Above the hypervisor: File system encryption on SmartCloud Enterprise


If your job description requires you to store sensitive information of any sort on your work laptop or desktop computer, chances are your company security policy requires you to keep your fixed or removable disk storage encrypted. And if you’re particularly worried about the privacy of the data on your personal computer, for example your bank records, you might even keep your personal computer encrypted. But have you thought about encrypting your instances in a public cloud?

With cloud vendors focusing more and more on public cloud security, businesses are starting to see public cloud infrastructure as a viable resource for running sensitive or regulated workloads. And as more sensitive information makes its way to the cloud, encryption becomes essential. Many encryption products made for personal computers encrypt your entire hard drive and require you to enter a password before the system starts.  That doesn’t translate well to a cloud environment because it would require a cloud provider to expose their hypervisors, which is clearly not good security practice.

Instead, this post shows you how to achieve the next best thing – encrypted partitions above the hypervisor.

IBM SmartCloud Enterprise, like most other cloud providers, allows you to attach a persistent storage device to your running instances in the cloud. These storage devices are ideal candidates for encrypting and storing private data, because they are not deleted when you delete an instance. So let’s go ahead and encrypt one.

First, we’ll need to provision a Linux instance and attach some storage to it, as shown in the following figure. This example demonstrates encryption only on Linux instances; however, I will cover Windows instances in a future post.

When the instance starts, the persistent storage device will be mounted as the partition /data. The system will assign this partition a name, which we can discover by looking at our /etc/fstab file.

$ cat /etc/fstab
/dev/vdc1    /data    ext3    defaults    0 0

The name of our storage device is /dev/vdc1, and we’ll need to remember this for later. Next, we need to install some encryption software from IBM SmartCloud Enterprise’s local yum repository. The tool we need is called ecryptfs, and it can be installed from the command line as shown in the next example (you’ll need to be the root user to perform this task, so be sure to elevate your permissions beforehand).

$ yum install ecryptfs-utils
$ /sbin/modprobe ecryptfs

Now, we need to prepare the attached storage unit for encryption. This simply involves unmounting the device and modifying the mount point permissions.

$ umount /data
$ chmod 000 /data

The next step is to initialize our soon-to-be-encrypted partition. We use the cryptsetup command to do this, which is contained in the ecryptfs-utils package we just installed. This command prompts you to enter an encryption passphrase, which you need to remember if you ever want to access your data again.

$ /sbin/cryptsetup luksFormat /dev/vdc1

This will overwrite data on /dev/vdc1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

The previous command encrypted our storage device; now we need to open it so we can use it. Opening the encrypted device requires us to enter the passphrase we used to encrypt it. The first argument of this command is the name of the encrypted device, and the second argument is any name you want to assign to the opened device.

$ /sbin/cryptsetup luksOpen /dev/vdc1 crypt-vdc1
Enter LUKS passphrase for /dev/vdc1:
key slot 0 unlocked.
Command successful.

Now, we have a raw encrypted partition to play with, but before we can store anything meaningful on it, we need to format the partition. Note that the name used in this command is the name we chose in the previous step.

$ /sbin/mkfs.ext3 /dev/mapper/crypt-vdc1

And that’s all there is to it! Now you can store anything you want under /data and feel all warm and fuzzy because your data is encrypted. Just remember to close the partition when you’re not using it like so:

$ umount /data
$ /sbin/cryptsetup luksClose crypt-vdc1

This command ensures that no one can mount your encrypted partition without providing your secret passphrase. But therein lies the biggest caveat to this approach – while your partition is open, anyone with access to your instance can read the encrypted data, just as anyone can read the data on your encrypted laptop while it is running. It is also worth noting that this approach does not encrypt your swap space, which is used by many applications to store temporary data. Swap space encryption requires several extra steps, which I’ll make sure to provide in a future article.
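The open and close cycle from the steps above as one script, added here as an example and not code from the original post. It also runs the mount of /dev/mapper/crypt-vdc1 on /data, a step the post does not list but which has to happen before files written under /data land on the encrypted device. The function names, the DRY_RUN switch and the FSTAB/MOUNTS overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example: open/close cycle for the LUKS volume set up in this post.
# DRY_RUN=1 prints the commands instead of running them (no root needed).
# FSTAB and MOUNTS can be pointed at sample files to exercise the lookups.
FSTAB=${FSTAB:-/etc/fstab}
MOUNTS=${MOUNTS:-/proc/mounts}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Print the device that fstab assigns to a mount point (comments skipped).
fstab_device() {
    awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { print $1; exit }' "$FSTAB"
}

# Succeed if something is currently mounted on the given mount point.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "$MOUNTS"
}

# Unlock the device (cryptsetup prompts for the passphrase), then mount
# the mapped device, not the raw one, on the mount point.
open_volume() {   # usage: open_volume <mountpoint> <mapper-name>
    local mp=$1 name=$2 dev
    dev=$(fstab_device "$mp") || return 1
    [ -n "$dev" ] || { echo "no fstab entry for $mp" >&2; return 1; }
    if is_mounted "$mp"; then echo "$mp is already mounted" >&2; return 1; fi
    run /sbin/cryptsetup luksOpen "$dev" "$name" || return 1
    run mount "/dev/mapper/$name" "$mp"
}

# Unmount and remove the mapping so the passphrase is required again.
close_volume() {  # usage: close_volume <mountpoint> <mapper-name>
    local mp=$1 name=$2
    if is_mounted "$mp"; then run umount "$mp" || return 1; fi
    run /sbin/cryptsetup luksClose "$name" || return 1
    # If the mapping still exists, the decrypted device is still readable.
    [ ! -e "/dev/mapper/$name" ]
}
```

Run as root, open_volume /data crypt-vdc1 unlocks and mounts the volume and close_volume /data crypt-vdc1 locks it again; with DRY_RUN=1 both only print the commands they would run.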

This example was developed with Red Hat Enterprise Linux in mind, and also works on SUSE Enterprise Linux Server. The same encryption approach can easily be achieved on Windows, and you can look forward to an example of it on this blog in the not too distant future.

Stephen Viselli

About Stephen Viselli

Steve works in the IBM Gold Coast development lab in Australia, which has its own cloud used internally for development and testing on multiple platforms. He works on the Tivoli Federated Identity Manager product and is heavily involved in implementing open standards to support cloud security. Follow him on Twitter @SteveViselli.

One Response to Above the hypervisor: File system encryption on SmartCloud Enterprise

  1. Jonathan says:

    I guess the encryption only makes sense. Any decent online document storage system should automatically come with one to make securing files easier.
