For sensitive information being stored in the cloud outside your direct control, it is critical to encrypt your data at rest. Full disk encryption helps to protect you against unauthorized indivuduals mounting your volume without a key.
It should be noted that LUKS encryption will not protect your data when it is mounted and viewable by your server. A malicious user could in theory break into your server and traverse to that mount point.
When writing this guide, I am using the following thought process when implementing LUKS on my Cloud Block Storage volume:
– No keys are to be stored on the server. This is for security purposes since your keys shouldn’t be stored on the server. Would you tape the keys to your Porche on the hood? No. The same logic applies here.
– The volume will not be mounted at boot. This is to prevent the server from stopping the boot process for you to enter in the key. Please note that if the server reboots, you will have to manually log in, mount the volume, and type the passphase for the volume before the system can use it again!
This example is going to be specific for CentOS 6.
1. Create your Cloud Block Storage Volumes
In this instance, I am going to be using 2x 100G volumes which are already mounted on my server, and will be setting them up in a RAID 1 configuration.
yum install mdadm cryptsetup-luks cryptsetup-luks-devel mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/xvdb /dev/xvdd
Now confirm the RAID is rebuilding itself by typing:
mdadm --detail /dev/md0
2. Now its time to setup LUKS. This will format your volume, so use caution.
cryptsetup luksFormat /dev/md0
Confirm the contents of the message, then type ‘YES’ in uppercase letters. Then enter a very secure passphrase, and store it somewhere safe. Never store the key on your server!
3. You can verify the results of the encryption process by typing the following:
cryptsetup luksDump /dev/md0
4. Time to mount the encrypted volume and give it a name:
cryptsetup luksOpen /dev/md0 mysecurevolume
5. Finally, lets put a filesystem on it and mount:
mkfs.ext4 /dev/mapper/mysecurevolume mkdir /opt/mysecurevolume mount /dev/mapper/mysecurevolume /opt/mysecurevolume
6. You can check the status to ensure its encrypted by typing:
cryptsetup status mysecurevolume
7. Now disable automount so your server won’t hang on boot waiting for the passphrase:
vi /etc/grub.conf # Append the following at the end of all the kernel lines rd_NO_LUKS
And your done!
To manually mount the volume after a reboot:
cryptsetup luksOpen /dev/md0 mysecurevolume mount /dev/mapper/mysecurevolume /opt/mysecurevolume
To manually umount the volume, type:
umount /dev/mapper/mysecurevolume cryptsetup luksClose mysecurevolume
Remember, full disk encryption utilizing LUKS is only one part of a defense in depth strategy. No security management system is perfect, but each layer you add will help increase your solutions security footprint.