Encrypting Volume attached to Virtual Machine
Introduction
Encrypting block storage volumes in a public cloud environment is a critical security measure that offers several benefits. First and foremost, it ensures the confidentiality of the data stored on these volumes. By using encryption, data is transformed into a secure format that can only be read or decrypted by someone who has the corresponding decryption key or passphrase.
Moreover, encryption helps maintain compliance with various regulatory and legal requirements. Many industries are governed by strict data protection regulations, which mandate the use of encryption to protect personal and sensitive data. By encrypting block storage volumes in the cloud, organizations can demonstrate their commitment to following best practices and adhering to these legal requirements, thereby avoiding potential fines and reputational damage.
Tools that we use
- Cryptsetup
- LUKS
LUKS, which stands for Linux Unified Key Setup, is a standard for disk encryption that offers a platform-independent solution for protecting data at rest. It is designed to handle the complexities of cryptographic operations and key management while providing a user-friendly interface. LUKS encrypts entire block devices and is commonly used to secure partitions, external drives, and other forms of storage on Linux systems.
Cryptsetup is a command-line utility that serves as the primary tool for setting up and managing encryption on Linux using LUKS. It provides a straightforward interface for operations such as creating encrypted volumes, opening and closing these volumes (i.e., mounting and unmounting), and changing passphrases or keys. Cryptsetup functions as an interface between the user and the Linux kernel's device-mapper subsystem, which facilitates the actual encryption and decryption of data.
The combination of LUKS and Cryptsetup provides a powerful and widely adopted method for securing data on Linux systems. Through Cryptsetup, users can easily implement industry-standard encryption methodologies, leverage advanced key management features, and ensure their data remains private and secure against unauthorized access. This makes LUKS with Cryptsetup an ideal solution for both individual users and organizations seeking reliable disk encryption tools.
Procedure
Preparation of VM and storage volume
- Create a new instance according to the document:
  How to create new Linux VM in OpenStack Dashboard Horizon on CREODIAS
- Connect to this virtual machine via SSH according to the document:
  How to connect to your virtual machine via SSH in Linux on CREODIAS
- Create a new volume and attach it to the instance, following steps 1 and 2 of the document:
  How to attach a volume to VM more than 2TB on Linux on CREODIAS
  Then finish with step 3 of that document, modified in one detail: when you create the partition in gdisk, before writing the partition table with the "w" command, execute the "c" command and give partition 1 the name "storage". The rest of the procedure below differs from that document.
Preparation of encrypted partition
The entire process is easier to perform from a root shell.
To get one, execute the command: sudo su -
Install the necessary packages:
apt-get install cryptsetup gdisk
Create an encryption key file with random data and set safe attributes:
dd if=/dev/random bs=1 count=64 | base64 > /root/.disk_pass
chmod og-rwx /root/.disk_pass
Remember to copy this file to your local computer with the scp command and store it in a secure tool such as a password manager.
Activate encryption on partition /dev/sdb1:
cryptsetup luksFormat /dev/sdb1 --key-file /root/.disk_pass
Get the UUID of the encrypted partition:
DISK_UUID=$(blkid | grep "TYPE=\"crypto_LUKS\" PARTLABEL=\"storage\"" | awk '{ print $2}' | awk -F '"' '{ print $2}')
Add an entry for this partition to the crypttab file (mapping name "storage", the device identified by its UUID, the key file, and the luks option):
echo "storage UUID=$DISK_UUID /root/.disk_pass luks" >> /etc/crypttab
Encrypted volumes defined in the crypttab file may be automatically managed by the cryptsetup systemd service. However, remember that they are not auto-discovered; you have to activate the new entry with the following set of commands:
systemctl daemon-reload
update-initramfs -u
systemctl start systemd-cryptsetup@storage.service
The activated service should open the encrypted partition and create a pseudo device for accessing data. To see this, execute the command:
lsblk
You will see lines like these in the output for /dev/sdb:
sdb           8:16   0   4G  0 disk
└─sdb1        8:17   0   4G  0 part
  └─storage 253:0    0   4G  0 crypt
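As an added example (not part of this CREODIAS procedure), the following POSIX shell functions build the crypttab entry that the service above relies on: one extracts the LUKS UUID from blkid output by matching key=value tokens rather than their order, one formats the entry, and one checks that the key file still has the restrictive mode set earlier. The sample blkid line and its UUIDs are constructed.

```shell
#!/bin/sh
# Added example, not part of the CREODIAS procedure: build the crypttab entry
# for the LUKS partition labelled "storage" from blkid output, and check the
# key file's mode. Uses a constructed blkid line so it runs without a volume.

# Constructed sample of what `blkid` prints for the encrypted partition.
SAMPLE_BLKID='/dev/sdb1: UUID="6a1f0c2e-0000-4000-8000-0123456789ab" TYPE="crypto_LUKS" PARTLABEL="storage" PARTUUID="11111111-2222-3333-4444-555555555555"'

# Print the UUID of the crypto_LUKS device whose PARTLABEL equals $2, reading
# blkid output from $1. Tokens are matched by name, so the order in which
# blkid prints them does not matter (a grep on the full string would).
luks_uuid_for_label() {
    printf '%s\n' "$1" | awk -v want="$2" '
        {
            uuid = ""; type = ""; label = ""
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                gsub(/"/, "", kv[2])
                if (kv[1] == "UUID")      uuid  = kv[2]
                if (kv[1] == "TYPE")      type  = kv[2]
                if (kv[1] == "PARTLABEL") label = kv[2]
            }
            if (type == "crypto_LUKS" && label == want) { print uuid; exit }
        }'
}

# Format one /etc/crypttab line: mapping name, device by UUID, key file, options.
crypttab_entry() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# Succeed only if the key file exists and is readable by its owner alone
# (mode 600 or 400, which is what chmod og-rwx leaves on a 0644/0444 file).
keyfile_mode_ok() {
    [ -f "$1" ] || return 1
    case "$(stat -c %a "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Real use on the VM (as root), after luksFormat and the key file step:
#   UUID=$(luks_uuid_for_label "$(blkid)" storage)
#   keyfile_mode_ok /root/.disk_pass && crypttab_entry storage "$UUID" /root/.disk_pass >> /etc/crypttab
```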
Configuring and mounting encrypted partition
Now create a filesystem on the opened device.
Note that by convention cryptsetup exposes it as the symbolic link "/dev/mapper/storage", which points to the device-mapper node (here "/dev/dm-0"):
mkfs.ext4 /dev/mapper/storage
Prepare the mount point:
mkdir /mnt/storage
chown eouser:eouser /mnt/storage
Now please add an entry to the fstab file to have the filesystem mounted during boot:
echo "/dev/mapper/storage /mnt/storage ext4 defaults 0 1" >> /etc/fstab
Mount the encrypted partition using the fstab entry:
mount /mnt/storage
Give default eouser rights for data:
chown eouser:eouser /mnt/storage
You probably noticed that there is no need to provide a secret when we mount, because we use a fixed key file.
SECURITY NOTE
Storing an encryption key on the instance filesystem may be considered unsafe, but it is enough to demonstrate the encryption process.
If the above solution with a locally stored key looks unsafe, it may be improved by fetching the key from a vault service or, as in the next section, by providing the passphrase manually during each mount.
Using a manually provided passphrase
Modify two points in the procedure above:
Activate encryption on partition /dev/sdb1. You will be prompted twice to provide the passphrase:
cryptsetup luksFormat /dev/sdb1
SECURITY NOTE
This passphrase has to be a strong password saved in a reliable password manager.
If you lose it, the data will be lost.
If it is captured, you lose your confidential data.
Open the encrypted partition.
This time, and any other time the encrypted partition is opened by starting the cryptsetup service, you will have to provide this passphrase.
Start the cryptsetup service:
systemctl start systemd-cryptsetup@storage.service
Summary
Those are the basics for volume encryption. Starting from this point, you may do research and improve the procedure with things like:
- Improving security using keys saved on other volumes or received from some digital vault.
- Automating the entire process to be able to provision infrastructure with encrypted volumes.
Author: Mateusz Ślaski, Sales Support Engineer, CloudFerro