@station ~]# cat /dev/urandom > /dev/sda5
cat: write error: No space left on device

2. Format the LUKS encryption layer: cryptsetup luksFormat
[root@station ~]# cryptsetup luksFormat /dev/sda5

WARNING!
========
This will overwrite data on /dev/sda5 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: boltindia
Verify passphrase: boltindia

3. Open the LUKS encryption layer: cryptsetup luksOpen
[root@station ~]# cryptsetup luksOpen /dev/sda5 home_plaintext
Enter passphrase for /dev/sda5: shazbot

# for the curious
[root@station ~]# ls -l /dev/mapper/
total 0
crw-rw----. 1 root root 10, 58 May  4 12:12 control
lrwxrwxrwx. 1 root root      7 May  4 12:40 home_plaintext -> ../dm-0

# for the more curious: the mapping table shows the cipher (aes-cbc-essiv:sha256), the elided key, and the backing device
[root@station ~]# dmsetup table
home_plaintext: 0 1044480 crypt aes-cbc-essiv:sha256 000...000 0 252:5 4096

4. Format the filesystem: mkfs
[root@station ~]# mkfs.ext4 /dev/mapper/home_plaintext
mke2fs 1.41.12 (17-May-2010)
...
This filesystem will be automatically checked every 36 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

5. Mount the filesystem: mount
   (The fstab entry refers to the plaintext mapping under /dev/mapper, never to the raw /dev/sda5 partition.)
[root@station ~]# grep home /etc/fstab
/dev/mapper/home_plaintext  /home  ext4  defaults  0 0
[root@station ~]# mount -a
[root@station ~]# df -h
Filesystem                  Size  Used Avail Use% Mounted on
/dev/sda2                   4.0G  1.4G  2.4G  37% /
tmpfs                       246M     0  246M   0% /dev/shm
/dev/sda1                   248M   30M  206M  13% /boot
/dev/mapper/home_plaintext  494M   11M  459M   3% /home

6. Register the encrypted device in /etc/crypttab
   (The mapping name must match the one used in /etc/fstab, and the device must be the partition formatted in step 2. With no key file given, the passphrase is requested on the console at boot.)
[root@station ~]# vi /etc/crypttab
home_plaintext /dev/vda5
(ESC, then :wq to save and quit)
[root@station ~]# grep home /etc/crypttab
home_plaintext /dev/vda5
[root@station ~]# man crypttab

7. Reboot and confirm.
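A pre-reboot check for steps 5 and 6, added here as an example and not part of the original post: it cross-checks every /dev/mapper entry in fstab against the mapping names declared in crypttab, using constructed sample files (the post's crypttab line, an fstab carrying a mapping-name typo such as home_paintext, and a corrected one), so a mismatch that would leave /home unmounted at boot is caught before step 7. Assumes POSIX sh, sed and awk; the file paths are parameters, not /etc defaults.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check a crypttab against an
# fstab before rebooting, so a mapping-name typo is caught early.
# check_crypttab_fstab CRYPTTAB FSTAB: prints each problem, returns 1 if any.
check_crypttab_fstab() {
    crypttab=$1
    fstab=$2
    rc=0
    # Every /dev/mapper/NAME mounted by fstab must be a mapping declared in
    # crypttab (first column). Comments are stripped before fields are read.
    for dev in $(sed 's/#.*//' "$fstab" | awk '$1 ~ /^\/dev\/mapper\// {print $1}'); do
        name=${dev#/dev/mapper/}
        if ! sed 's/#.*//' "$crypttab" | awk -v n="$name" '$1 == n {found=1} END {exit !found}'; then
            echo "fstab mounts $dev but $crypttab has no mapping named $name"
            rc=1
        fi
    done
    # Every crypttab entry needs at least a name and a source device (two columns).
    if ! sed 's/#.*//' "$crypttab" | awk 'NF == 1 {print "crypttab entry " $1 " has no source device"; bad=1} END {exit bad+0}'; then
        rc=1
    fi
    return $rc
}

# Constructed sample files (not a real system) written to a temporary directory:
# the crypttab line from the post, one fstab with a typo and one corrected.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/crypttab" <<'EOF'
# <name>        <device>
home_plaintext  /dev/vda5
EOF
cat > "$demo_dir/fstab_bad" <<'EOF'
/dev/vda2                  /      ext4  defaults  1 1
/dev/mapper/home_paintext  /home  ext4  defaults  0 0
EOF
cat > "$demo_dir/fstab_good" <<'EOF'
/dev/vda2                   /      ext4  defaults  1 1
/dev/mapper/home_plaintext  /home  ext4  defaults  0 0
EOF

# Stand-alone run: the first call reports the typo, the second is silent.
check_crypttab_fstab "$demo_dir/crypttab" "$demo_dir/fstab_bad" || echo "fix fstab/crypttab before rebooting"
check_crypttab_fstab "$demo_dir/crypttab" "$demo_dir/fstab_good" && echo "fstab and crypttab agree"
```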