On Disk Encryption with Red Hat Enterprise Linux




Author:    Bowe Strickland, Curriculum Manager
Contact:   bowe@redhat.com
Copyright: Copyright 2011, Red Hat, Inc. All rights reserved.
URL:       http://people.redhat.com/~bowe/summit/2011/tot/on_disk_encryption

Contents

- On Disk Encryption
  - Goal
  - Problems Addressed
  - Problems Not Addressed
  - Two Fundamental Approaches supported in RHEL
- Block Device Encryption with dm-crypt and LUKS
  - Block Device Encryption: dm-crypt / LUKS
  - Scenario: Protecting a User Laptop
  - Demonstration
- ecryptfs
  - ecryptfs Filesystem
  - Scenario: Creating a Private Directory
  - Demonstration
  - Creating Private Directories for end users
  - Procedure
- Labs
  - Encrypting the /home partition
  - Creating an encrypted ~/Private directory

On Disk Encryption

Goal

Securing "Data at Rest": protecting information stored on disk when it is not "in use".

Problems Addressed

- Laptops in "steal me" cases
- USB thumb drives left in parking garages
- Personal financial information only used once a month
- Sensitive data archives

Problems Not Addressed

- Data being actively read or written by an application
  - Relies on trusted computer architecture (permissions, SELinux, ...)
- Data in motion over a network
  - Relies on TLS, ...
- Keyboard sniffers
  - Relies on physical security ...

Two Fundamental Approaches supported in RHEL

- dm-crypt: Block Layer Encryption
  - Encrypts an entire volume
  - Implemented via device mapper
  - Presents a virtual plaintext block device backed by a ciphertext block device
- ecryptfs: File System Encryption
  - Encrypts individual files
  - Implemented as a layered file system
  - Presents a plaintext file

Block Device Encryption with dm-crypt and LUKS

Block Device Encryption: dm-crypt / LUKS

- Introduced in RHEL 5
- Requires cryptsetup-luks
- dm-crypt provides the capability
- LUKS defines the key management and the on-disk format

Scenario: Protecting a User Laptop

- Encrypt the /home partition (/dev/sda3)
- Leave the installed OS unencrypted

Demonstration

1. Initialize the device with random data: cat /dev/urandom

    [root@station ~]# cat /dev/urandom > /dev/sda5
    cat: write error: No space left on device

   (The write error is expected: cat stops once the whole device has been filled.)

2. Format the LUKS encryption layer: cryptsetup luksFormat

    [root@station ~]# cryptsetup luksFormat /dev/sda5

    WARNING!
    ========
    This will overwrite data on /dev/sda5 irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase: shazbot
    Verify passphrase: shazbot

3. Open the LUKS encryption layer: cryptsetup luksOpen

    [root@station ~]# cryptsetup luksOpen /dev/sda5 home_plaintext
    Enter passphrase for /dev/sda5: shazbot

    # for the curious
    [root@station ~]# ls -l /dev/mapper/
    total 0
    crw-rw----. 1 root root 10, 58 May  4 12:12 control
    lrwxrwxrwx. 1 root root      7 May  4 12:40 home_plaintext -> ../dm-0

    # for the more curious
    [root@station ~]# dmsetup table
    home_plaintext: 0 1044480 crypt aes-cbc-essiv:sha256 000...000 0 252:5 4096

4. Format the filesystem: mkfs

    [root@station ~]# mkfs.ext4 /dev/mapper/home_plaintext
    mke2fs 1.41.12 (17-May-2010)
    ...
    This filesystem will be automatically checked every 36 mounts or
    180 days, whichever comes first.  Use tune2fs -c or -i to override.

5. Mount the filesystem: mount

    [root@station ~]# grep home /etc/fstab
    /dev/mapper/home_plaintext /home ext4 defaults 0 0
    [root@station ~]# mount -a
    [root@station ~]# df -h
    Filesystem                  Size  Used Avail Use% Mounted on
    /dev/sda2                   4.0G  1.4G  2.4G  37% /
    tmpfs                       246M     0  246M   0% /dev/shm
    /dev/sda1                   248M   30M  206M  13% /boot
    /dev/mapper/home_plaintext  494M   11M  459M   3% /home

6. Register the encrypted device: /etc/crypttab

    [root@station ~]# man crypttab
    [root@station ~]# grep home /etc/crypttab
    home_plaintext /dev/sda5

   The first field is the mapper name (it becomes /dev/mapper/home_plaintext), the second is the ciphertext device; the passphrase is prompted for at boot.

7. Reboot and confirm.

ecryptfs

ecryptfs Filesystem

- Introduced in RHEL 6
- Requires ecryptfs-utils
- FEK: File Encryption Key (one per file)
- FEKEK: File Encryption Key Encryption Key (one per mount)
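A check for the registration done in steps 5 and 6 above (and repeated in the /home lab): the mapper name in /etc/crypttab must be the one /etc/fstab mounts, and the live dmsetup table should show a LUKS-style crypt mapping. This is an added example, not part of the slides; the three inputs are constructed samples modelled on the page's own lines, and the fstab entry deliberately carries the "home_paintext" typo from the slides so the check has something to report.

```python
# Constructed samples modelled on the demonstration's output.
CRYPTTAB = "home_plaintext /dev/sda5\n"
FSTAB = ("/dev/sda2 / ext4 defaults 1 1\n"
         "/dev/mapper/home_paintext /home ext4 defaults 0 0\n")
# 'dmsetup table' field order for the crypt target:
#   name: start length crypt cipher key iv_offset backing_device offset
DM_TABLE = "home_plaintext: 0 1044480 crypt aes-cbc-essiv:sha256 000...000 0 252:5 4096\n"

def parse_crypttab(text):
    """Map mapper name -> (ciphertext device, key file, options)."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        keyfile = f[2] if len(f) > 2 else "none"
        options = f[3].split(",") if len(f) > 3 else []
        entries[f[0]] = (f[1], keyfile, options)
    return entries

def mapper_mounts(text):
    """Map mapper name -> mountpoint for every /dev/mapper/<name> fstab line."""
    prefix, mounts = "/dev/mapper/", {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 2 and f[0].startswith(prefix):
            mounts[f[0][len(prefix):]] = f[1]
    return mounts

def parse_dm_crypt_table(line):
    """Return the crypt-target fields of one 'dmsetup table' line, or None."""
    name, _, rest = line.partition(":")   # first colon ends the mapper name
    f = rest.split()
    if len(f) < 8 or f[2] != "crypt":
        return None
    # f[4] is the key field; on a real system it is secret, never log it.
    return {"name": name, "sectors": int(f[1]), "cipher": f[3],
            "backing": f[6], "offset_sectors": int(f[7])}

def audit(crypttab_text, fstab_text, table_lines):
    """Return findings as strings; an empty list means the three views agree."""
    findings, crypt, mounts = [], parse_crypttab(crypttab_text), mapper_mounts(fstab_text)
    tables = {t["name"]: t for t in map(parse_dm_crypt_table, table_lines) if t}
    for name, mnt in mounts.items():
        if name not in crypt:
            findings.append(f"fstab mounts /dev/mapper/{name} on {mnt}, "
                            f"but crypttab never creates '{name}'")
    for name, (dev, keyfile, _) in crypt.items():
        if name not in mounts:
            findings.append(f"crypttab opens '{name}' from {dev}, but fstab never mounts it")
        if keyfile != "none":
            findings.append(f"'{name}' unlocks with key file {keyfile}; guard it like the data")
    for name, t in tables.items():
        if not t["cipher"].startswith("aes-"):
            findings.append(f"active mapping '{name}' uses {t['cipher']}, not AES")
        if t["offset_sectors"] == 0:
            findings.append(f"'{name}' starts at sector 0: plain dm-crypt, no LUKS header")
    return findings

if __name__ == "__main__":
    for finding in audit(CRYPTTAB, FSTAB, [DM_TABLE]):
        print("FINDING:", finding)
```

On a real host feed it the contents of /etc/crypttab, /etc/fstab and the lines of `dmsetup table`; the 4096-sector offset is the data start after the LUKS header, which is what distinguishes the mapping from a header-less plain dm-crypt device.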

Scenario: Creating a Private Directory

- Create a directory ~/Private whose contents are encrypted
- Files outside of ~/Private are plaintext

Demonstration

1. Ensure the software is installed: yum

    [root@station ~]# yum install -y ecryptfs-utils gettext
    Loaded plugins: refresh-packagekit, rhnplugin
    ...
    Installed:
      ecryptfs-utils.x86_64 0:82-6.el6
    Dependency Installed:
      cvs.x86_64 0:1.11.23-11.el6       libgomp.x86_64 0:4.4.4-13.el6
      gettext.x86_64 0:0.17-16.el6      keyutils.x86_64 0:1.4-1.el6
      trousers.x86_64 0:0.3.4-4.el6
    Complete!

2. Create a lower and an upper directory: ~/.Private, ~/Private

    [root@station ~]# mkdir -m 700 ~/.Private
    [root@station ~]# mkdir -m 500 ~/Private

3. Mount the upper directory for the first time: mount -t ecryptfs

    [root@station ~]# mount -t ecryptfs .Private Private
    Select key type to use for newly created files:
     1) openssl
     2) passphrase
     3) tspi
    Selection: 2
    Passphrase:

    Select cipher:
     1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
     2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
     3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
     4) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
     5) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
    Selection [aes]:
    Select key bytes:
     1) 16
     2) 32
     3) 24
    Selection [16]:
    Enable plaintext passthrough (y/n) [n]:
    Enable filename encryption (y/n) [n]:
    Attempting to mount with the following options:
      ecryptfs_unlink_sigs
      ecryptfs_key_bytes=16
      ecryptfs_cipher=aes
      ecryptfs_sig=be9b09a528a8651c
    WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
    it looks like you have never mounted with this key
    before. This could mean that you have typed your
    passphrase wrong.

    Would you like to proceed with the mount (yes/no)? : yes
    Would you like to append sig [be9b09a528a8651c] to
    [/root/.ecryptfs/sig-cache.txt]
    in order to avoid this warning in the future (yes/no)? : yes
    Successfully appended new sig to user sig cache file
    Mounted ecryptfs

4. Try it out:

    [root@station ~]# cal 1752 > ~/Private/weird_year.txt
    [root@station ~]# cat ~/Private/weird_year.txt
                                   1752
           January               February               March
    Su Mo Tu We Th Fr Sa   Su Mo Tu We Th Fr Sa   Su Mo Tu We Th Fr Sa
              1  2  3  4                      1    1  2  3  4  5  6  7
     5  6  7  8  9 10 11    2  3  4  5  6  7  8    8  9 10 11 12 13 14
    ...
            July                 August              September
    Su Mo Tu We Th Fr Sa   Su Mo Tu We Th Fr Sa   Su Mo Tu We Th Fr Sa
              1  2  3  4                      1          1  2 14 15 16
     5  6  7  8  9 10 11    2  3  4  5  6  7  8   17 18 19 20 21 22 23
    12 13 14 15 16 17 18    9 10 11 12 13 14 15   24 25 26 27 28 29 30
    19 20 21 22 23 24 25   16 17 18 19 20 21 22
    26 27 28 29 30 31      23 24 25 26 27 28 29
                           30 31
    ...
    [root@station ~]# cat ~/.Private/weird_year.txt
    (... binary ciphertext ...)

5. Unmount the upper filesystem:

    [root@station ~]# umount ~/Private

6. Access the filesystem again:

    [root@station ~]# mount -t ecryptfs .Private Private
    Select key type to use for newly created files:
     1) tspi
     2) passphrase
     3) openssl
    Selection: 2
    Passphrase:
    Select cipher:
     1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
     2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
     3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
     4) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
     5) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
    Selection [aes]:
    Select key bytes:
     1) 16
     2) 32
     3) 24
    Selection [16]:
    Enable plaintext passthrough (y/n) [n]:
    Enable filename encryption (y/n) [n]:
    Attempting to mount with the following options:
      ecryptfs_unlink_sigs
      ecryptfs_key_bytes=16
      ecryptfs_cipher=aes
      ecryptfs_sig=0b1460fdbe4ce020
    Mounted ecryptfs

Creating Private Directories for end users

- ecryptfs-utils provides convenience scripts
  - ecryptfs-setup-private
  - ecryptfs-mount-private
  - ecryptfs-umount-private
- Provides several conveniences
  - Elevates privilege for mounting and unmounting
    - Requires membership in the group ecryptfs
  - Wraps the FEKEK passphrase with the login passphrase

Procedure

1. Ensure the user is a member of the group ecryptfs:

    # -a appends ecryptfs to the user's existing supplementary groups
    [root@station ~]# usermod -aG ecryptfs prince
    [root@station ~]# id prince
    uid=501(prince) gid=501(prince) groups=501(prince),489(ecryptfs)

2. Set up the private directory: ecryptfs-setup-private

    [prince@station ~]$ ecryptfs-setup-private
    Enter your login passphrase:
    Enter your mount passphrase [leave blank to generate one]:

    ************************************************************************
    YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
      ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
    THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
    ************************************************************************

    Done configuring.

    Testing mount/write/umount/read...
    Testing succeeded.

    Logout, and log back in to begin using your encrypted directory.

3. Examine the unmounted directory:

    [prince@station ~]$ ls Private/
    Access-Your-Private-Data.desktop  README.txt
    [prince@station ~]$ cat Private/README.txt
    THIS DIRECTORY HAS BEEN UNMOUNTED TO PROTECT YOUR DATA.

    From the graphical desktop, click on:
     "Access Your Private Data"

    or

    From the command line, run:
     ecryptfs-mount-private

4. Mount the private directory: ecryptfs-mount-private

    [prince@station ~]$ ecryptfs-mount-private
    Enter your login passphrase:
    Inserted auth tok with sig [cfa25b7ea56bf148] into the user session keyring

5. Use the upper directory:

    [prince@station ~]$ ls Private/
    [prince@station ~]$ cal > Private/calendar.txt
    [prince@station ~]$ head -3 Private/calendar.txt
          May 2011
    Su Mo Tu We Th Fr Sa
     1  2  3  4  5  6  7

6. Examine the lower directory:

    [prince@station ~]$ ls ~/.Private/
    ECRYPTFS_FNEK_ENCRYPTED.FWal9veJf-KsekRSh8hEpQYK4fIgutwbjEoEBPttMaVSU5yrvxCvvzs0uu--
    [prince@station ~]$ head -3 ~/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWal9veJf-KsekRSh8hEpQYK4fIgutwbjEoEBPttMaVSU5yrvxCvvzs0uu--
    (... encrypted ciphertext ...)

   (ecryptfs-setup-private enables filename encryption, so the lower directory hides the file names as well as their contents.)

7. When finished, unmount the private directory: ecryptfs-umount-private

    [prince@station ~]$ ecryptfs-umount-private
    [prince@station ~]$ ls Private/
    Access-Your-Private-Data.desktop  README.txt

Labs

Encrypting the /home partition

1. Log in to your station as root.

2. Preserve the contents of your /home partition by archiving it to the /tmp directory:

    [root@station ~]# rsync -av /home /tmp

3. Unmount the existing /home partition:

    [root@station ~]# umount /home

4. In practice, you should initialize the device with random data. For the purposes of this lab, this time-consuming step can be skipped:

    # you may omit this step
    [root@station ~]# cat /dev/urandom > /dev/vol0/home

5. Initialize the LUKS formatting on the block device. When prompted, provide a password of your choosing, but do not forget the password:

    [root@station ~]# cryptsetup luksFormat /dev/vol0/home

6. Open the initialized device, using home_plaintext as the name of the manufactured plaintext interface:

    [root@station ~]# cryptsetup luksOpen /dev/vol0/home home_plaintext

7. Create an ext4 filesystem:

    [root@station ~]# mkfs.ext4 /dev/mapper/home_plaintext

8. Create an /etc/fstab entry which mounts the /dev/mapper/home_plaintext interface on the /home mountpoint:

    [root@station ~]# grep home /etc/fstab
    /dev/mapper/home_plaintext /home ext4 defaults 0 0

9. Mount the partition, using the /etc/fstab entry to ensure correctness:

    [root@station ~]# mount -a

10. Restore the original data to the /home partition:

    [root@station ~]# rsync -av /tmp/home/ /home

11. In order to automatically open the encrypted device on bootup, add the following entry to the /etc/crypttab file:

    [root@station ~]# grep home /etc/crypttab
    home_plaintext /dev/vol0/home

12. Reboot your station to confirm a clean reboot.

Creating an encrypted ~/Private directory

1. Log in to your station as the user student.

2. Open a terminal, and su to the root account:

    [student@station ~]$ su -
    [root@station ~]#

3. Install the ecryptfs-utils and gettext packages:

    [root@station ~]# yum install -y ecryptfs-utils gettext

4. Add the user student to the ecryptfs group, and exit:

    # -a appends ecryptfs to the user's existing supplementary groups
    [root@station ~]# usermod -aG ecryptfs student
    [root@station ~]# id student
    [root@station ~]# exit
    [student@station ~]$

5. As the user student, run the command ecryptfs-setup-private. Authenticate with your login password, and accept the defaults for all remaining questions:

    [student@station ~]$ ecryptfs-setup-private

6. The newly created ~/Private directory can be mounted with ecryptfs-mount-private and unmounted with ecryptfs-umount-private.

7. Copy files into the mounted directory, and observe their ciphertext equivalents in ~/.Private.

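A runnable model of the key hierarchy from the ecryptfs section (one FEK per file, one FEKEK per mount, an 8-byte sig identifying the FEKEK, and the sig-cache check behind the "never mounted with this key before" warning). This is an added example, not ecryptfs code: the PBKDF2 derivation, the HMAC-SHA256 counter-mode wrapping and the header layout are simplified stand-ins for ecryptfs's own formats, and "shazbot" is the passphrase from the demonstration.

```python
import hashlib, hmac, os

def derive_fekek(passphrase: str, salt: bytes = b"demo-salt") -> bytes:
    # Stand-in for ecryptfs's passphrase stretching (assumed, not its algorithm).
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, 65536, 32)

def key_sig(key: bytes) -> str:
    # 8-byte identifier of a key, the same shape as ecryptfs_sig=be9b09a528a8651c
    return hashlib.sha512(key).hexdigest()[:16]

def sig_cache_check(sig: str, cache_text: str) -> bool:
    # True if sig is already in sig-cache.txt; False is the warning condition,
    # usually a mistyped passphrase that would create a second, different key.
    return sig in cache_text.split()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a PRF stream that is fine for a demo only.
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                   for i in range((n + 31) // 32))
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_file(fekek: bytes, plaintext: bytes) -> bytes:
    # A fresh FEK per file is wrapped under the mount's FEKEK and stored in the
    # header next to the FEKEK sig; the body is encrypted under the FEK.
    fek, nonce = os.urandom(32), os.urandom(16)
    wrapped = _xor(fek, _keystream(fekek, nonce, 32))
    body = _xor(plaintext, _keystream(fek, nonce, len(plaintext)))
    header = key_sig(fekek).encode() + nonce + wrapped          # 16 + 16 + 32 bytes
    tag = hmac.new(fekek, header + body, "sha256").digest()     # integrity over all
    return header + tag + body

def decrypt_file(fekek: bytes, blob: bytes) -> bytes:
    sig, nonce, wrapped = blob[:16], blob[16:32], blob[32:64]
    tag, body = blob[64:96], blob[96:]
    if sig.decode() != key_sig(fekek):
        raise ValueError("file was written under a different mount key (sig mismatch)")
    if not hmac.compare_digest(tag, hmac.new(fekek, blob[:64] + body, "sha256").digest()):
        raise ValueError("header or ciphertext has been altered")
    fek = _xor(wrapped, _keystream(fekek, nonce, 32))
    return _xor(body, _keystream(fek, nonce, len(body)))

if __name__ == "__main__":
    k = derive_fekek("shazbot")
    print("sig:", key_sig(k), "cached:", sig_cache_check(key_sig(k), ""))
    print(decrypt_file(k, encrypt_file(k, b"1752 was a weird year")))
```

Two passphrases that differ by one character yield different sigs, so a file written under the first cannot be opened under the second; that is the situation the sig-cache warning exists to catch before any file is written.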