+ Post New Thread
Results 1 to 9 of 9
*nix Thread, Encryption of disk volumes in Technical; Hello All, Right, so with all this stuff around about computer equipment with important data on it being stolen from ...
  1. #1

    dhicks's Avatar
    Join Date
    Aug 2005
    Location
    Knightsbridge
    Posts
    5,772
    Thank Post
    1,308
    Thanked 804 Times in 698 Posts
    Rep Power
    247

    Encryption of disk volumes

    Hello All,

    Right, so with all this stuff around about computer equipment with important data on it being stolen from various government offices, I figure I'd better get our data encrypted.

    Most of our servers are now virtual machines running under Xen. We install CentOS on the physical machine, then use mdadm to create a RAID volume - i.e. we wind up with a single block device (/dev/md0). We then chop that RAID volume up into logical volumes with LVM, so we get a bunch of block devices along the lines of /dev/xenLV/xxx. We then use DRBD to mirror block devices between physical machines, so we might get something like /dev/drbd1 on two machines, both backed by a logical volume on each machine. The Xen virtual machine then runs on top of the DRBD volume.

    So, we have a disk "stack" something like:

    Code:
        Machine 1               Machine 2
    
      Physical Disks          Physical Disks
            |                       |
    RAID with mdadm           RAID with mdadm
            |                       |
           LVM                    LVM
            |                       |
           DRBD - - - - - - - - - DRBD
            |
           Xen
    So, if I understand this right, I can add disk encryption by using dm-crypt on top of DRBD:

    Code:
         Machine 1               Machine 2
    
       Physical Disks          Physical Disks
            |                       |
     RAID with mdadm           RAID with mdadm
            |                       |
            LVM                    LVM
            |                       |
           DRBD - - - - - - - - - DRBD
             |
         dm-crypt
            |
           Xen
    Have I got that about right? So before I can start a virtual machine I have to start the appropriate dm-crypt device by typing a password at the command line or providing an encryption key (like an SSH key kind of thing). The dm-crypt volume will be mirrored accross to the second machine in real-time - if the first physical machine goes down I need to go and start the dm-crypt device on the second physical machine with the password or key.

    Right, so: what happens if someone walks off with a server or two? If dm-crypt uses some kind of encryption key stored on a local drive on each server, what's to stop someone simply using that key to start our servers up? Is a password secure enough - is, say, a 10-character password with words and numbers going to take a suitably long time to break, or is a 128/256/1024/2048-bit key the only thing that's going to be long enough? If a key is the only solution, where do I store the key so that encrypted volumes aren't too much palaver to start but no-one who shouldn't do can get at them?

    --
    David Hicks

  2. #2

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,271
    Thank Post
    884
    Thanked 2,749 Times in 2,322 Posts
    Blog Entries
    11
    Rep Power
    785
    Not sure about the actual implementations as I have not played with these software packages but one thing to consider would be the performance hit. Encrypting and decrypting everything on every virtual machine is going to burn up a lot of CPU time as it must do this with the nonsensitive stuff as well like the OS.

    I would suggest implementing the encryption a couple of levels higher on only the sensitive data. This will give you the security but help to minimize the CPU toll on your servers.

    As to the keys I would use public/private keys 1024bit and have these password protected. I would then think of storing the keys on a micro USB pen drive for each of the people who are allowed to start it and one in the safe.

    You could also possibly put a copy in a secured online storage area that could be accessed in an emergency if you needed to direct someone else that did not have the key to do it over the phone.

    Just random suggestions, hope that they are helpful.

  3. Thanks to SYNACK from:

    dhicks (19th June 2008)

  4. #3
    ICT_GUY's Avatar
    Join Date
    Feb 2007
    Location
    Weymouth
    Posts
    2,276
    Thank Post
    689
    Thanked 283 Times in 204 Posts
    Rep Power
    106
    How much data is considered sensitive? Not a hell of a lot I bet, even as far as the teachers stuff goes, 99% is crud in their user areas 1% might just be considered sensitive.

    The truly sensitive stuff is on the admin network. Besides, encrypting everything is going to cause extra hassle if ever anything ever goes mammary glands up.

  5. #4

    dhicks's Avatar
    Join Date
    Aug 2005
    Location
    Knightsbridge
    Posts
    5,772
    Thank Post
    1,308
    Thanked 804 Times in 698 Posts
    Rep Power
    247
    Quote Originally Posted by SYNACK View Post
    I would suggest implementing the encryption a couple of levels higher on only the sensitive data. This will give you the security but help to minimize the CPU toll on your servers.
    Thanks, excellent point that. Actually, all our VMs use three disk images - OS, data and swap space, so I guess I just need to encrypt the data disk. I'm not sure that CPU time is really such a massive problem these days - our main file server is currently running at a CPU utilisation of 1%, it's disk performance and/or network performance that holds us back.

    I would then think of storing the keys on a micro USB pen drive for each of the people who are allowed to start it and one in the safe.
    Definitely an idea, although it does mean we have to go along to the server cupboard and plug a USB stick in every time we want to start a virtual machine. Did have a thought, though: we could have a small web server sat somewhere on the network, just serving up that encryption key. To start a virtual machine we just need to get the encryption key from the web server each time - easy enough to write a script that does wget key, mount encrypted volume, rm key, start VM.

    "Small" webserver could mean PoE device small enough to be hidden in the roofspace somewhere. Ideally, it needs some kind of self-destruct mechanism so that if it's moved or taken out of the building it's useless... Hmm, have to think about that one...

    --
    David Hicks

  6. #5

    dhicks's Avatar
    Join Date
    Aug 2005
    Location
    Knightsbridge
    Posts
    5,772
    Thank Post
    1,308
    Thanked 804 Times in 698 Posts
    Rep Power
    247
    Quote Originally Posted by ICT_GUY View Post
    How much data is considered sensitive? Not a hell of a lot I bet, even as far as the teachers stuff goes, 99% is crud in their user areas 1% might just be considered sensitive.
    Indeed - but it's sorting the 1% from everything else that's the problem :-) It just strikes me that a lot of the fuss made about "sensitive data" being stolen from various places could well mean a list of names and addresses in a Word file in someone's home directory.

    Besides, encrypting everything is going to cause extra hassle if ever anything ever goes mammary glands up.
    Well, yes, so I'm trying to figure out an encryption system that is robust enough to be able to handle disk crashes / power cuts / server disappearances / fires / etc.

    --
    David Hicks

  7. #6
    ICT_GUY's Avatar
    Join Date
    Feb 2007
    Location
    Weymouth
    Posts
    2,276
    Thank Post
    689
    Thanked 283 Times in 204 Posts
    Rep Power
    106
    They are going to have their work cut out for them at our school, the new rack server weighs in at 27KGs + another 2 KGS for disks and is going to be bolted to the wall and lock up in a secure area. Oh right hot swap bays might make it easier to run off with them doh!

  8. #7

    dhicks's Avatar
    Join Date
    Aug 2005
    Location
    Knightsbridge
    Posts
    5,772
    Thank Post
    1,308
    Thanked 804 Times in 698 Posts
    Rep Power
    247
    Right, so next question: anyone know if I want to get Xen to use a dm-crypt volume as a virtual disk, do I have to use a different keyword thingy in the Xen config file? So, for instance, when Xen uses a DRBD volume I write:

    disk = ['drbd:ACSFILES001,sda1,w']

    or for a standard LVM volume, Xen knows that it's a "physical" volume:

    disk = ['phy:xenVG/ACSFILES001SWAP,sda3,2']

    For a dm-crypt volume do I have to use ['dm-crypt:xxx'] or something, or will "phy" do?

    --
    David Hicks

  9. #8

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,271
    Thank Post
    884
    Thanked 2,749 Times in 2,322 Posts
    Blog Entries
    11
    Rep Power
    785
    Just something to consider, apparently:
    Loop-AES is more secure than dm-crypt (and possibly faster), although it requires a custom kernel module and is more work to install than dm-crypt
    Loop-AES riseup labs

    Edit: Ignore that there is a reason everyone used dm-crypt:
    Loop-AES used to be the only secure option for encrypting linux filesystems, it is also the most stable and mature, and possibly the fastest. All in all, it ought to be the leader of the pack, except for one thing: Through politics and in-fighting the Loop-AES developers have alienated the Linux kernel team, including Linus himself. As a result loop-AES is not supported by the mainline Linux kernel, nor is it supported by the Fedora Core 5 package manager. If you want to run Loop-AES you have to install custom versions of mount, losetup, and the loop.ko kernel module.
    http://www.shimari.com/dm-crypt-on-raid/#why_dmcrypt
    Last edited by SYNACK; 19th June 2008 at 09:25 PM.

  10. #9

    dhicks's Avatar
    Join Date
    Aug 2005
    Location
    Knightsbridge
    Posts
    5,772
    Thank Post
    1,308
    Thanked 804 Times in 698 Posts
    Rep Power
    247
    Quote Originally Posted by SYNACK View Post
    Ignore that there is a reason everyone used dm-crypt:
    I had enough trouble getting DRBD to work alongside Xen - using the CentOS package manager to install one clobbers the kernel needed for the other. In the end I wound up installing DRBD on a separate server and copying the relevant kernel module accross. The idea of recompiling kernels makes me come over all shivery.

    --
    David Hicks



SHARE:
+ Post New Thread

Similar Threads

  1. Powerpoint encryption
    By roty80 in forum Educational Software
    Replies: 0
    Last Post: 6th May 2008, 12:53 PM
  2. USB flash drives with encryption
    By Jobos in forum Hardware
    Replies: 5
    Last Post: 2nd May 2008, 10:46 AM
  3. Data encryption for servers
    By link470 in forum Windows
    Replies: 7
    Last Post: 6th February 2008, 06:48 PM
  4. RM Disk to Disk to Tape Backup Solution
    By Chris in forum General Chat
    Replies: 0
    Last Post: 2nd July 2007, 11:14 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •