Running a web server with an encrypted file system (all or part of it)

I need a webserver (LAMP) running inside a virtual machine (#1) running as a service (#2) in headless mode (#3) with part or the whole file system encrypted (#4).

The virtual machine will be started with no user intervention and provide access to a web application for users on the host machine. Points #1, #2 and #3 are checked and proved to be working fine with Sun VirtualBox, so my question is for #4:

Can I encrypt all of the file system and still access the webserver (using a browser) or will GRUB ask me for a password?

If encrypting all of the file system is not an option, can I encrypt only /home and /var/www? Will Apache/PHP be able to use files in /home or /var/www without asking for a password or mounting these partitions manually?


Solution 1:

If you want full disk encryption, you have to enter the password during the boot phase, which probably is not what you want. I would recommend you create an encrypted partition using LUKS and put all the sensitive data on that partition. After the machine has booted, you can ssh into the box and unlock the partition.

As for how to do the encryption, it's very easy:

  • Create the partition as you like
  • Format the partition with luks:

    cryptsetup -c twofish -y luksFormat /dev/sda4
    
  • Unlock the partition with luks:

    cryptsetup luksOpen /dev/sda4 encwww
    
  • Format the encrypted partition with a fs of your choice:

    mkfs.ext3 /dev/mapper/encwww
    
  • You are done and can now mount /dev/mapper/encwww

To unlock the partition again after a reboot you need to do:

    cryptsetup luksOpen /dev/sda4 encwww

and then mount the partition.
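
An added example, not part of the original answer: a post-reboot helper that unlocks and mounts the partition and starts Apache only once the web root is actually backed by the encrypted mapping, so the server never serves from the bare, unencrypted mount point. `/dev/sda4` and `encwww` come from the answer and `/var/www` from the question; the `apache2` service name, the `unlock` argument and the function names are assumptions.

```shell
#!/bin/sh
# Added example: post-reboot unlock helper for the LUKS partition above.
# DEV and NAME come from the answer, MNT from the question;
# the apache2 service name is an assumption.
DEV=/dev/sda4
NAME=encwww
MNT=/var/www

# Print the source device of the filesystem mounted at $1, reading a
# /proc/mounts-format file ($2, default /proc/mounts). The last matching
# entry wins because a later mount shadows an earlier one.
mount_source() {
    src=""
    while read -r dev mp rest; do
        if [ "$mp" = "$1" ]; then src=$dev; fi
    done < "${2:-/proc/mounts}"
    printf '%s' "$src"
}

# Succeed only if mount point $2 is currently backed by /dev/mapper/$1.
www_ready() {
    [ "$(mount_source "$2" "${3:-/proc/mounts}")" = "/dev/mapper/$1" ]
}

# Unlock, mount, then start Apache only if the encrypted web root is in place.
unlock_and_start() {
    cryptsetup isLuks "$DEV" || { echo "$DEV is not a LUKS device" >&2; return 1; }
    # Skip luksOpen if the mapping already exists (script run twice).
    [ -e "/dev/mapper/$NAME" ] || cryptsetup luksOpen "$DEV" "$NAME" || return 1
    www_ready "$NAME" "$MNT" || mount "/dev/mapper/$NAME" "$MNT" || return 1
    # Final guard: refuse to start the web server on the unencrypted directory.
    www_ready "$NAME" "$MNT" || { echo "$MNT is not on $NAME" >&2; return 1; }
    service apache2 start
}

# Privileged steps run only when invoked with the argument "unlock".
if [ "${1:-}" = "unlock" ]; then
    unlock_and_start
fi
```

For this guard to matter, Apache must not be started automatically at boot; otherwise it comes up before the partition is unlocked.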

Solution 2:

cryptsetup and dm-crypt aren't available on standard Linux distributions, and it is quite an exotic solution; you should try doing it the normal way:

    modprobe loop
    modprobe cryptoloop
    modprobe aes

    dd if=/dev/urandom of=/yourContainerFile bs=`expr 1024 \* 1024 \* 1024` count=yourSizeInGigaBytes

    losetup -e aes-256 /dev/loop0 /yourContainerFile

    mkfs.ext3 /dev/loop0

aaand now you're ready to mount /dev/loop0 wherever you like - strong encryption, done correctly; you could even config your fstab in a way which allows the encryption-key to be read from a USB-stick which has to be plugged in @ boot ... way more flexible AND secure --> Never follow guides which use "twofish" or something similar as encryption ... this algorithm is not yet fully analyzed, nobody knows if it is secure.

Oh, and if you want security beyond the scope and power of secret agencies, use

    /dev/random

instead. The entropy-gathering daemon of Linux delivers statistically "good" values, but it is very slow.

And if you're really paranoid, buy yourself a device which is able to receive & measure cosmic background radiation, connect it to your computer and let it write to /dev/random :-D