How to protect your data

We consider the situation where attackers (well-meaning ones, naturally) can take your server away for a detailed study.

Main idea


  • Use strong encryption on the physical volumes.
  • Enable the necessary services over the network.
  • The weakest link is the person, so it is good if the one who knows the passwords is far away from the server, for example in another country.
  • Examining the hard drives should show an ordinary system and nothing else, plus a large unformatted region of the disk.


Implementation


The solution is built on LVM and encryption with LUKS.

Linux Volume Manager (LVM) is a very powerful volume management system for Linux. It lets you create logical volumes on top of physical partitions (or even whole, unpartitioned disks), which the system sees as ordinary block devices holding data (i.e. as regular partitions). The main advantages of LVM are, first, that one volume group can span any number of physical partitions and, second, that logical volumes can be resized easily while the system is running. In addition, LVM supports snapshots, on-the-fly copying of volumes, and RAID-1-style mirroring.

The dm-crypt module from the device-mapper framework implements the crypt target, which maps a virtual block device (/dev/mapper/luks-UID) onto an underlying block device (possibly itself virtual) or a file (via loopback), with encryption that is transparent to the user and performed by the Linux 2.6 crypto API. The symmetric cipher and its mode (AES), the key and the IV generation scheme are specified. When data is written to the virtual device it is encrypted before being written to the underlying block device; when data is read from the virtual device, the previously encrypted data is read from the underlying block device and decrypted. The on-disk format is the same as cryptoloop's. It can work on top of a loop device (an encrypted file system inside a file). A file system is created on the virtual device in the usual way.

The system is installed in whatever configuration you need. In my case it is a not particularly (to put it mildly) powerful computer running Ubuntu, with PostgreSQL as the DBMS. Install LVM support and cryptsetup. All commands below are, naturally, run as root.

Set up encryption on the partition we need (in my case /dev/sda3, which will be mapped under the name bblab1s):
cryptsetup -y -s 256 -c aes-cbc-essiv:sha256 luksFormat /dev/sda3
Open the encrypted partition (this creates /dev/mapper/bblab1s; it does not mount anything yet):
cryptsetup luksOpen /dev/sda3 bblab1s
Create a physical volume and a volume group on it:
pvcreate /dev/mapper/bblab1s
vgcreate bblab /dev/mapper/bblab1s
Carve logical volumes out of it (the size is given after -L):
lvcreate -L 32G -n swap bblab
lvcreate -L 16G -n tmp bblab
lvcreate -L 1000G -n varps bblab
lvcreate -L 16G -n varlg bblab
lvcreate -L 256G -n home bblab
Format the ones that need it:
mkswap /dev/bblab/swap
mkfs.ext4 /dev/bblab/tmp
mkfs.ext4 /dev/bblab/varps
mkfs.ext4 /dev/bblab/varlg
mkfs.ext4 /dev/bblab/home
I considered it necessary to hide swap, /tmp, /var/log, /var/lib/postgresql and /home. In /boot/grub/grub.cfg, on the line beginning with linux ..., add the text and nomodeset options so that everything boots in text mode. I also install openssh-server for ssh logins and acpi-support so that the power button shuts the machine down. Disable writing to .bash_history, for example by making it read-only or in any other way. After that you can unplug everything from the computer. All I have left is the computer itself, the power cord and the network cable.

When the computer is switched on there is a clean system; you can reach it over the network and do something with it. But now you need to work with PostgreSQL, or run KDE through neatx-server and, inside it, Windows in VirtualBox with some terribly expensive program. You send an SMS, or call over Skype or Google, to that distant person who knows the passwords and sits in a country with a lot of bureaucracy. He then, say from an ssh terminal on his Android phone, runs the following commands on your server.

Opens the encrypted partition (the passphrase is entered at this point):
cryptsetup luksOpen /dev/sda3 bblab1

Stops PostgreSQL and flushes the disks:
service postgresql stop
sync
sleep 5

Mounts the required partitions and starts PostgreSQL:
swapon /dev/bblab/swap
mount /dev/bblab/tmp /tmp
chmod ugo+rwxt /tmp
mount /dev/bblab/varlg /var/log/
mount /dev/bblab/varps /var/lib/postgresql
mount /dev/bblab/home /home
service postgresql start
Now everything can work. After the computer is switched off, for example with the power button, the enemies will find nothing; it will even be quite hard for them to understand that anything could be there at all.
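One caveat to the "unformatted region" idea above and to this closing claim: a LUKS container is not blank space. Its header is stored in cleartext and begins with a fixed magic (LUKS followed by the bytes 0xBA 0xBE), followed by the cipher specification, hash, key size, UUID and the key-slot table; only the wrapped master key and the payload are encrypted. Anyone who images the disk can therefore identify the container and the algorithm used, and `cryptsetup luksDump /dev/sda3` prints exactly these fields. The parser below is an added example and not code from the original post; it decodes a LUKS1 header from a raw image using a header constructed inline to match the `luksFormat` options used above (the digest, salt and UUID values are dummies).

```python
"""Identify and decode LUKS1 headers in a raw disk image.

Added example, not code from the original post. Layout follows the LUKS1
on-disk format: a 592-byte header with eight 48-byte key slots.
"""
import struct
from typing import Dict, List, Tuple

LUKS_MAGIC = b"LUKS\xba\xbe"       # shared by LUKS1 and LUKS2; the version field differs
SECTOR = 512
KEY_SLOT_ACTIVE = 0x00AC71F3        # LUKS1 key-slot state markers
KEY_SLOT_DISABLED = 0x0000DEAD
# magic, version, cipher-name, cipher-mode, hash-spec, payload-offset (sectors),
# key-bytes, mk-digest, mk-digest-salt, mk-digest-iter, uuid  -> 208 bytes
HEADER_FMT = ">6sH32s32s32sII20s32sI40s"
KEY_SLOT_FMT = ">II32sII"           # state, iterations, salt, key-material offset, stripes -> 48 bytes
PHDR_LEN = struct.calcsize(HEADER_FMT)
HEADER_LEN = PHDR_LEN + 8 * struct.calcsize(KEY_SLOT_FMT)   # 592


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_luks1_header(buf: bytes) -> Dict[str, object]:
    """Decode the cleartext fields of a LUKS1 header located at buf[0:592]."""
    if len(buf) < HEADER_LEN:
        raise ValueError("buffer shorter than a LUKS1 header")
    (magic, version, cipher_name, cipher_mode, hash_spec, payload_offset,
     key_bytes, _mk_digest, _mk_salt, mk_iterations, uuid_raw) = struct.unpack_from(HEADER_FMT, buf, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0")
    if version != 1:
        raise ValueError(f"LUKS version {version}: this parser handles LUKS1 only")
    active_slots: List[int] = []
    for slot in range(8):
        state, _iters, _salt, _km_offset, _stripes = struct.unpack_from(
            KEY_SLOT_FMT, buf, PHDR_LEN + slot * struct.calcsize(KEY_SLOT_FMT))
        if state == KEY_SLOT_ACTIVE:
            active_slots.append(slot)
    return {
        "version": version,
        "cipher": f"{_cstr(cipher_name)}-{_cstr(cipher_mode)}",   # same form as cryptsetup -c
        "hash": _cstr(hash_spec),
        "key_bits": key_bytes * 8,
        "payload_offset_bytes": payload_offset * SECTOR,
        "mk_iterations": mk_iterations,
        "uuid": _cstr(uuid_raw),
        "active_slots": active_slots,
    }


def find_luks_headers(image: bytes, step: int = SECTOR) -> List[Tuple[int, int]]:
    """Return (offset, version) for every sector-aligned LUKS magic in the image."""
    hits: List[Tuple[int, int]] = []
    pos = image.find(LUKS_MAGIC)
    while pos != -1:
        if pos % step == 0 and pos + 8 <= len(image):
            hits.append((pos, struct.unpack_from(">H", image, pos + 6)[0]))
        pos = image.find(LUKS_MAGIC, pos + 1)
    return hits


def build_sample_header() -> bytes:
    """Constructed LUKS1 header matching the post's luksFormat options
    (aes-cbc-essiv:sha256, 256-bit key). Digest, salt and UUID are dummies."""
    head = struct.pack(HEADER_FMT, LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha256",
                       4040, 32, b"\x11" * 20, b"\x22" * 32, 1000,
                       b"0f1e2d3c-0000-4000-8000-000000000000")
    slots = struct.pack(KEY_SLOT_FMT, KEY_SLOT_ACTIVE, 50000, b"\x33" * 32, 8, 4000)
    for slot in range(1, 8):   # remaining key slots unused
        slots += struct.pack(KEY_SLOT_FMT, KEY_SLOT_DISABLED, 0, b"\x00" * 32, 8 + slot * 504, 4000)
    return head + slots


# Constructed "disk image": 4 KiB of zeros, then the container header, then zeros.
SAMPLE_IMAGE = b"\x00" * 4096 + build_sample_header() + b"\x00" * 2048


if __name__ == "__main__":
    for offset, version in find_luks_headers(SAMPLE_IMAGE):
        print(f"LUKS{version} header at byte {offset}")
        if version == 1:
            for key, value in parse_luks1_header(SAMPLE_IMAGE[offset:]).items():
                print(f"  {key}: {value}")
```

Run against a real image with `find_luks_headers(open(path, "rb").read())`; a LUKS2 header carries the same magic with version 2 and a JSON metadata area instead of this fixed layout, which is why the parser stops at the version check rather than guessing.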

PS.


Of course, you can do without the outside person and become the weakest link yourself. To do that, use the following script:
#!/bin/sh
# Abort at the first failing command: if luksOpen fails (wrong passphrase),
# PostgreSQL is left running as it was and nothing gets mounted.
set -e

cryptsetup luksOpen /dev/sda3 bblab1
service postgresql stop
sync
sleep 5

swapon /dev/bblab/swap
mount /dev/bblab/tmp /tmp
chmod ugo+rwxt /tmp
mount /dev/bblab/varlg /var/log/
mount /dev/bblab/varps /var/lib/postgresql
mount /dev/bblab/home /home
service postgresql start
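The unlock sequence, whether typed by the remote person or run from the script above, has no error handling: a mistyped passphrase still stops PostgreSQL and then restarts it against the unencrypted root filesystem, and a failed mount leaves the container open with the key in RAM. The following is an added example, not the post's own script: the same steps as a fail-closed sequence that checks every command and, on failure, undoes what was already done in reverse order (unmount, swapoff, restore the service, close the container). Device, mapper and volume names are the post's (the mapper name is arbitrary, which is why the post's `bblab1` and `bblab1s` both work: LVM finds the physical volume by its on-disk label, not by the mapper name); the `vgchange -ay bblab` step is an assumption for systems that do not auto-activate the volume group when its physical volume appears. The `run` callable is injectable so the ordering can be exercised without root or real devices.

```python
"""Fail-closed version of the post's unlock sequence (added example)."""
import subprocess
from typing import Callable, List, Optional, Sequence

Runner = Callable[[Sequence[str]], bool]

# (logical volume, mount point) in the order the post mounts them
MOUNTS = [("tmp", "/tmp"), ("varlg", "/var/log"),
          ("varps", "/var/lib/postgresql"), ("home", "/home")]


def run_real(cmd: Sequence[str]) -> bool:
    """Run cmd with inherited stdio so cryptsetup can prompt for the passphrase on the TTY."""
    return subprocess.run(list(cmd)).returncode == 0


def unlock_and_mount(run: Runner = run_real, device: str = "/dev/sda3",
                     name: str = "bblab1s", vg: str = "bblab") -> List[str]:
    """Open the container, activate LVM, mount the volumes and start PostgreSQL.

    Returns the successful commands in order (an audit trail). On any failure,
    rolls back everything already done and raises RuntimeError.
    """
    performed: List[str] = []
    undo_stack: List[List[str]] = []

    def rollback() -> None:
        # Best effort, newest first: unmount, swapoff, restart the service as it
        # was, deactivate the volume group, close the container (key leaves RAM).
        for cmd in reversed(undo_stack):
            run(cmd)

    def step(cmd: List[str], undo: Optional[List[str]] = None) -> None:
        if not run(cmd):
            rollback()
            raise RuntimeError("step failed, rolled back: " + " ".join(cmd))
        performed.append(" ".join(cmd))
        if undo is not None:
            undo_stack.append(undo)

    step(["cryptsetup", "luksOpen", device, name], ["cryptsetup", "luksClose", name])
    step(["vgchange", "-ay", vg], ["vgchange", "-an", vg])   # assumed; harmless if already active
    step(["service", "postgresql", "stop"], ["service", "postgresql", "start"])
    step(["sync"])
    step(["sleep", "5"])
    step(["swapon", f"/dev/{vg}/swap"], ["swapoff", f"/dev/{vg}/swap"])
    for lv, mountpoint in MOUNTS:
        step(["mount", f"/dev/{vg}/{lv}", mountpoint], ["umount", mountpoint])
        if mountpoint == "/tmp":
            step(["chmod", "ugo+rwxt", "/tmp"])   # restore the sticky, world-writable /tmp
    step(["service", "postgresql", "start"])
    return performed


if __name__ == "__main__":
    for line in unlock_and_mount():
        print("ok:", line)
```

Whichever variant is used, the passphrase is typed into cryptsetup running from the unencrypted root filesystem, so the scheme ultimately rests on the integrity of that system and of the ssh server it exposes; the encrypted volumes protect data only while the machine is off or the container is closed.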

References


Linux Volume Manager (LVM)
Bog BOS: Linux block device encryption (dm-crypt, LUKS, cryptsetup)
