Linux – Approaches for Linux server disk encryption

disk-encryptionencryptionlinuxtpm

What are the approaches available for fully encrypting a disk on a remote server (say, colocated in a datacenter)? On Windows, we can just turn on Bitlocker with a TPM. Then the server can reboot, and attacking either requires taking the machine while live and dumping RAM, or breaking the TPM. On Linux, what's available?

So far, I've found an IBM "blueprint" describing how to store dm-crypt keys in the TPM. Is this the best approach?

http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/topic/liaai/tpm/liaaitpm_pdf.pdf

Best Answer

To understand the best solution to your issue you need to clarify what you are trying to achieve. In other words, what's your threat-model? Who is your attacker? You mention that to get around the encryption would require 'taking the machine while live' (by which I assume you mean hacking it), but that is the most likely scenario for a colocated server. Disk encryption is mainly of use in the case of physical theft.

You also need to consider what data are you protecting. You mention 'fully encrypting a disk', but does this require encrypting e.g. /usr? If you're running a standard distribution there is nothing of interest there. Without knowing more about what the server will contain it's hard to make recommendation.

But to give a more concrete suggestion, consider the following hypothetical server. It contains the following:

A simple website showing some products
A basic CRUD order application written in Rails/Django/whatever
A Postgres DB for customer information and orders

Of those components, only the database really needs protecting, so here's how I'd approach this:

Leave most of the machine un-encrypted (but make as much of the FS read-only as possible)
Create a separate partition for the database and encrypt it with a strong password using any of the available Linux encryption system (ecryptfs, etc).
After each reboot, login and mount the partition with the key, which is stored elsewhere.
On a reboot have the server alert me

You mention TPM, but TPM doesn't help you in a number of cases, such as if an attacker gains administration privileges. TrueCrypt have rejected support for TPM for this reason.

Related Solutions

Windows XP Full Disk Encryption – What are the options

Why, TrueCrypt!

Encrypts an entire partition or storage device such as USB flash drive or hard drive.

Using TrueCrypt Without Administrator Privileges

In Windows, a user who does not have administrator privileges can use TrueCrypt, but only after a system administrator installs TrueCrypt on the system. The reason for that is that TrueCrypt needs a device driver to provide transparent on-the-fly encryption/decryption, and users without administrator privileges cannot install/start device drivers in Windows.

After a system administrator installs TrueCrypt on the system, users without administrator privileges will be able to run TrueCrypt, mount/dismount any type of TrueCrypt volume, load/save data from/to it, and create file-hosted TrueCrypt volumes on the system. However, users without administrator privileges cannot encrypt/format partitions, cannot create NTFS volumes, cannot install/uninstall TrueCrypt, cannot change passwords/keyfiles for TrueCrypt partitions/devices, cannot backup/restore headers of TrueCrypt partitions/devices, and they cannot run TrueCrypt in portable mode.

System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the TrueCrypt Boot Loader, which resides in the first track of the boot drive and on the TrueCrypt Rescue Disk.

Domain access is after the pre-boot login.

However, if the user needs to change the password and the employer expects to know that password, it is a matter of the employer trusting the user/employee.

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Best Answer

Related Solutions

Windows XP Full Disk Encryption – What are the options

Linux – How to run a server on port 80 as a normal user on Linux

Related Topic