We see the headlines all the time: "Company X Loses 30,000,000 Customer Social Security Numbers and Other Intimately Personal and Financial Data! Haha, Boy Are Our Faces Red!" And it always turns out to be some "contractor" (notice how it's never an employee) who had the entire wad on a laptop with (seemingly) a terabyte hard drive, which was then lost or stolen, but nobody is quite sure where or when. Or it's a giant box of backup tapes that was being transported by a vendor, who apparently cannot afford a vehicle with locking doors. To me it sounds pretty darned lame, even surreal; why in the heck do contractors get all that sensitive data in the first place, and why do they need the world's databases on their laptops? Why are giant boxes of sensitive backup tapes being carted around by some minimum-wage kid in a beatermobile? How come they never quite know what data is missing, and if it was encrypted or protected in any way?
So many questions, so few answers. Today let us focus on the issue of protecting sensitive data on hard drives with encrypted file systems. This is for your mobile users and anyone who needs extra data security on workstations and servers. We're going to use cryptsetup-luks because it is easy and it is strong. We will create an encrypted partition that requires a passphrase only at mount time. Then you can use it just like any other partition.
Debian, Ubuntu, and Fedora all come ready to run cryptsetup-luks. You won't need to hack kernels or anything; just install it. On Debian and the Buntu family:
# aptitude install cryptsetup
# yum install cryptsetup-luks
Preparing Your System
Unfortunately cryptsetup cannot encrypt your existing data; you must create an encrypted partition, then move your data to it. The easy way to manage your partitions is with GParted. GParted (the Gnome Partition editor) is available on all the major Linux distributions, and is a nice graphical front-end to fdisk, mkfs, and other filesystem utilities. With GParted you can resize, move, delete and create partitions, and format them with your favorite filesystem. It supports all the partition types and filesystems supported by your kernel, so you can even use it on Windows partitions on your dual-boot boxes. You can use the GParted live CD on new empty hard drives.
We're just going to encrypt data partitions. There are ways to encrypt other filesystem partitions that hold potentially sensitive data, such as /var and /etc, but it is complex and tricky because these cannot be encrypted at boot. So I am going to chicken out and merely point to a page that tells how to do this in Resources, because in my own testing I have not gotten it working reliably. Yet.
It doesn't matter if you format your partition with a filesystem at this point because everything will be overwritten, and the filesystem formatted after encryption.
Your encrypted partition will be protected by a password. If you lose your password, you are so out of luck- your data will not be recoverable.
Encrypting the Partition
Once you have a nice new empty partition, you'll encrypt it with the cryptsetup command. Be very sure you are encrypting the correct partition:
# cryptsetup --verbose --verify-passphrase -c aes-cbc-plain luksFormat /dev/sda2 WARNING! ======== This will overwrite data on /dev/sda2 irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: Verify passphrase: Command successful.This creates the encrypted partition. Now you need to create and name a mountable logical partition. In this example, it is named sda2, which could be test or fred or mysecretpartition, or anything you want:
# cryptsetup luksOpen /dev/sda2 sda2 Enter LUKS passphrase: key slot 0 unlocked. Command successful.
This should show as a block device in /dev/mapper:
$ ls -l /dev/mapper total 0 crw-rw---- 1 root root 10, 63 2007-06-09 18:38 control brw-rw---- 1 root disk 254, 0 2007-06-09 19:46 sda2
Now put a filesystem on the logical partition:
# mkfs.ext3 /dev/mapper/sda2
Now you need to make a mount point so you can mount and use this nice new encrypted partition. Remember, you must use the device name is from /dev/mapper/. I'll put it in my home directory. Watch for operations that require rootly powers:
$ mkdir /home/me/crypted # mount /dev/mapper/sda1 /home/me/crypted
Confirm that it mounted, and write a test file:
# df -H [...] Filesystem Size Used Avail Use% Mounted on /dev/mapper/sda2 7.9G 152M 7.3G 3% /home/carla/crypted # cd /home/me/crypted # nano test # ls lost+found test
Making it Available to Users
So far so good! But there is one big problem: only root can access this partition. We need our ordinary user to be able to use it. This virtual partition can be managed in /etc/fstab, just like any other partition. So add a line to /etc/fstab to allow an unprivileged user to mount and unmount the partition:
/dev/mapper/sda2 /home/carla/crypted ext3 user,atime,noauto,rw,dev,exec,suid 0 0
Now Carla can mount it herself:
$ mount ~/crypted
But Carla still cannot write to it. For this we need rootly powers one more time, to put the correct ownership and permissions on the mounted block device:
# chown carla:carla /home/carla/crypted/ # chmod 0700 /home/carla/crypted/
Ok then, that's a lot of Carlas! But now Carla has her own encrypted directory to read and write to just like any other directory in her home directory, and no one else can touch it.
You may unmount and shut off the encrypted partition manually like this:
$ umount crypted # cryptsetup luksClose sda2
You'll need your LUKS password only when you open the encrypted device. Remember, if you lose this password you are toast. You may delete the partition and start over, but your data are unrecoverable. Once the encrypted device is open and mounted, you may use it like any other partition.
You need root powers to run cryptsetup. This is probably not ideal for your users. There are a number of different ways to handle this. One is to use sudo; *buntu users are already set up with an all-powerful sudo. Another option is to configure it to start up at boot, and close at shutdown. Or you might want to create some nice desktop icons so your users can start it up and shut it down easily on demand.
We'll learn how to do these things next week, plus we'll learn how to encrypt USB keys, and how to set up a failsafe for a lost passphrase.