Encrypting the file system above the hypervisor is a way to secure data at rest and to provide assurance that others can't access the data. This article demonstrates some technologies and applications you can use to encrypt data inside guest images on SmartCloud Enterprise. It shows how to encrypt a storage unit (persistent storage) and how to encrypt the home directory. This article steps you through these scenarios:
- Encrypt a storage unit on Linux using dm-crypt. dm-crypt is a transparent disk encryption subsystem in the Linux kernel. It is a device mapper that provides transparent encryption of block devices. A filesystem can be used on top of dm-crypt transparently, and even raw data types can use it.
- Encrypt a storage unit on Windows® Server using the Windows Encrypting File System (EFS). Windows EFS can encrypt data transparently per file, per directory, or per drive. As such it is also applicable to persistent storage and can be used to encrypt data inside directories in a Windows image.
- Encrypt a home directory on Linux using Enterprise Cryptographic Filesystem (eCryptfs). eCryptfs works on top of the filesystem, which allows you to encrypt data specifically in your home directory. This is an added benefit since SmartCloud Enterprise doesn't have a facility to encrypt the boot volume. Encrypting a home directory provides reasonable security to cover that gap.
Before you begin, note that with most encryption technologies, if you lose your encryption key and encryption is enabled, the data is essentially lost. Please be careful.
Encrypt a storage unit
Let's start with storage unit encryption. On both Linux and Windows, the basic steps to set up storage-unit encryption include:
- Install file system encryption tools.
- Prepare the target storage unit.
- Encrypt the storage unit.
- Format the new file system on the encrypted storage unit.
- Mount the encrypted file system for usage.
Encrypt a storage unit using dm-crypt on Red Hat and SUSE
Let's walk through the steps to encrypt a persistent storage unit attached to a Linux virtual machine running on SmartCloud Enterprise. dm-crypt supports all file systems that Linux supports, including RAW types, with the exception of network file systems. A list of supported ciphers for dm-crypt is located under /proc/ciphers. Advanced Encryption Standard (AES) is preferred.
The steps are the same on both Red Hat Enterprise Linux and SUSE Linux Enterprise Server. Storage units are attached during instance provisioning on the SmartCloud Enterprise console. The default mount point is /data.
- Most of the commands require root privileges, so launch a root shell.
$ sudo sh
- Install the dm-crypt utilities. This should be a part of the basic image already.
$ yum install cryptsetup cryptsetup-luks
- You need to know the name of the storage unit you want to encrypt. Find it by checking your /etc/fstab file for the partition mounted at /data or at the custom mount point you specified at instance creation. In our example, the name of the storage unit is /dev/vdc1.
$ cat /etc/fstab
/dev/vdc1 /data ext3 defaults 0 0
- Prepare the attached storage unit for encryption. We recommend that you perform a secure erase of the drive before you encrypt it, and then you must unmount the storage unit. Note that this method of secure delete won't be compliant in many high-privacy organizations; you should consider alternate methods before the storage device is used.
$ cat /dev/urandom > /dev/vdc1
$ umount /data
$ chmod 000 /data
- Initialize the Linux Unified Key Setup (LUKS) formatting on the storage device using the cryptsetup command provided by the cryptsetup package installed in step 2. You are prompted to enter a passphrase that you must remember. Note that a LUKS format will destroy all data on the target.
$ /sbin/cryptsetup luksFormat /dev/vdc1
WARNING!
========
This will overwrite data on /dev/vdc1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
- Use the cryptsetup command to open the encrypted storage device. The first argument after luksOpen is the name of the encrypted storage unit. The second argument is the name you want to assign to the opened device. You are prompted to enter the passphrase you specified in step 4.
$ /sbin/cryptsetup luksOpen /dev/vdc1 crypt-vdc1
Enter LUKS passphrase for /dev/vdc1:
key slot 0 unlocked.
Command successful.
- Format the file system to make it usable. You need to reference the name you specified in step 5.
$ /sbin/mkfs.ext3 /dev/mapper/crypt-vdc1
- Mount your newly encrypted storage unit and securely store your data at rest. In this example, mount it at the original mount point /data.
$ mount /dev/mapper/crypt-vdc1 /data
- Remember to unmount the storage unit and close the encrypted device when you aren't using your encrypted data.
$ umount /data
$ /sbin/cryptsetup luksClose crypt-vdc1
You can open and mount it again with the cryptsetup luksOpen and mount commands from steps 5 and 7.
What if you want to delete the instance your storage device is attached to and then re-attach the storage device to a new instance? You can open and mount the encrypted device on the new instance with the same luksOpen and mount commands as above, using the same device name (/dev/vdc1).
To delete your encrypted partition and restore your storage device to original, while it's opened and mounted, run the following commands:
$ /sbin/cryptsetup remove crypt-vdc1
$ /sbin/mkfs.ext3 /dev/vdc1
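The open/mount and unmount/close pairs from steps 5 to 8 are what you repeat every time the unit is re-attached, so here is a small helper for that, added here as an example and not part of the original article. It checks the current state before each privileged command so it can be rerun safely, refuses to touch a device that carries no LUKS header (the only "fix" for that would be luksFormat, which destroys the data), and with DRY_RUN=1 (an assumption of this example) prints the commands instead of executing them; the device, mapping name and mount point default to the article's /dev/vdc1, crypt-vdc1 and /data.

```shell
#!/bin/sh
# Added helper (not from the original article): open+mount or unmount+close a
# LUKS-formatted storage unit, checking state first so it can be rerun.
# Needs root, except with DRY_RUN=1, which only prints the privileged commands.
DEVICE="${DEVICE:-/dev/vdc1}"        # storage unit found in /etc/fstab (step 3)
NAME="${NAME:-crypt-vdc1}"           # mapping name given to luksOpen (step 5)
MOUNTPOINT="${MOUNTPOINT:-/data}"    # original mount point (step 7)

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The mapping device exists once luksOpen has succeeded.
is_open() { [ -e "/dev/mapper/$NAME" ]; }

# Look the mount point up in the kernel's mount table.
is_mounted() { grep -q " $MOUNTPOINT " /proc/mounts 2>/dev/null; }

open_unit() {
    # Refuse anything without a LUKS header rather than risk a reformat.
    run /sbin/cryptsetup isLuks "$DEVICE" || {
        echo "$DEVICE does not carry a LUKS header; not touching it" >&2
        return 1
    }
    is_open    || run /sbin/cryptsetup luksOpen "$DEVICE" "$NAME" || return 1
    is_mounted || run mount "/dev/mapper/$NAME" "$MOUNTPOINT"
}

close_unit() {
    # Order matters: unmount first, otherwise luksClose reports the device busy.
    is_mounted && { run umount "$MOUNTPOINT" || return 1; }
    is_open    && run /sbin/cryptsetup luksClose "$NAME"
    return 0
}

case "${1:-}" in
    open)  open_unit ;;
    close) close_unit ;;
    "")    ;;                                  # sourced: functions only
    *)     echo "usage: $0 open|close" >&2; exit 2 ;;
esac
```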
Encrypt a storage unit on Windows Server
Windows Server supports file system encryption natively, so after you provision a Windows instance in SmartCloud Enterprise, you don't have to install any additional encryption tools. The Windows Encrypting File System (EFS) works slightly differently from file system encryption on Linux.
Windows EFS is not directly related to BitLocker. BitLocker is Windows' whole-drive encryption product, which is licensed in Windows 7 Enterprise and Windows 7 Ultimate, as well as in all versions of Windows Server 2008. EFS doesn't have any special licensing requirements.
In Windows, you can encrypt a directory so that only you can access it. When you specify a directory to be encrypted, Windows generates a key that will automatically decrypt the directory when you log in. You can export your key to share with other users if necessary.
The default encryption algorithm used by EFS is AES with a 256 bit key.
New persistent storage units attached to Windows instances are uninitialized, and so you must initialize and format them before encrypted files can be stored on them.
- Open the Server Manager. In the left navigation tree, under Storage, select Disk Management.
- If the attached persistent storage unit is new and hasn't been initialized by another instance, it appears as an unknown and offline disk, as shown in Figure 1. Right-click on the disk name, and select Online.
Figure 1. Selecting the storage to initialize
- Right-click the disk name again and select Initialize. Leave the default options and confirm the initialization.
- To format the disk, right-click the unallocated disk to the right of the disk name, and select New Simple Volume.
Once your persistent storage unit is formatted and ready for use, follow these steps:
- Open it in Windows Explorer and create a new folder in it for storing encrypted data.
- Right-click the folder and select Properties, and then click the Advanced button on the General tab.
- At the bottom of the Advanced Attributes window is an option called "Encrypt contents to secure data". Check this option, click OK, and then click Apply to enable encryption of the folder.
Figure 2. Encrypting the folder
Any data in the encrypted folder is encrypted when you log out of Windows, when the instance is stopped, or when the volume is unmounted.
- Windows stores the encryption key in its local key manager, and you will likely see a notification prompting you to back up your encryption key, as shown in Figure 3. You should consider backing up your encryption key and storing it securely on another device.
Figure 3. Reminder to back up your encryption key
Notice that the name of your encrypted folder now displays as green in Windows Explorer. This indicates the folder is encrypted.
Figure 4. Encrypted folder displayed in green
- To test your new encrypted folder, create a new text document inside the folder and add some text to it. Now log out of your current user, and log into Windows as another user. If you attempt to open the encrypted text document as a user other than the user who encrypted it, you should get an access denied error.
For more information on Windows Encrypting File System and managing your encryption keys, refer to the Microsoft documentation (see Resources.)
Encrypt a home directory on Linux
Next, learn how to use eCryptfs to encrypt data under /home/<users>. SmartCloud Enterprise doesn't support boot volume encryption, but you can still encrypt all the data in your home directory even though the rest of the image is in the clear. You should do this in conjunction with encrypting any persistent disks using dm-crypt, as previously discussed.
eCryptfs currently supports the following ciphers:
AES is the preferred cipher.
The basic steps to set up home directory encryption on Linux include:
- Backup your home directory.
- Prepare the eCryptfs directory structure.
- Mount the encrypted directory.
Encrypt your home directory on Red Hat Enterprise Linux
- Most of the commands require root privileges, so launch a root shell.
$ sudo sh
- Before you can install eCryptfs, you must configure Red Hat Update Infrastructure on SmartCloud Enterprise. (See Resources.)
- Once you've configured an update repository on your server, install eCryptfs and load the module. The modprobe command is contained in the /sbin directory and is not on the path by default.
$ yum install ecryptfs-utils
$ /sbin/modprobe ecryptfs
- If you have any current data in your home directory, back it up before proceeding. Replace idcuser with your username.
$ mv /home/idcuser /home/idcuser.old
$ mkdir -m 700 /home/idcuser
$ chown idcuser:idcuser /home/idcuser
$ /usr/sbin/usermod -d /home/idcuser.old idcuser
- Log out and log back into the system. Now you must prepare the directory structure to support file system encryption. This example uses a two-layer directory structure in which all of your encrypted data is stored in a directory called .Private, which is mounted on top of your home directory when you want to access it. Again, remember to replace idcuser with your username. If you logged out, remember to launch a root shell.
$ sudo sh
$ mkdir -p /home/.ecryptfs/idcuser/.Private
$ chmod 755 /home/.ecryptfs
$ chmod -R 700 /home/.ecryptfs/idcuser
$ chown -R idcuser:idcuser /home/.ecryptfs/idcuser
$ ln -s /home/.ecryptfs/idcuser/.Private /home/idcuser/.Private
$ chmod 500 /home/idcuser
The /home/.ecryptfs directory is the encrypted equivalent of the /home directory. It stores the encrypted data of all users and is owned by root. Each user has their own directory under /home/.ecryptfs that stores their encrypted data, for example /home/.ecryptfs/idcuser/.Private. Users can then mount this directory over their home directory to access their encrypted files.
- In order to mount eCryptfs, you need a kernel keychain session. On SmartCloud Enterprise Red Hat images, this isn't automatically created for you when you log in, so you need to do it manually with the keyctl command. You might want to automate this step by adding it to your login script.
$ keyctl session
- Mount your eCryptfs directory over your home directory.
$ mount -t ecryptfs /home/idcuser/.Private /home/idcuser
- If this is the first time you are mounting this directory, eCryptfs asks several questions about how you want to set it up. For details about these options, see the eCryptfs readme file on Sourceforge (see Resources). Here are the options we used:
Select key type to use for newly created files:
 1) tspi
 2) openssl
 3) passphrase
Selection: 3
Passphrase:
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: 4
Select key bytes:
 1) 16
 2) 32
Selection : 2
Enable plaintext passthrough (y/n) [n]: y
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_passthrough
  ecryptfs_key_bytes=32
  ecryptfs_cipher=twofish
  ecryptfs_sig=1848e1d7b8a187fc
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key before.
This could mean that you have typed your passphrase wrong.
Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [1848e1d7b8a187fc] to [/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_passthrough
  ecryptfs_key_bytes=32
  ecryptfs_cipher=twofish
  ecryptfs_sig=1848e1d7b8a187fc
Mounted eCryptfs
Remember to use a very secure passphrase and don't lose it, as it is the key to all of your data.
- The previous command creates a new entry in your /etc/mtab file. You can retrieve it with the following command.
$ grep "ecryptfs" /etc/mtab
It should look something like this:
/home/.ecryptfs/idcuser/.Private /home/idcuser ecryptfs rw,ecryptfs_sig=1848e1d7b8a187fc,ecryptfs_cipher=twofish,ecryptfs_key_bytes=32,ecryptfs_passthrough,ecryptfs_unlink_sigs 0 0
- Add the user option just before rw, and then append the line to your /etc/fstab file so that it looks like this:
/home/.ecryptfs/idcuser/.Private /home/idcuser ecryptfs user,rw,ecryptfs_sig=1848e1d7b8a187fc,ecryptfs_cipher=twofish,ecryptfs_key_bytes=32,ecryptfs_passthrough,ecryptfs_unlink_sigs 0 0
- Unmount the directory so that the user can mount it without root privileges.
$ umount /home/idcuser
- Log out of the system and log back in as your user account, or just exit the root shell. To mount your encrypted directory, you need a keychain session, so run the keyctl command described earlier. You also need to add the passphrase you specified earlier to the keychain using this command:
$ ecryptfs-manager
eCryptfs key management menu
-------------------------------
1. Add passphrase key to keyring
2. Add public key to keyring
3. Generate new public/private keypair
4. Exit
Make selection: 1
Mount-wide passphrase:
Confirm passphrase:
Using the default salt value
Added key to keyring with signature [1848e1d7b8a187fc].
- You can now mount your encrypted directory over your home directory using this command:
$ mount -i /home/idcuser
While this directory is mounted, you are able to write files to it and use it as normal. When you unmount it, it becomes inaccessible encrypted data. Now is a good time to restore your backed up home directory to your new encrypted home directory.
- To secure your home directory, unmount it and delete the passphrase from your keychain.
$ umount /home/idcuser
$ keyctl clear @u
- Various data is leaked to your swap space during application use, so if you're encrypting a home directory, you should also encrypt your swap partition. To do that, follow the approach in the section Encrypt a Storage unit, described earlier in this article.
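Steps 10, 11 and 13 hinge on one detail: the fstab entry you build from the mtab line must keep the ecryptfs_sig that the first mount printed, and the key you later add with ecryptfs-manager must report that same signature, or mount -i cannot find the key. The helper below, added here as an example and not part of the original article, turns the mtab line into the fstab line with the user option, refusing lines that are not eCryptfs mounts or carry no signature, extracts the signature, and checks it against a sig-cache.txt file; the sample line is constructed to match the article's entry.

```shell
#!/bin/sh
# Added example (not from the original article): build and validate the
# eCryptfs fstab entry and check its key signature against the sig cache.

# $1: one line as printed by "grep ecryptfs /etc/mtab". Prints the fstab line
# with "user" inserted in front of the options (so the user can mount without
# root). Exit status 1 if the line is not an eCryptfs mount, 2 if it has no
# ecryptfs_sig (mount -i could never match a key to it).
ecryptfs_fstab_line() {
    printf '%s\n' "$1" | awk '
        NF < 4 || $3 != "ecryptfs"                 { exit 1 }
        $4 !~ /(^|,)ecryptfs_sig=[0-9a-f]+(,|$)/   { exit 2 }
        $4 !~ /(^|,)user(,|$)/                     { $4 = "user," $4 }
        { print $1, $2, $3, $4, ($5 == "" ? 0 : $5), ($6 == "" ? 0 : $6) }'
}

# $1: an mtab or fstab line. Prints the hex key signature from its options.
ecryptfs_sig_of() {
    printf '%s\n' "$1" | sed -n 's/.*ecryptfs_sig=\([0-9a-f]*\).*/\1/p'
}

# $1: signature, $2: path of a sig-cache.txt (one signature per line).
# Succeeds only if the signature is listed, i.e. the passphrase added with
# ecryptfs-manager is the one this entry was created with.
sig_in_cache() {
    grep -qxF "$1" "$2" 2>/dev/null
}

# Constructed sample, matching the article's mtab entry.
SAMPLE_MTAB_LINE='/home/.ecryptfs/idcuser/.Private /home/idcuser ecryptfs rw,ecryptfs_sig=1848e1d7b8a187fc,ecryptfs_cipher=twofish,ecryptfs_key_bytes=32,ecryptfs_passthrough,ecryptfs_unlink_sigs 0 0'
```

On a real system the same functions apply to live data, for example `ecryptfs_fstab_line "$(grep ecryptfs /etc/mtab)" >> /etc/fstab` followed by `sig_in_cache "$(ecryptfs_sig_of "$line")" ~/.ecryptfs/sig-cache.txt`.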
Encrypt your home directory on SUSE Linux Enterprise Server
To encrypt your home directory (or any other directory) on SUSE Linux Enterprise Server, the steps are the same as for Red Hat, with one difference: To install eCryptfs on SUSE, use this command:
$ yast -i ecryptfs-utils
We've been describing ways to encrypt data at rest inside guest images on SmartCloud Enterprise. There are some limitations:
- When an image is running, the encryption keys are stored in memory. Other vulnerabilities in the running instance might allow those encryption keys or other data to be exposed. Other security configuration and patch management is still required.
- eCryptfs, dm-crypt, and Windows EFS don't support hidden encryption containers. Hidden containers may offer some advantage in hiding data in the event that forensics are being run against the instance.
- The instance must be running before encryption keys can be entered, and so the entire boot volume can't be encrypted with the approach described in this article.
Use strong passphrases
Since these technologies use an encryption key based on a passphrase, you should use strong passphrase complexity rules. As a guideline, a passphrase should:
- Be at least 16 characters in length, when supported by the technology.
- Contain a mix of alphabetic and non-alphabetic characters (numbers, punctuation or special characters) or a mix of at least two types of non-alphabetic characters.
- Not contain a user ID as part of the passphrase.
It's important to secure data in guest images on SmartCloud Enterprise. This article demonstrated the steps to encrypt a storage unit on Linux using dm-crypt, and on Windows using Windows EFS. It also showed how to encrypt a home directory on Linux using eCryptfs.
The authors thank Andrew Jones and Neil Readshaw for editing the original version of this article.
Resources
- See the presentation On Disk Encryption with Red Hat Enterprise Linux, given by Red Hat at JBoss World Summit.
- You can learn more about eCryptfs from these sources:
- Also on Arch Linux, read an article about setting up full system encryption using dm-crypt with LUKS.
- If you have SmartCloud Enterprise, you can access the instructions for Configuration for Red Hat Update Infrastructure.
- For more information on Windows Encrypting File System and managing your encryption keys, refer to the Microsoft documentation.