Disk encryption in Debian
I have a Debian Lenny server running a production application. Recently, we are being asked by a consultant to enable disk encryption for data security. He believes full disk encryption will require us to wipe the disks clean and start the server setup from the ground up, so encrypting the storage of the MySQL and web root files would suffice.
So, I am thinking of creating a new partition and moving the apache site root there, along with MySQL data files and have it encrypted with some package/tool.
Now, my questions are straightforward:
- Is my plan correct, or is there a better solution?
- Which package/tool should I be looking out for this scenario?
- How can I move the MySQL data folder to the new partition if that's the approach to follow?
Appreciate your time and help, thanks in advance!
Regards,
Emran
The first thing to remember is that the consultant isn't the one bearing the burden here in terms of both performance and bother. Unattended reboots will no longer be possible, and to avoid security compromises, there should be very few users who have the encryption password that allows the reboot. Blanket recommendations for encryption are often misplaced.
Data encryption protects against one specific attack scenario, and it's probably not the most likely vulnerability. Data encryption protects you against an attacker who physically walks out with your data drives. If you're concerned about this scenario, consider better physical safeguards - locking panels on the front of the rack, for instance.
Data encryption does not usually provide much protection against an attacker who compromises your web app over the wire. An attacker is most likely to have at least the same privileges as your web app, which include reading and writing to the database, even if it is encrypted on the disk.
Don't forget to account for the performance hit this is going to cause to your MySQL database. Reading and writing to the encrypted disks will be significantly slower. If you are already running into performance issues, this is likely to break things horribly.
MadHatter and JanC have given you good advice. As JanC said, it is possible to do this without wiping the machine, but for your purposes it doesn't sound necessary.
One other thing you need to remember to do is to encrypt your swap partition. To do that, you'll need to disable swap, reboot to make it go away, securely delete the swap partition, encrypt it, re-enable swap, and then restart the machine. I'm not quite sure how to set this up in Debian, but you'll need to enter the password fairly early in the boot process.
If you fail to encrypt the swap partition (and your /tmp dir and any other locations to which your apps may write), portions of your sensitive data will get written unencrypted to disk.
I think your plan is broadly correct; encrypting a partition will provide you with a chunk of encrypted-secure storage without the pain of reinstalling the whole machine.
Note that this machine will no longer be useful if booted unattended. It will boot, as the root partition will be unencrypted, but it won't be able to start mysql; you have to manually enter the encryption password at each reboot. You could certainly script it, but then the encryption password is stored on the machine and that really defeats the object of the exercise. So be sure you want to do this, before you do it.
I wrote up a fairly detailed tech note on how I did it, which you can read at http://www.teaparty.net/technotes/crypto-fs.html if you're interested. The work was done on fedora, but it's not fedora-specific.
Once you've set up the encrypted partition, you just use "cp" or "mv" to get the files onto it, and usually link them through from their old location (/var/lib/mysql, or wherever).
Full disk encryption is best done with cryptsetup & LUKS. The easiest way to set this up is when you do a new install; there is an option in the installer that will take care of everything for you.
If that's not an option, you'll have to do it manually. There are several tutorials to be found on the web, e.g. here.
Alternatively, you can also do file-based encryption using eCryptFS (whether or not that's good enough depends on what you try to protect against).
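Pulling the steps from these answers together (a cryptsetup/LUKS volume, copying the MySQL datadir onto it and linking it back, the manual unlock after every reboot, and random-key swap as the earlier answer warns), here is an added example script that is not from any of the answerers. /dev/sdb1 (the new empty partition), /dev/sda5 (the swap partition), the mapper names and /srv/crypt are assumptions; the ext3 and /etc/init.d/mysql choices match a Lenny-era box.

```shell
#!/bin/sh
# Added example: move MySQL's data directory onto a new LUKS partition.
# Assumed: /dev/sdb1 is empty, /dev/sda5 is the swap partition, /srv/crypt is free.
set -eu
DEV=${DEV:-/dev/sdb1}      # assumption: the new, empty partition
NAME=${NAME:-mysqlcrypt}   # name under /dev/mapper/
MNT=${MNT:-/srv/crypt}     # where the decrypted filesystem is mounted
SWAPDEV=${SWAPDEV:-/dev/sda5}   # assumption: the existing swap partition
DATA=/var/lib/mysql        # Debian's default MySQL datadir

# /etc/crypttab and /etc/fstab lines. "noauto" keeps the boot from blocking on a
# passphrase prompt for a volume that has to be opened by hand anyway.
crypttab_line() { printf '%s %s none luks,noauto\n' "$2" "$1"; }                  # dev name
fstab_line()    { printf '/dev/mapper/%s %s ext3 noauto,nodev,nosuid 0 0\n' "$1" "$2"; }  # name mnt
# Swap with a fresh random key each boot: nothing to type, nothing recoverable later.
swap_crypttab_line() { printf 'cswap %s /dev/urandom swap\n' "$1"; }
swap_fstab_line()    { printf '/dev/mapper/cswap none swap sw 0 0\n'; }

# One-time setup. Destroys everything on $DEV, so refuse if it is in use.
setup_volume() {
    mount | grep -q "^$DEV " && { echo "$DEV is mounted, refusing" >&2; return 1; }
    cryptsetup luksFormat "$DEV"              # prompts for the passphrase
    cryptsetup luksOpen "$DEV" "$NAME"
    mkfs.ext3 -q "/dev/mapper/$NAME"
    mkdir -p "$MNT" && mount -o nodev,nosuid "/dev/mapper/$NAME" "$MNT"
    crypttab_line "$DEV" "$NAME" >> /etc/crypttab
    fstab_line "$NAME" "$MNT"   >> /etc/fstab
}

# Copy the datadir while MySQL is stopped, then point the old path at the new copy.
migrate_mysql() {
    [ -d "$MNT/mysql" ] && { echo "$MNT/mysql already exists, refusing" >&2; return 1; }
    /etc/init.d/mysql stop
    cp -a "$DATA" "$MNT/mysql"                # -a keeps ownership and permissions
    mv "$DATA" "$DATA.pre-crypt"              # keep until verified, then shred it
    ln -s "$MNT/mysql" "$DATA"
    /etc/init.d/mysql start
}

# Swap was written in clear before; swapoff, overwrite once, then switch to crypttab.
encrypt_swap() {
    swapoff "$SWAPDEV" && dd if=/dev/zero of="$SWAPDEV" bs=1M 2>/dev/null || true
    swap_crypttab_line "$SWAPDEV" >> /etc/crypttab
    sed -i "\|^$SWAPDEV |d" /etc/fstab && swap_fstab_line >> /etc/fstab
}

# After every reboot someone has to do this by hand, or the passphrase lives on disk.
after_reboot() { cryptsetup luksOpen "$DEV" "$NAME"; mount "$MNT"; /etc/init.d/mysql start; }

case "${1:-}" in setup) setup_volume ;; migrate) migrate_mysql ;; swap) encrypt_swap ;; open) after_reboot ;; esac
```

Run as root in the order `setup`, `migrate`, `swap`, reboot; after each later reboot run `open` and type the passphrase.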