This article was based on a post made on the EC2 Ubuntu group.Anything that is not stored on an EBS volume that is mounted to the instance will be lost.įor example, if you mount your EBS volume at /mystuff, then anything not in /mystuff will be lost. How do you solve your data security challenges on EC2? If you have swap enabled, anything in memory could be saved in the clear to disk whenever the operating system feels like it. ![]() ![]() For example, sensitive information might be stored in /tmp, /etc, or log files on the root disk. This article does not attempt to cover all of the possible security considerations you might need to take into account for data leakage on disks. Keeping your data private is important, but it’s also important that you know how to get it back in the case of problems. Study the cryptsetup documentation carefully so that you understand what is going on. See the documentation on crypttab and consider adding a line like: crypt-sda2 /dev/sda2 /PASSPHRASEFILE luks It is possible to auto-mount the encrypted disk on reboot if you are willing to put your passphrase in the root partition (almost ruins the point of encryption). See “ man cryptsetup” for info on adding keys and getting information from the LUKS disk header. You’re now to free to place files on /mnt knowing that the content will be encrypted before it is written to the hardware disk.Īfter reboot, /mnt will appear empty until you re-mount the encrypted partition, entering your passphrase: sudo cryptsetup luksOpen /dev/sda2 crypt-sda2 Mount the file system on the encrypted block device: sudo mount /mnt Update /etc/fstab and replace the /mnt line (or create a new line for an EBS volume): fstabentry='/dev/mapper/crypt-sda2 /mnt xfs noauto 0 0' Remember your passphrase! It is not recoverable! Sudo cryptsetup luksOpen /dev/sda2 crypt-sda2 Sudo apt-get install -y cryptsetup xfsprogsīefore you continue, make sure there is nothing valuable on /mnt because we’re going to replace it! sudo umount /mntĮncrypt the disk and create your favorite file system on it: sudo luksformat -t xfs /dev/sda2 Install tools and kernel modules: sudo apt-get update This walkthrough uses the /mnt ephemeral storage, but you can replace /mnt and /dev/sda2 with appropriate mount point and device for 64-bit instance types or EBS volumes. It has been tested on the 32-bit Ubuntu 9.10 Jaunty server AMI listed on and should work on other Ubuntu AMIs and even other distros with minor changes. The rest of this article presents a simple way to set up a level of encryption at the block device level using cryptsetup/LUKS. You can place any file system you’d like on top of the encrypted block interface and neither your application nor your file system realize that the hardware disk never sees unencrypted data. This can even be used on top of an s3fs file system letting you store encrypted data on S3 with ease.īlock device level. This includes useful packages like encfs which transparently encrypt files before saving to disk, presenting the unencrypted contents in a virtual file system. If you use this approach, make sure that you don’t store the unencrypted information on the disk before encrypting it.įile system level. This includes tools like GnuPG, freely available on Ubuntu in the gnupg package. There are a few levels where encryption can take place:įile level. This, even though they take pains to ensure that disk blocks are wiped between uses by different customers, and they implement policies which restrict access to disks even by their own employees. ![]() Over the years, Amazon has repeatedly recommended that customers who care about the security of their data should consider encrypting information stored on disks, whether ephemeral storage ( /mnt) or EBS volumes.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |