Thursday, July 9, 2009

Encrypted Filesystems

I am doing work on a project and the client has a requirement that all data, including documentation, config data, and anything else related to the project be stored on an encrypted filesystem. We are going to be using a Microsoft Project Server 2007 with project web access and webdav for document libraries. So, I need to figure out how to encrypt the data stored in the SQL Server 2005, and all the other places.

The easiest way to architect this solution was to simply install the whole standalone project server as a virtual machine and have the virtual machine files reside on an encrypted filesystem.

So, step 1, install a box with an encrypted volume. I am going to use my current OS of choice, Ubuntu Server 8.04.1. I found a great reference article using the Google debugger to use as a guide, see My implementation is going to vary slightly, but this is the document I am using as my reference.

So the first thing I did was install Ubuntu Server 8.04.1 from the CD. My partitioning is somewhat complicated, but nothing crazy. The box I am using has 6 drive bays filled with drives. I used the onboard raid controller to make two arrays, the first is a mirror of two 36 GB drives and the second is a raid 5 array of the other four 320 GB drives. Ubuntu sees two drives, /dev/sda and /dev/sdb. I formatted /dev/sda into two filesystems, a SWAP partition with 4GB and the rest was made as the / partition. The /dev/sdb drive I left unformatted, I will be using that for my encrypted filesystem.

When going through the install, I selected all of the defaults, only adding the openssh-server so I don't have to use the console in the server room. Once the install finished, I SSH'd into the box from my desk and ran the following two commands to update my server to the latest patches and reboot.
sudo apt-get update
sudo apt-get dist-upgrade
sudo init 6
After the reboot, I needed to add a couple additional packages, so I ran the following command to add them.
sudo apt-get install cryptsetup hashalot initramfs-tools

After those packages were added, I skipped down the document to the "Create the encrypted partition" section and started with those steps.
sudo modprobe dm_crypt
sudo modprobe sha256
sudo luksformat -t ext3 /dev/sdb

Note: I did get a warning, but it has not seemed to cause any problems.
WARNING: Error inserting padlock_sha (/lib/modules/2.6.24-24-server/kernel/drive
rs/crypto/padlock-sha.ko): No such device

After the volume has been formatted, I created a new mount point for it on /cryptvol. I ran the following commands to mount the volume where I wanted it.
sudo mkdir /cryptvol
sudo cryptsetup luksOpen /dev/sdb cryptvol
sudo mount /dev/mapper/cryptvol /cryptvol

When I ran the cryptsetup command, I was prompted or my password. After entering it the command finish and I was able to mount my new volume. Next order of business is to create some kind of documentation on the box to tell me those two commands. I opted to create a file called /readme.cryptedfs with the commands to mount this file system. I did not want to have it automatically mounted, I want a user to be forced to log into this box and enter the password manually to mount this volume after a (re)boot. I also created a sym link to this file in the /cryptvol directory when the filesystem is not mounted to the directory, just in case someone goes there looking for something, they see one file.

And its that simple, I now have a completely encrypted volume on a server. In order to mount this volume a password must be provided.

No comments:

Post a Comment