Above the hypervisor: File system encryption on SmartCloud Enterprise

Share this post:

If your job description requires you to store sensitive information of any sort on your work laptop or desktop computer, chances are your company security policy requires you to keep your fixed or removable disk storage encrypted. And if you’re particularly worried about the privacy of the data on your personal computer, for example your bank records, you might even keep your personal computer encrypted. But have you thought about encrypting your instances in a public cloud?

With cloud vendors focusing more and more on public cloud security, businesses are starting to see public cloud infrastructure as a viable resource for running sensitive or regulated workloads. And as more sensitive information makes its way to the cloud, encryption becomes essential. Many encryption products made for personal computers encrypt your entire hard drive and require you to enter a password before the system starts.  That doesn’t translate well to a cloud environment because it would require a cloud provider to expose their hypervisors, which is clearly not good security practice.

Instead, this post shows you how to achieve the next best thing – encrypted partitions above the hypervisor.

IBM SmartCloud Enterprise, like most other cloud providers, allows you to attach a persistent storage device to your running instances in the cloud. These storage devices are ideal candidates for encrypting and storing private data, because they are not deleted when you delete an instance. So let’s go ahead and encrypt one.

First, we’ll need to provision a Linux instance and attach some storage to it, as shown in the following figure. This example demonstrates encryption only on Linux instances; however I cover Windows instances in a future post.

When the instance starts, the persistent storage device will be mounted as the partition /data. The system will assign this partition a name, which we can discover by looking at our /etc/fstab file.

$ cat /etc/fstab/dev/vdc1    /data    ext3    defaults    0 0

The name of our storage device is /dev/vdc1, and we’ll need to remember this for later. Next, we need to install some encryption software from IBM SmartCloud Enterprise’s local yum repository. The tool we need is called encryptfs, and it can be installed from the command line as shown in the next example (you’ll need to be the root user to perform this task so be sure to elevate your permissions beforehand).

$ yum install encryptfs-utils$ /sbin/modprobe ecryptfs

Now, we need to prepare the attached storage unit for encryption. This simply involves unmounting the device and modifying the mount point permissions.

$ umount /data$ chmod 000 /data

The next step is to initialize our soon to be encrypted partition. We use the cryptsetup command to do this, which is contained in the encryptfs-utils package we just installed. This command prompts you to enter an encryption passphrase, which you need to remember if you ever want to access your data again.

$ /sbin/cryptsetup luksFormat /dev/vdc1



This will overwrite data on /dev/vdc1 irrevocably.


Are you sure? (Type uppercase yes): YES

Enter LUKS passphrase:

Verify passphrase:

Command successful.

The previous command encrypted our storage device, now we need to open it so we can use it. Opening the encrypted device requires us to enter the passphrase we used to encrypt it. The first argument of this command is the name of the encrypted device, and the second argument is any name you want to assign to the opened device.

$ /sbin/cryptsetup luksOpen /dev/vdc1 crypt-vdc1Enter LUKS passphrase for /dev/vdc1:

key slot 0 unlocked.

Command successful.

Now, we have a raw encrypted partition to play with, but before we can store anything meaningful on it, we need to format the partition. Note that the name used in this command is the name we chose in the previous step.

$ /sbin/mkfs.ext3 /dev/mapper/crypt-vdc1

And that’s all there is to it! Now you can store anything you want under /data and feel all warm and fuzzy because your data is encrypted. Just remember to close the partition when you’re not using it like so:

$ umount /data$ /sbin/cryptsetup luksClose crypt-vdc1

This command ensures that no one can mount your encrypted partition without providing your secret passphrase. But therein lies the biggest caveat to this approach – while your partition is open, anyone with access to your instance can read the encrypted data, just as anyone can read the data on your encrypted laptop while it is running. It is also worth noting that this approach does not encrypt your swap space, which is used by many applications to store temporary data. Swap space encryption requires several extra steps, which I’ll make sure to provide in a future article.

This example was developed with Red Hat Enterprise Linux in mind, and also works on SUSE Enterprise Linux Server. The same encryption approach can easily be achieved on Windows, and you can look forward to an example of it on this blog in the not too distant future.

More stories

Why we added new map tools to Netcool

I had the opportunity to visit a number of telecommunications clients using IBM Netcool over the last year. We frequently discussed the benefits of have a geographically mapped view of topology. Not just because it was nice “eye candy” in the Network Operations Center (NOC), but because it gives an important geographically-based view of network […]

Continue reading

How to streamline continuous delivery through better auditing

IT managers, does this sound familiar? Just when everything is running smoothly, you encounter the release management process in place for upgrading business applications in the production environment. You get an error notification in one of the workflows running the release management process. It can be especially frustrating when the error is coming from the […]

Continue reading

Want to see the latest from WebSphere Liberty? Join our webcast

We just released the latest release of WebSphere Liberty, It includes many new enhancements to its security, database management and overall performance. Interested in what’s new? Join our webcast on January 11, 2017. Why? Read on. I used to take time to reflect on the year behind me as the calendar year closed out, […]

Continue reading