If your job description requires you to store sensitive information of any sort on your work laptop or desktop computer, chances are your company security policy requires you to keep your fixed or removable disk storage encrypted. And if you’re particularly worried about the privacy of the data on your personal computer, for example your bank records, you might even keep your personal computer encrypted. But have you thought about encrypting your instances in a public cloud?
With cloud vendors focusing more and more on public cloud security, businesses are starting to see public cloud infrastructure as a viable resource for running sensitive or regulated workloads. And as more sensitive information makes its way to the cloud, encryption becomes essential. Many encryption products made for personal computers encrypt your entire hard drive and require you to enter a password before the system starts. That doesn’t translate well to a cloud environment because it would require a cloud provider to expose their hypervisors, which is clearly not good security practice.
Instead, this post shows you how to achieve the next best thing – encrypted partitions above the hypervisor.
IBM SmartCloud Enterprise, like most other cloud providers, allows you to attach a persistent storage device to your running instances in the cloud. These storage devices are ideal candidates for encrypting and storing private data, because they are not deleted when you delete an instance. So let’s go ahead and encrypt one.
First, we’ll need to provision a Linux instance and attach some storage to it, as shown in the following figure. This example demonstrates encryption only on Linux instances; however, I will cover Windows instances in a future post.
When the instance starts, the persistent storage device will be mounted as the partition /data. The system will assign this partition a name, which we can discover by looking at our /etc/fstab file.
$ cat /etc/fstab
/dev/vdc1 /data ext3 defaults 0 0
The name of our storage device is /dev/vdc1, and we’ll need to remember this for later. Next, we need to install some encryption software from IBM SmartCloud Enterprise’s local yum repository. The tool we need is called ecryptfs, and it can be installed from the command line as shown in the next example (you’ll need to be the root user to perform this task, so be sure to elevate your permissions beforehand).
$ yum install ecryptfs-utils
$ /sbin/modprobe ecryptfs
Now, we need to prepare the attached storage unit for encryption. This simply involves unmounting the device and modifying the mount point permissions.
$ umount /data
$ chmod 000 /data
The next step is to initialize our soon-to-be-encrypted partition. We use the cryptsetup command to do this, which is contained in the ecryptfs-utils package we just installed. This command prompts you to enter an encryption passphrase, which you need to remember if you ever want to access your data again.
$ /sbin/cryptsetup luksFormat /dev/vdc1
This will overwrite data on /dev/vdc1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
The previous command encrypted our storage device. Now we need to open it so we can use it. Opening the encrypted device requires us to enter the passphrase we used to encrypt it. The first argument of this command is the name of the encrypted device, and the second argument is any name you want to assign to the opened device.
$ /sbin/cryptsetup luksOpen /dev/vdc1 crypt-vdc1
Enter LUKS passphrase for /dev/vdc1:
key slot 0 unlocked.
Now, we have a raw encrypted partition to play with, but before we can store anything meaningful on it, we need to format the partition. Note that the name used in this command is the name we chose in the previous step.
$ /sbin/mkfs.ext3 /dev/mapper/crypt-vdc1
And that’s all there is to it! Now you can store anything you want under /data and feel all warm and fuzzy because your data is encrypted. Just remember to close the partition when you’re not using it like so:
$ umount /data
$ /sbin/cryptsetup luksClose crypt-vdc1
This command ensures that no one can mount your encrypted partition without providing your secret passphrase. But therein lies the biggest caveat to this approach – while your partition is open, anyone with access to your instance can read the encrypted data, just as anyone can read the data on your encrypted laptop while it is running. It is also worth noting that this approach does not encrypt your swap space, which is used by many applications to store temporary data. Swap space encryption requires several extra steps, which I’ll make sure to provide in a future article.
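A check to run before writing sensitive data, as an added example that is not part of the original post: it reports whether /data is currently backed by the crypt-vdc1 mapping rather than the raw device or the bare mount-point directory, and whether /etc/fstab still lists /dev/vdc1 directly. The function names are hypothetical, and it assumes the opened volume was mounted at /data by its /dev/mapper/crypt-vdc1 path.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# backing_state MOUNTPOINT MAPPING [MOUNTS_FILE]
# Prints "encrypted", "unmounted", or "plaintext:<source device>".
# Assumption: the volume was mounted by its /dev/mapper/<name> path, so that
# is the source string reported in /proc/mounts.
backing_state() {
    awk -v mp="$1" -v want="/dev/mapper/$2" '
        $2 == mp { src = $1 }            # later lines shadow earlier mounts
        END {
            if (src == "")        print "unmounted"
            else if (src == want) print "encrypted"
            else                  print "plaintext:" src
        }' "${3:-/proc/mounts}"
}

# stale_fstab DEVICE [FSTAB_FILE]
# Prints fstab lines that still mount the raw (now LUKS-formatted) device
# directly. Returns 0 if any were found, 1 otherwise.
stale_fstab() {
    awk -v dev="$1" '
        $1 ~ /^#/ { next }               # skip comment lines
        $1 == dev { print; found = 1 }
        END { exit(found ? 0 : 1) }' "${2:-/etc/fstab}"
}

# check_volume MOUNTPOINT MAPPING DEVICE [MOUNTS_FILE] [FSTAB_FILE]
# Returns 0 only when the mount point is backed by the mapping and fstab
# has no leftover entry for the raw device.
check_volume() {
    state=$(backing_state "$1" "$2" "${4:-/proc/mounts}")
    rc=0
    if [ "$state" != "encrypted" ]; then
        echo "$1: $state (expected /dev/mapper/$2)" >&2
        rc=1
    fi
    if stale_fstab "$3" "${5:-/etc/fstab}" >/dev/null; then
        echo "fstab still references $3 directly" >&2
        rc=1
    fi
    return $rc
}
```

On the instance itself, `check_volume /data crypt-vdc1 /dev/vdc1` reads the live /proc/mounts and /etc/fstab; a non-zero exit means anything written under /data would not land on the encrypted mapping, or the next boot would try to mount the LUKS device as plain ext3.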
This example was developed with Red Hat Enterprise Linux in mind, and also works on SUSE Enterprise Linux Server. The same encryption approach can easily be achieved on Windows, and you can look forward to an example of it on this blog in the not too distant future.