Introduction
LUKS (Linux Unified Key Setup) volume encryption is used for all disks connected to CAcert servers. Generic information about LUKS can be found at http://code.google.com/p/cryptsetup/.
Encryption at system installation time
When installing a new operating system on a disk, encryption must be setup during that installation. Debian GNU/Linux 4.0 (Etch) allows for this. The following choices should be made during the installation process:
- Partition disks: Guided - use entire disk and setup encrypted LVM
- Partitioning scheme: All files in one partition (recommended for new users)
- Really use block device encryption? Yes
- Encryption passphrase: use a secure passphrase unique for each disk
The passphrase should not be recorded in any digital system, but only written down on paper and given out to critical system administrators only. One copy should be given to CAcert Board for escrow purposes.
Encryption of additional system disks
When adding an extra disk to a system, encryption must be setup before putting data on the disk. The following procedure can be followed:
- partition the disk:
- if the disk is never to be used for booting, create a single large data partition
- if the disk needs to be bootable, create one small boot partition (which will not be encrypted), and one large data partition (which will be encrypted)
- measure speed for randominzing 100 MB of the disk:
# dd if=/dev/urandom of=/dev/hdc5 bs=1024k count=100
- initialize the large data partition (assume its name is /dev/hdc5) with random data:
# dd if=/dev/urandom of=/dev/hdc5 bs=1024k
- this will take a very long time, you can calculate from the size of the disk and the timing above how long; measured on 172.28.50.6 has been 1.689 MB/sec, i.e. ~53 hours for 320 GB)
- (you can inspect the progress by a kill -USR1 pid-of-dd-process)
- (NOTE: there should be a faster way to do this, since the Debian installer can do it faster; need to investigate how it does it)
- initialize LUKS on the large data partition:
# cryptsetup luksFormat /dev/hdc5
- (will prompt twice for passphrase, use the passphrase of hda5)
- open the large data partition through LUKS:
# cryptsetup luksOpen /dev/hdc5 hdc5_crypt
- (will prompt again for passphrase)
- add the new encrypted partition to /etc/crypttab:
# vi /etc/crypttab
- add a line for hdc5_crypt similar to the line for hda5_crypt, so the result becomes:
hda5_crypt /dev/hda5 none luks hdc5_crypt /dev/hdc5 none luks
- now you can use LVM to use the encrypted partition in any way desired, e.g.
# pvcreate /dev/mapper/hdc5_crypt # vgcreate newvg /dev/mapper/hdc5_crypt # lvs # lvcreate -n newvol -L 200G newvg # pvs; vgs; lvs # mke2fs -j /dev/mapper/newvg-newvol
Other notes
general user page: HardDriveEncryption.
from cryptogram 20090215: There's a new hard drive encryption standard, which will make it easier for manufacturers to build encryption into drives. Honestly, I don't think this is really needed. I use PGP Disk, and I haven't noticed any slowdown due to having encryption done in software. And I worry about yet another standard with its inevitable flaws and security vulnerabilities.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=storage&articleId=9126869&taxonomyId=19&intsrc=kc_top or http://tinyurl.com/dgrton
http://arstechnica.com/hardware/news/2009/01/hard-drive-manufacturers-unveil-disk-encryption-standard.ars or http://tinyurl.com/a9qn7p
http://www.theregister.co.uk/2009/01/30/tcg_encryption_standards/
Perceptive comment about how the real benefit is regulatory compliance: http://www.schneier.com/blog/archives/2009/02/hard_drive_encr.html#c347372 or http://tinyurl.com/c8qegx
also from cryptogram 20090215: The Doghouse: Raidon's Staray-S Encrypted Hard Drives. Turns out the algorithm is linear.
http://www.heise-online.co.uk/security/Cracking-budget-encryption--/features/112548 or http://tinyurl.com/ctbquo
When you're buying security products, you have to trust the vendor. That's why I don't buy any of these hardware-encrypted drives. I don't trust the vendors.