A CentOS 7 web server needs encryption at rest. I would like to use LUKS encryption for this, but I need direction to plan how. Can I use LUKS encryption to encrypt the entire drive as one unit on a live web server?

My ISP told me that I need to retain two unencrypted partitions, one as the boot partition, and the other to allow CentOS 7 to establish state for the OS. I am thus told that only additional partitions would be encrypted. How do I determine which file system elements to retain in the OS-state partition, and which file system elements to move to an encrypted partition or partitions?

I would like to use virtualbox to set up two CentOS 7 virtual machines on the server.

1.) The first virtual machine would host web apps that have https and smtp connectivity to the internet.

2.) The second virtual machine would host the MySQL databases for the first virtual machine. And the second virtual machine would ONLY be able to connect with the first virtual machine, not with any other computers, devices, networks, or machines, etc.

So then do I have four partitions?

1.) boot partition (how big?)  
2.) OS state partition (how big and what is in it?)
        a.) Is virtualbox running here or in an encrypted partition?
3 & 4) Are the two virtual machines each in their own encrypted partitions?
        Or are the virtual machines bundled into one encrypted partition  
        with the virtualbox program?  

To start answering the question of what goes in which partition, I navigated the terminal to `cd /` and typed `ls -al` to show everything in the root directory of the server as follows:

[user@domain /]$ ls -al
total 108
.
..
.autorelabel
bin -> usr/bin
boot
crd
dev
etc
home
import
lib -> usr/lib
lib64 -> usr/lib64
media
mnt
opt
proc
.readahead
root
run
sbin -> usr/sbin
srv
sys
tmp
usr
var

Do the folders listed in `ls -al` for the `/` directory include everything in all partitions? If not, what else is there on the hard drive and how do I find it? Also, how do we plan to segregate all possible disk elements into partitions in a scheme for LUKS encryption?

CodeMed
  • Who said that you needed anything other than `/boot` to be unencrypted? Why would you need something else unencrypted? – Michael Hampton Aug 28 '15 at 19:50
  • @MichaelHampton The ISP customer support rep said that the OS needs to be able to establish state using an unencrypted partition. Also, separately, remember that this is a production web server, if that has any bearing. – CodeMed Aug 28 '15 at 19:52
  • If it's to be a production server, why on earth would you be using VirtualBox? And the only unencrypted partition necessary is `/boot` itself. – Michael Hampton Aug 28 '15 at 19:57
  • Are you planning to run VirtualBox for a production server important enough that you are considering encrypted partitions? Also what is it you will be hosting that needs encryption? – J.Zimmerman Aug 28 '15 at 20:00
  • @MichaelHampton I am only leasing one dedicated server box, and the data has to be EXTREMELY secure. So I figured I would put the database in a VM. – CodeMed Aug 28 '15 at 20:01
  • @J.Zimmerman Very sensitive data. The web interface is actually through a VPN. – CodeMed Aug 28 '15 at 20:03
  • Very sensitive data on the file system? MySQL databases? Apache access logs? Application logs? You really only need to encrypt the file system with LUKS where that data sits. A key can be created to mount the encrypted disk at boot, but if that is stolen along with your encrypted disk (like stealing the whole VM) someone else can decrypt your disk/filesystem. Being prompted for a passphrase at boot is the other option. A good answer will tackle your specific data encryption needs and not necessarily the question about whether or not to encrypt /boot and /. – J.Zimmerman Aug 28 '15 at 20:11
  • @J.Zimmerman The file system may contain sensitive data in addition to the database. This is not limited to the log files, which contain, among other things, query logs providing glimpses of what is in the database. Deeper layers of encryption will deal with some of this, but I want the OS and file system itself to be encrypted to protect against omissions at deeper layers, and to provide an extra layer through which an attacker would have to pass before getting to deeper encryption. This question is about the levels of encryption that LUKS can provide. – CodeMed Aug 28 '15 at 20:25
  • @MichaelHampton The server is located in an ISP. I would be encrypting it via SSH. This is why the OS needs to establish state with unencrypted file system elements. So the problem is how to get all log files, data, and user created files in an encrypted partition. Sorry I was not clear about this earlier. – CodeMed Aug 29 '15 at 19:10
  • I don't know if CentOS has provisions for this, but Debian has methods to configure a method to enter the passphrase for the root filesystem via SSH, so after a reboot you can login via ssh to the initrd environment and enter the passphrase. The system will then continue booting from the encrypted disk. – Sig-IO Nov 12 '15 at 10:58
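
Added example (not part of the original question or its comments): one way to check which paths would actually sit on a LUKS-backed mount under a layout like the one discussed above, by parsing `lsblk -P` output and walking each device's parents. The device layout and the paths checked are constructed for illustration, and the script assumes an `lsblk` that offers the `PKNAME` column.

```python
import shlex

# Constructed sample of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output:
# /boot, / and swap are plain partitions; sda3 holds a LUKS container (dm-0)
# with two LVM volumes on top of it.
SAMPLE_LSBLK = '''\
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="/"
KNAME="sda4" PKNAME="sda" TYPE="part" MOUNTPOINT="[SWAP]"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/var/lib/mysql"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/srv/vms"
'''

def parse_lsblk(text):
    """Return one dict per device row of `lsblk -P` (KEY="value") output."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line))
            for line in text.splitlines() if line.strip()]

def encrypted_mounts(devices):
    """Map each mount point to True if its device or any ancestor is dm-crypt."""
    by_name = {}
    for d in devices:
        by_name.setdefault(d["KNAME"], []).append(d)  # a device may have several parents

    def has_crypt(name, seen=()):
        if not name or name in seen:
            return False
        return any(d["TYPE"] == "crypt" or has_crypt(d["PKNAME"], seen + (name,))
                   for d in by_name.get(name, []))

    return {d["MOUNTPOINT"]: has_crypt(d["KNAME"]) for d in devices if d["MOUNTPOINT"]}

def locate(path, mounts):
    """Return (mount point, encrypted?) for the longest mount prefix holding path.
    Pass an absolute path with symlinks already resolved."""
    best = max((m for m in mounts if m.startswith("/")
                and (path == m or path.startswith(m.rstrip("/") + "/"))), key=len)
    return best, mounts[best]

if __name__ == "__main__":
    # On a real host, feed parse_lsblk() the output of:
    #   lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT
    mounts = encrypted_mounts(parse_lsblk(SAMPLE_LSBLK))
    for p in ["/var/lib/mysql/ibdata1", "/var/log/mysql/query.log", "/tmp", "/srv/vms/db.vdi"]:
        mp, enc = locate(p, mounts)
        print(f"{p:28} on {mp:16} {'LUKS' if enc else 'PLAINTEXT'}")
    print("swap:", "LUKS" if mounts.get("[SWAP]") else "PLAINTEXT")
```

With this constructed layout the database files and VM images land on LUKS, while query logs under `/var/log`, `/tmp` and swap remain on unencrypted storage.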

1 Answer

Ok, for extremely secure data you must not use a virtual OS. Point.

The host by nature has access to your memory, that's why. In fact, it's rather the host's one.

However, I get you do this because you want to work with the data rather than just store it. I suggest a middleware component to do the encryption/decryption in memory, so writing is done encrypted only. I.e. use a database that supports this or pipe it through gpg. Hence, full disk enc is not necessary if you care on what may be tampered to get your key.

chicks