Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: How Would You Implement Site-Wide File Encryption?

Posted by EditorDavid on from the news-for-network-operators dept.

Recently-leaked CIA documents prove that encryption works, according to the Associated Press. But how should sys-admins implement site-wide file encryption? Very-long-time Slashdot reader Pig Hogger writes: If you decide to implement server-level encryption across all your servers, how do you manage the necessary keys/passwords/passphrases to insure that you have both maximum uptime (you can access your data if you need to reboot your servers), yet that the keys cannot be compromised... What are established practices to address this issue?
Keep in mind that you can't change your password once the server's been seized, bringing up the issue of how many people know that password. Or is there a better solution? Share you suggestions and experiences in the comments. How would you implement site-wide file encryption?

24 of 151 comments (clear)

  1. Virtual Private Raid by Zemran · · Score: 2, Interesting

    I wish that someone would develop a version of raid for use with servers. Have 3 VPSs in Switzerland, Russia and Holland and each one gets only a 3rd of each file. The chances of any government seizing all 3 is zero.

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
    1. Re: Virtual Private Raid by Zemran · · Score: 2

      It can be RAID as high as you like as RAID 10 could still be hosted on 3 servers. The idea is to make any one site irrelevant but the data secure.

      --
      I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
    2. Re: Virtual Private Raid by flargleblarg · · Score: 3

      But the chance of losing your data is triple.

      I was about to say, "That's not how probability works!" but it turns out that you are actually correct.

      If each site has a 1% chance of being seized, then it means each site has a 99% chance of not being seized. Multiplying these probabilities together gives .99^3 = .970299 or about a 97.03% chance that no site will be seized — which means that you've got about a 3% chance of having one or more site seized.

      The key here is that 1 – (1 – x)^3 is very close to 3x for small x.

    3. Re:Virtual Private Raid by Anonymous Coward · · Score: 4, Informative

      I wish that someone would develop a version of raid for use with servers. Have 3 VPSs in Switzerland, Russia and Holland and each one gets only a 3rd of each file. The chances of any government seizing all 3 is zero.

      GlusterFS supports striping across volumes that can be hosted on different servers: https://gluster.readthedocs.io/en/latest/Quick-Start-Guide/Architecture/

    4. Re: Virtual Private Raid by fluffernutter · · Score: 2

      That can end badly unless you are very, very careful. At the least you need a battery backup so the raid can write out in the event of a power outage. I had my mdadm raid kick a drive out of the array when another one failed and it couldn't be brought back in again. Fortunately I was able to revive the drive and get back all but a handful of files but it was scary enough that I wouldn't use software raid again. Hardware raid is worrisome because you need to be able to purchase the same hardware you had before so not wise to do without a support contract.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    5. Re: Virtual Private Raid by Thor+Ablestar · · Score: 2

      1. You could boot the system from the flash drive that is removed after boot. The part of the key resides on the same flash, the second part is entered. It's quite possible to do, at least for FreeBSD. THEY need both a keylogger in a keyboard or bios and a seizure of the boot flash. Additionally there is no place on the disk where THEY could implant a child pornography if THEIR other efforts fail.
      2. You could setup the security system that signals the systems to erase the keys and shutdown on intrusion so you can be sure that your keyboard is not compromised after you buy it.
      3. I've read somewhere (maybe on Slashdot or Habrahabr.ru) that there exists an open source utility to check the authenticity of your BIOS. So BIOS keyloggers can also be caught.

    6. Re:Virtual Private Raid by ckatko · · Score: 2

      I used to run a secure, encrypted server... until I took an arrow to the knee...

    7. Re:Virtual Private Raid by GameboyRMH · · Score: 3, Informative

      Sounds like Tahoe-LAFS.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    8. Re:Virtual Private Raid by PhunkySchtuff · · Score: 2

      What you want for this is some variation on Shamir's Secret Sharing algorithm. Yes, he's the Shamir in RSA.
      https://en.wikipedia.org/wiki/...
      What this does is break a secret up into n different parts, but unlike raid, you can break it up in such a way that there is a threshold for the number of parts required to reconstruct the secret. So, for example, you could break a secret up into 6 parts and specify that any 4 parts will reconstruct the original data. If you have only 3 parts, then the secret is completely unknown (not just partially known).

      --
      Specialist Mac support for creative pros, Melbourne
  2. Full Spectrum Problem by packrat0x · · Score: 3, Insightful

    The choices include encrypting files (tar/gz/bz archives), directories, whole user directories, whole physical volumes, whole logical volumes, etc. One large enrypted volume means single point of failure: One key/password gives access to every file. More divisions means more keys/passwords, but less access if one is compromised. Therefore, server level encryption is appropriate if one person is responsible for the entire contents on the server(s).

    --
    227-3517
    1. Re:Full Spectrum Problem by currently_awake · · Score: 2

      Ensure that ONLY the users of the data have the keys, with all encryption/decryption done on the users computer. If the users computer is compromised they already have full access, but there is no reason to give the server farm maintainers access. Have different keys for each user of the system. A shared drive/folder with shared keys can allow easy file transfers between users, because if you don't make it easy they will use sneakernet or email to transfer unencrypted files.

    2. Re:Full Spectrum Problem by Pig+Hogger · · Score: 2

      I’ve been thinking about a “tilt” switch for servers; as soon as you move the server, bang! it shuts down at once.

    3. Re: Full Spectrum Problem by Aaron+B+Lingwood · · Score: 2

      Usb devices? The os, and therefore you, decides what happens when usb devices connect.

      Nope. USB operates at a lower level than the OS. USB is capable of talking to other pieces of hardware without the OS's involvement (or knowledge). USB even has Direct Memory Access.

      Usb is not a magic backdoor, unless your os is seriously flawed.

      Yes it is. Many OSes even cooperate by providing APIs for forensic/diagnostic/recovery tools that operate via USB.

      Most oses will not autoexec something on an usb stick, for example.

      Most oses will not autoexec something on a valid USB stick. The BIOS will though. And just because something is connected via USB doesn't mean it has to tell the truth about what it is. The stick could present as a drive AND a keyboard, with the keyboard inputting commands to run a file on the drive.

      The USB can be used to dump memory (and keys) using various methods, the simplest but least effective method is the Cold Boot Attack. DMA Attacks have become more straightforward with USB 3.1 as the controller now has DMA instead of just the PCI it is connected to.

      --
      [Rent This Space]
  3. LUKS by Anonymous Coward · · Score: 2, Interesting

    - Linux servers
    - LUKS full-disk encryption
    - All network traffic tunneled tunneled through some form of SSL (e.g. SSH or OpenVPN) with client authentication, and a decent IDS.
    - Tiny custom binary in the initramfs that loads the "password" (a random 1024 bit binary string) from a USB serial device
    - BIOS boot options locked down (no removable media boot, password required to change settings)
    - Arduino with 6x AA batteries for power backup, a 3-axis accelerometer/gyro, an ambient light sensor & the sensor from an optical mouse, riveted to the inside of the chassis' outer shell, with a small hole in the bottom of the case for the optical sensor.
    - As long as the Arduino is undisturbed (i.e. registers no movement or sudden change in lighting level) it will provide the decryption key on request, so the server can boot up unattended.
    - As soon as the Arduino registers a disturbance (e.g. somebody moves or opens the computer case to reset the BIOS) it wipes the key from RAM and for the next boot you need to fetch a non-volatile copy of the key from a safety deposit box.

    You can seize the servers, but by doing so you effectively render the data inaccessible, and nobody's going to remember the random 1024-bit binary string you need to decrypt one of them.

    1. Re: LUKS by johnwallace123 · · Score: 2

      That sounds really complex, and potentially expensive as the number of devices scales. Also, fragile and difficult to maintain.

      The easiest way is just use LUKS and a secure passphrase.

      If you want to restrict knowledge of the passphrase to admins but allow users to reboot, that's a harder problem. However, If you have a TPM chip, you can use it to secure a random LUKS passphrase that unlocks only in a verified clean boot. You'll need trustedGRUB and tpm-luks, but it does secure against fairly sophisticated attacks. It even allows someone to have physical access to the machine WITHOUT having total access.

      If you're concerned about the CIA/NSA/FBI/TLA coming into your space and performing a cold boot attack, this won't help, but then again, there are very few technological defenses against a determined nation state adversary.

  4. Trying to draw the specification for this or not . by burni2 · · Score: 5, Interesting

    If you decide to implement server-level encryption across all your servers,

    This is basically simple you can build a server that does all encryption in ram, meaning the OS is loaded once then the encryption key is used to have it decrypt the content for the outside.

    To stop tempering you could setup such a server yourself and equip it with various sensors that detect presence of people or tempering, and if detected it could shut down not compromising the encryption key to forensics.

    Firewire(because of its DMA) needs to be disabled and unkown devices need to trigger a shut down event and must otherwise be ignored

    con:
    However this type of server would still emit the key data as radio spectrum.

    con2:
    The requesters question is quite sketchy, I suggest writting a specification first with the neccessary "must haves" and possible use cases.

    my iscsi-encryption approach
    So I can only explain my private approach, I got a root server with big harddrives and those harddrives are exported via iscsi that iscsi-connection is tunneled through ssh.

    I de-/encrypt & mount the drives only on my home server and sync the directories with rsync. The harddrives are double encrypted meaning I have two encryption devices and two dependend keys.

    This sounds slow, but it isn't I get nearly the full upload bandwith of my connection.

    Meaning my root server never "knows" what data is backed up on it - its a "dumb" server

    I would suggest a similar approach for the requesters situation, because it solves a first step, separating the encryption key from the encrypted data.

    And a second step having two encryption keys making it more difficult to get all two if separated (which is contrary to my use case)

    I would expand my approach there to have a "data" server, a level1 encryption server and a level2 encryption server.

    level1 decryptes the first encryption layer and level2 does it with the data provided by level1

    Usecase:
    If only the data server is seized, shut down at least one of the intermediate servers along with its key and the data is inaccessible. And it doesn't matter which "key keeper" server you kill, its a fail-one-fail-all system.

    The drawback is however the level2 encryption server shall not be compromised, because there all pure data is accessible.

    encrypted backup
    With todays highspeed connectivity the servers can be backed up by just cloning the harddrives over iscsi for example, that works quite well.

    another idea
    Most encryption providers from linux and bsd provide the possiblity of having more than one master key.

    Iscsi can also work on image files so you can provide many independed iscsi-volumes and encrpytion can be outsourced to the users computers.

  5. Re:Nothing useful in standard system directories by EmeraldBot · · Score: 3

    Because by encrypting everything, you A. prevent an attacker from knowing the layout and structure of the filesystem and B. prevent anybody from tampering with your binaries without knowing the password. For example, you don't have to worry a police agent alters /bin/ls or so behind your back, and nuking just the bootloader is much easier than trying to replace the entire unencrypted filesystem afterwards.

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
  6. It depends what you mean by 'site wide' by Assmasher · · Score: 2

    If you want your files encrypted 'at rest' so that if someone comes and pulls your HDD (or software equivalent) then you can implement a strategy similar to:

    (a)Encrypt all content with individual symmetric keys (one key per piece of content) - prefix each piece of content with a key ID (for key lookup on exit) - there are many ways to associate content with a key - prefixing is just the simplest
    (b)Encrypt those keys (which you'll need stored locally for performance reasons) with a randomly generated one-time pad stored on a removable hardware device (HSM/USB for example)
    (c)Decrypt files as appropriate as they exit your webserver - observe the key ID of the content, ask a process on your machine to give you the symmetric key for that ID, decrypt the content, send it back to the requesting connection.

    Don't store the master key and/or one time pad locally, simply have a daemon/service/long running process on your web server require (at startup) you to plugin your hardware device (e.g. read a file from a mount that is only there when you plug the thing in.) This means that stealing the content doesn't do them much good (if they crack a key it's only for that particular piece of content, they'll have to crack lots of keys), and if they get the locally stored symmetric key file it doesn't do them much good either because you're protecting that with a VERY strong key and/or cipher which is stored air-gapped - they'd have to not only steal all the files involved, they'd have to inject into the service/daemon that issues symmetric keys.

    This type of approach has performance implications of course, and to make it truly close to unbreakable requires more specifics (process injection prevention, signing and impersonation attack prevention, both on the key request side and the service/daemon unlocking scheme, et cetera) - this would be quite a discouraging system to attempt to break.

    My $0.02, YMMV

    --
    Loading...
  7. hire someone by ooloorie · · Score: 4, Insightful

    How Would You Implement Site-Wide File Encryption?

    Hire someone who knows what they are doing. Seriously, if this is for a business, there are lots of complex issues with compliance and audits in addition to availability and the possibility of sabotage. And this causes enough work that you'll probably need to hire someone anyway, so it might as well be someone who knows this stuff.

    Dealing with those requires experience. And the very first thing you need to come to terms with is: what risks are you actually trying to protect against? What tradeoffs are you willing to make and what risks (mainly of data loss) are you willing to accept? How much are you willing to spend on this?

  8. Re:Nothing useful in standard system directories by Thor+Ablestar · · Score: 2

    Because the file /usr/bin/child_pornography.jpg could magically appear out of nowhere if your filesystem is in wrong hands.

  9. Illegal? Could be medical records ... by fygment · · Score: 2

    ... or any other personal confidential data. Or maybe company IP. There's a pretty broad legal use-case if you think about it.

    --
    "Consensus" in science is _always_ a political construct.
  10. Clevis & Tang by npmccallum · · Score: 2

    Disclaimer: I am the author of the following projects. At Red Hat, we have been researching this problem for the last few years. This has resulted in the creation of the Clevis[1] & Tang[2] projects for automating decryption. This currently ships in Fedora and we plan to ship it in a future RHEL release. This project currently supports both root volumes and removable storage, as well as any other data you want to encrypt and then automatically decrypt. We are working on adding support for non-root volumes as well. For a video on the problem of automated decryption and the architecture of Clevis & Tang, see my recent talk at FOSDEM: Securing Automated Decryption[3]. [1]: https://github.com/latchset/cl... [2]: https://github.com/latchset/ta... [3]: https://fosdem.org/2017/schedu...

  11. Turn off IPS/IDS etc. by Drishmung · · Score: 2

    Just turn off all IPD/IDS, firewall and anti-virus. In an hour or so the ransomware should have the entire site thoroughly encrypted.

    --
    Protoplasm. Quiet Protoplasm. I like quiet protoplasm.
  12. So by BitztreamNotARealNam · · Score: 2

    How's life in the hypocrite lane?