In my previous article, we saw how to encrypt server disks on Windows Operating systems. In this second part, we will see how to encrypt Linux disks. Encrypting your data can be achieved in two ways – Filesystem stacked level encryption and Block device level encryption.
The former is a way to encrypt individual files or directories and this is encrypted by the file system itself. This is achieved by using a stackable cryptographic filesystem that resides on top of the base file system which does not use its own block allocation etc, but could use a directory within the base file system. The other approach is a general-purpose encryption which does not generally encrypt system metadata but the file content is encrypted. By system metadata, I am referring to file names, sizes, modification date-time stamps
Block device level encryption is full disk encryption which encrypts everything on the disk though in many cases, the master boot record (MBR) or a similar area of a bootable disk is unencrypted allowing for the system to load up and prompt the user for a password or key. Encryption is provided in a transparent manner by encrypting and decrypting data on-the-fly. This requires access to the device drivers and usually such software are installed by the administrator.
It is possible to use both forms of encryption on a disk to provide greater level of security.
Full Disk Encryption
VeraCrypt
This is a tool available to both Windows & Linux users and offers full disk encryption at no cost. Available as a single tar file (suitable for all flavors), download and follow the steps to install the tool. Since we are looking to install this via console, we will use the scripts that end with *-setup-console-x64 (or *-setup-console-x86 for 32 bit OSes)
The installation is automated and you will be able to use VeraCrypt from your command line. Please note that the CLI reference page of the publisher (at https://www.veracrypt.fr/en/Command%20Line%20Usage.html) is focused towards Windows, you can easily use the same commands by replacing the / with a –. For e.g. /create is substituted as –create.
Loop-AES
A fast and transparent file system and swap encryption package for Linux. Doesn’t require any changes to the Linux Kernel. Supports 5.x, 4.x, 3.x, 2.6, 2.4, 2.2 and 2.0 kernels.
Loop devices are block devices that do not store any data directly but loop all reads and writes to underlying block device or file, possibly encrypting and decrypting data in the process. Normally you don’t write to a loop device directly, but set up a file system on it. The file system will then read from and write to loop device. As mentioned in the name, AES encryption is used and data is encrypted and decrypted in 512 byte chains.
Loop devices guarantee data privacy, but do not guarantee that the ciphertext is not modified. Admins need to ensure that the encrypted data and tools used to access encrypted data are not trojaned or tampered with.
LUKS
LUKS or Linux Unified Key Setup is considered the standard for Linux Disk Encryption. It uses a standard on-disk-format facilitating compatibility among distributions, and also provides secure management of multiple user passwords. LUKS stores all necessary setup information in the partition header, enabling to transport or migrate data seamlessly.
LUKS is based on the DMCrypt kernel module. Data is stored in an encrypted LUKS container. It is possible to encrypt the entire disk using LUKS and then use the disk as physical volume and make it part of a volume group which will contain as much logical volumes as we will need, each for every partition we want.
It is possible to install & encrypt your disk using any of the above mentioned encryption methods using a tool called Cryptsetup. Download & instructions are available at https://gitlab.com/cryptsetup/cryptsetup/
Filesystem stacked Encryption
NCryptfs
This is a new stackable encryption that supports multiple concurrent ciphers (software and hardware ciphers) and authentication methods, separate per-user name spaces, ad-hoc groups, challenge-response authentication, and transparent process suspension and resumption based on key validity. According to the developers, the overhead due to installing NCryptfs and encrypting data is minimal and no performance impacts are observed.
A feature of this tool is that there is advanced security provided by a modification to the kernel. The kernel notifies NCryptfs that a process has died, so that associated cleartext pages are flushed out of memory.
You can use a variety of encryption methods such as Blowfish or AES in CFB mode. File data and file names are encrypted in different ways.
eCryptFS
eCryptfs is a cryptographic stacked Linux filesystem. eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts; the file will be decrypted with the proper key in the Linux kernel keyring. There is no need to keep track of any additional information aside from what is already in the encrypted file itself. You may think of eCryptfs as a sort of “gnupgfs”, or “gnupg as a filesystem”.
EncFS
EncFS provides an encrypted filesystem in user-space. It runs with regular user permissions using the FUSE (Filesystem in User Space) library.
One of the reasons to use Filesystem Stacked Encryption is that you unlike block system encryption, you can expand the size of the stacked encryption FS based on actual data. Automatic backups are easier, as the backup software will recognize that the file has changed (even though it cannot actually read the contents). Finally, data is encrypted and remains that way until you need it.
Conclusion
Having looked at the various encryption options, it must be stressed that disk encryption is part of the entire security plan for your server. You must also ensure that other pieces such as network security, user-based access controls are setup.
