I have a Debian Lenny server running a production application. Recently, we were asked by a consultant to enable disk encryption for data security. He believes full disk encryption would require us to wipe the disks clean and start the server setup from the ground up, so encrypting the storage of the MySQL and web root files would suffice.

So, I am thinking of creating a new partition and moving the apache site root there, along with MySQL data files and have it encrypted with some package/tool.

Now, my questions are straight-forward:

  1. Is my plan correct, or is there a better solution?
  2. Which package/tool should I be looking at for this scenario?
  3. How can I move the MySQL data folder to the new partition if that's the approach to follow?

Appreciate your time and help, thanks in advance!

Regards,

Emran

Mohammad Emran

4 Answers

The first thing to remember is that the consultant isn't the one bearing the burden here in terms of both performance and bother. Unattended reboots will no longer be possible, and to avoid security compromises, there should be very few users who have the encryption password that allows the reboot. Blanket recommendations for encryption are often misplaced.

Data encryption protects against one specific attack scenario, and it's probably not the most likely vulnerability. Data encryption protects you against an attacker who physically walks out with your data drives. If you're concerned about this scenario, consider better physical safeguards - locking panels on the front of the rack, for instance.

Data encryption does not usually provide much protection against an attacker who compromises your web app over the wire. An attacker is most likely to have at least the same privileges as your web app, which include reading and writing to the database, even if it is encrypted on the disk.

Don't forget to account for the performance hit this is going to cause to your MySQL database. Reading and writing to the encrypted disks will be significantly slower. If you are already running into performance issues, this is likely to break things horribly.

MadHatter and JanC have given you good advice. As JanC said, it is possible to do this without wiping the machine, but for your purposes it doesn't sound necessary.

One other thing you need to remember to do is to encrypt your swap partition. To do that, you'll need to disable swap, reboot to make it go away, securely delete the swap partition, encrypt it, re-enable swap, and then restart the machine. I'm not quite sure how to set this up in Debian, but you'll need to enter the password fairly early in the boot process.

If you fail to encrypt the swap partition (and your /tmp dir and any other locations to which your apps may write), portions of your sensitive data will get written unencrypted to disk.

Paul McMillan
  • Very good point about having the swap encrypted. And /tmp can be placed in RAM to close the gap. – halp Oct 15 '10 at 23:54

I think your plan is broadly correct; encrypting a partition will provide you with a chunk of encrypted-secure storage without the pain of reinstalling the whole machine.

Note that this machine will no longer be useful if booted unattended. It will boot, as the root partition will be unencrypted, but it won't be able to start mysql; you have to manually enter the encryption password at each reboot. You could certainly script it, but then the encryption password is stored on the machine and that really defeats the object of the exercise. So be sure you want to do this, before you do it.

I wrote up a fairly detailed tech note on how I did it, which you can read at http://www.teaparty.net/technotes/crypto-fs.html if you're interested. The work was done on Fedora, but it's not Fedora-specific.

Once you've set up the encrypted partition, you just use "cp" or "mv" to get the files onto it, and usually link them through from their old location (/var/lib/mysql, or wherever).

MadHatter
  • +1 for the howto page. Nice! I would only add one thing: Don't forget to securely wipe the original unencrypted data files from the source partition(s) once everything is working in the new configuration. Simply deleting the original files is not good enough, since they could be recovered by scanning the disk. Use `shred` on the files, or preferably something like DBAN on the entire source partition, if feasible. – Steven Monday Oct 15 '10 at 19:14
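An added example, not MadHatter's script or the code from his tech note: a small POSIX sh helper that copies a directory onto the already-mounted encrypted partition, verifies the copy before touching the original, and then links the old path through, as the answer describes. The MySQL-specific steps are wrapped in a function that is not run; /dev/sdb1, /srv/crypt and the mapping name cryptdata are assumptions.

```shell
#!/bin/sh
# Added example, not from the answer: move a data directory onto an
# already-mounted encrypted partition and leave a symlink at the old path.
set -u

# relocate_dir SRC DST: copy SRC into DST preserving ownership, modes and
# timestamps, verify the copy, then rename SRC aside and symlink SRC -> DST.
# Nothing at the old path is touched until the copy has been verified.
relocate_dir() {
    src=$1; dst=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$dst" || return 1
    cp -a "$src/." "$dst/" || return 1
    diff -r "$src" "$dst" >/dev/null || { echo "copy differs: $src vs $dst" >&2; return 1; }
    mv "$src" "$src.orig" && ln -s "$dst" "$src"
}

# migrate_mysql: the full procedure for /var/lib/mysql on Debian. Run as root;
# deliberately not invoked by this script. Assumes /dev/sdb1 is a spare
# partition and the cryptsetup package is installed.
migrate_mysql() {
    /etc/init.d/mysql stop
    cryptsetup luksFormat /dev/sdb1              # prompts for the passphrase
    cryptsetup luksOpen /dev/sdb1 cryptdata      # prompts again to unlock
    mkfs.ext3 /dev/mapper/cryptdata
    mkdir -p /srv/crypt && mount /dev/mapper/cryptdata /srv/crypt
    mountpoint -q /srv/crypt || return 1         # never copy onto plain disk
    relocate_dir /var/lib/mysql /srv/crypt/mysql || return 1
    /etc/init.d/mysql start
    # Steven Monday's point: plain deletion leaves recoverable blocks behind.
    find /var/lib/mysql.orig -type f -exec shred -u {} \; && rm -rf /var/lib/mysql.orig
}
```

The same helper works for the Apache site root; only the shred step at the end should wait until the application has been confirmed working from the new location.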

Full disk encryption is best done with cryptsetup & LUKS. The easiest way to set this up is when you do a new install; there is an option in the installer that will take care of everything for you.

If that's not an option, you'll have to do it manually. There are several tutorials to be found on the web, e.g. here.

Alternatively, you can also do file-based encryption using eCryptfs (whether or not that's good enough depends on what you try to protect against).

JanC

I'd start by asking your consultant what the disk encryption is supposed to protect against. All it'll do (if you've set it to require a passphrase to decrypt) is stop people getting to the data if they steal the system. It won't protect the data while the system is running - if you need to do that then this is the wrong approach.

If you do encrypt then you need to ensure you encrypt 3 things:

  1. The data disks/partitions
  2. The swap partition
  3. The /tmp partition (and other temporary file storage that the web server may use)

This Debian guide may help you get started. To be slightly lazy I'd probably suggest having one small encrypted partition you need a passphrase to unlock that holds keys to unlock all the other partitions. It'll be easier than typing multiple passwords on boot.

Finally, check your current CPU and I/O loads. If you're already running heavily loaded then you probably don't have the spare capacity required. You may need to look to changing your hardware platform or upgrading it.

Cry Havok