Encrypting Linux root and swap drives
Contents
- Introduction
- Requirements
- Getting ready to encrypt
- Selecting the root and swap disks for encryption
- Using the Linux Root Encryption Debugger
Introduction
In addition to encrypting regular data partitions, you can also encrypt your root and swap partitions. Encrypting root and swap partitions ensures that clear-text data never leaves the VM on its way to storage. This prevents virtualization and storage admins from being able to view the data.
Requirements
A separate boot disk is required on which the HyTrust software will be installed. This allows the system to boot and communicate with HyTrust KeyControl and get the necessary encryption keys. The encryption keys are used to boot and decrypt (on the fly) the Linux root disk / filesystem and encrypt/decrypt swap.
Make sure your version of Linux has a separate boot partition. If it does not you will need to create a separate boot disk.
If the Linux installation does not have separate boot partition, we recommend that you add a new disk device or create a free partition on the existing device. For example say the current Linux is installed on device/dev/sda and the GRUB stage1 bootloader is also installed on /dev/sda - this is a typical Linux installation. Assuming you add a new device named /dev/sdb to hold the new boot partition, you should create a partition on it using fdisk or sfdisk, and copy files from the original /boot filesystem. The method of copying files differs from one version of Linux to another. Please contact HyTrust technical support for technical notes on how to add boot partitions to different Linux versions.
Getting ready to encrypt
First of all, let's see what disks we currently have:
# hcl status Summary -------------------------------------------------------------------------------- KeyControl: 192.168.140.151:443 KeyControl list: 192.168.140.151:443 Status: Connected Registered Devices -------------------------------------------------------------------------------- Disk Name Clear Cipher Status -------------------------------------------------------------------------------- Available Devices -------------------------------------------------------------------------------- Disk Name Device Node Size (in MB) -------------------------------------------------------------------------------- Other Devices -------------------------------------------------------------------------------- Disk Name Device Node Status -------------------------------------------------------------------------------- sda3 /dev/sda3 Mounted (swap) sda2 /dev/sda2 Mounted (/boot) sda1 /dev/sda1 Mounted (/)
You can see that the VM is registered with the KeyControl server (Status shows Connected), there are the root (/) and swap devices that we want to encrypt and you can see that there is a separate boot disk. The root and swap disks are listed under Other Devices since they are in use. Usually, the hcl command is used to add/encrypt disks but root and swap are special cases and require use of the htroot command.
NOTE: Prior to starting the encryption the root disk, we require a reboot. It is imperative that either the IP address of the VM is static, or if you have dynamic IP addresses, you turn off re-authenticate on Change of IP address. For example, in the following figure:
We have a Linux VM called "ubuntu-12.04." If you do not have a static IP address, click the EDIT VIRTUAL MACHINE button and then towards the bottom of the next screen uncheck the Change of IP address button and click Apply. Thus, when the VM reboots it will still be able to authenticate. This is very important to understand. If you do not have a static IP address and the VM reboots during the root encrypt cycle, you could end up with a hung system.
If you fall victim to this problem (you have a dynamic address and you forgot to uncheck the box) you can still do so after the VM reboots.
We strongly recommend that you use static IP addresses (or DHCP with static) when using Linux root encryption.
Selecting the root and swap disks for encryption
Once you are certain that you have network IP address and authentication steps correct, it is time to select the disks for encryption. For this, you use the htroot command. For example, the following set of steps selects both root and swap devices for encryption. Note that it may take a little while to download and install any necessary packages that are needed.
# htroot encrypt Current Root device/ Boot device setup -------------------------------------------------------------------------------- Root device sda1 Root device path /dev/sda1 Boot partition device path /dev/sda3 swap device sda5 swap device path /dev/sda5 -------------------------------------------------------------------------------- Is this information correct? (y/n) y Do you want to encrypt swap? (y/n) y Do you want to enable debug console? (y/n) y Following network interfaces are available -------------------------------------------------------------------------------- eth0 Link encap:Ethernet HWaddr 00:0c:29:6e:fc:94 -------------------------------------------------------------------------------- Select the primary interface: eth0 With encrypted root device, KeyControl needs to be contacted during boot to get the encryption keys. IP address can be obtained using DHCP or can be statically configured now Use DHCP during boot? (y/n) y Setting up system for root device encryption. This operation may take a long time Do you want to proceed? (y/n) y Installing missing packages -------------------------------------------------------------------------------- cryptsetup hashalot initramfs-tools dropbear busybox -------------------------------------------------------------------------------- Please copy the keyfile /etc/initramfs-tools/root/.ssh/id_rsa to another machine This file will be used to access debug console using ssh example: # ssh -i id_rsa root@server.ip.addr Have you copied the key file? (y/n) y Re-structuring HyTrust specific directories Creating new menu entry in grub.conf Changing the "default" menu entry in grub.conf to the newentry Updating initramfs: /boot/initrd.img-3.11.0-12-generic.encrypted Changing /etc/fstab to mount the encrypted root device The system has been updated to encrypt the root device during next boot; please reboot the system now Do you want to reboot the system now? (y/n) y Broadcast message from root@13 (/dev/pts/0) at 17:20 ... The system is going down for reboot NOW! Connection to 192.168.140.133 closed by remote host.
Mostly, you will be confirming steps taken during the process. Once completed, you will be asked to confirm rebooting the system. Once rebooted, HyTrust DataControl will authenticate against the KeyControl server to get the required keys and then start the root encryption process. The length of time taken will depend on the size of the root disk and the type of storage you have. We recommend that you run on a system with AES-NI support which will decrease the amount of time to encrypt significantly.
Please take note of the question asked:
Do you want to enable debug console? (y/n)
We recommend you say y, in which case we will set up SSH access to the running system while encryption is taking place. Since encryption can take a fair amount of time, it is useful to have the ability to SSH to the server and view progress. We shall talk about debug access in the next section.
Once encryption of root has completed, you will be able to log in as you normally do. Subsequent boots take the normal amount of boot/reboot time.
Running hcl status will show that the root and swap disks are now under HyTrust control:
Registered Devices -------------------------------------------------------------------------------- Disk Name Clear Cipher Status -------------------------------------------------------------------------------- sda5 /dev/mapper/clear_sda5 AES-256 Attached '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT sda1 /dev/mapper/clear_sda1 AES-256 Attached '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
Recall that /dev/sda1 is the root device and /dev/sda5 is the swap device.
Here we show the clear path access to each of these devices through the /dev/mapper/clear_ interface.
You should not under any circumstance use the direct /dev/sdb interfaces, as you will be accessing the encrypted devices directly and could cause corruption.
You can also view the encrypted root and swap device through the GUI as with other disks:
Using the Linux Root Encryption Debugger
When the system reboots and starts encryption, you may want to enter the debug session to determine where the system is within the encryption process. You can SSH to the server using the key obtained earlier. For example, here we run SSH and show the menu that is displayed:
# ssh -i id_rsa root@192.168.140.133 Warning: Permanently added '192.168.140.133' (RSA) to the list of known hosts. BusyBox v1.20.2 (Ubuntu 1:1.20.0-8.1ubuntu1) built-in shell (ash) Enter 'help' for a list of built-in commands. HyTrust Debug Console 1. Show HT encryption log file 2. Authenticate 3. Show Network info 4. Restart Network 5. Advanced access 6. logout Action:
The first option is the most important. It will display the encryption status. For example, here are a few of the lines towards the end of the output:
-------------- KeyControl and status ------------------ 192.168.140.151:443 Connected ------------------------------------------------------- -------------- Encryption / Decryption status --------- Root device encryption Processing: 21% Time left: 00:13:53 -------------------------------------------------------
We can see that we are connected to the KeyControl server and that encryption is in progress. At this point, the operation is 21% complete and there are just under 14 minutes left.
You should not need to invoke any of the other operations unless required by HyTrust support.
Once encryption has completed, you will get the login prompt as you normally do.