Running a web server with an encrypted file system (all or part of it)
Solution 1
If you want full disk encryption, you have to enter the password during the boot phase, which probably is not what you want. I would recommend you create an encrypted partition using LUKS and put all the sensitive data on that partition. After the machine has booted, you can ssh into the box and unlock the partition.
As for how to do the encryption, it's very easy:
- Create the partition as you like.
- Format the partition with LUKS:
  cryptsetup -c twofish -y luksFormat /dev/sda4
- Unlock the partition with LUKS:
  cryptsetup luksOpen /dev/sda4 encwww
- Format the encrypted partition with a fs of your choice:
  mkfs.ext3 /dev/mapper/encwww
- You are done and can now mount /dev/mapper/encwww

To unlock the partition again after a reboot you need to do:
  cryptsetup luksOpen /dev/sda4 encwww
and then mount the partition.
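Added example, not part of the original answer: a script for the post-reboot step in Solution 1, run over SSH, that unlocks /dev/sda4 and starts the web server only after confirming the document root is really backed by /dev/mapper/encwww. The /var/www mount point is taken from the question; the apache2 service name, the function names, and the expectation that /proc/mounts lists the volume under its /dev/mapper path are assumptions.

```shell
#!/bin/sh
# Added example: unlock the encrypted web partition after boot and fail closed.
DEV=/dev/sda4     # partition used in the answer
NAME=encwww       # mapping name used in the answer
MNT=/var/www      # assumed mount point (directory named in the question)
SVC=apache2       # assumed service name; "httpd" on some distributions

# mount_source MOUNTPOINT [MOUNTS_FILE]
# Print the device currently backing MOUNTPOINT. The last matching line wins,
# because a later mount on the same directory shadows an earlier one.
mount_source() {
    awk -v mp="$1" '$2 == mp { src = $1 } END { if (src != "") print src }' \
        "${2:-/proc/mounts}"
}

# docroot_is_encrypted MOUNTPOINT NAME [MOUNTS_FILE]
# Succeed only if MOUNTPOINT is backed by /dev/mapper/NAME. An unmounted
# directory fails, so data cannot land on the plaintext root filesystem.
docroot_is_encrypted() {
    [ "$(mount_source "$1" "${3:-/proc/mounts}")" = "/dev/mapper/$2" ]
}

unlock_and_start() {
    cryptsetup isLuks "$DEV" || { echo "$DEV has no LUKS header" >&2; return 1; }
    # Open the mapping unless it already exists; cryptsetup prompts for the
    # passphrase on the terminal, so it is never stored in the image.
    [ -e "/dev/mapper/$NAME" ] || cryptsetup luksOpen "$DEV" "$NAME" || return 1
    docroot_is_encrypted "$MNT" "$NAME" || mount "/dev/mapper/$NAME" "$MNT" || return 1
    # Re-check after mounting and refuse to start the server otherwise.
    docroot_is_encrypted "$MNT" "$NAME" || {
        echo "$MNT is not on /dev/mapper/$NAME, not starting $SVC" >&2
        return 1
    }
    service "$SVC" start
}

# Nothing runs unless a mode is given, e.g. "sh unlock-www.sh unlock" as root.
case "${1:-}" in
    unlock) unlock_and_start ;;
    check)  docroot_is_encrypted "$MNT" "$NAME" ;;
esac
```

Disable the web server's automatic start at boot so that this script is the only thing that starts it; otherwise it can come up against the empty, unencrypted directory underneath the mount point.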
Solution 2
cryptsetup and dm-crypt aren't available on standard Linux distributions and it is quite an exotic solution; you should try doing it the normal way:
modprobe loop
modprobe cryptoloop
modprobe aes
dd if=/dev/urandom of=/yourContainerFile bs=`expr 1024 \* 1024 \* 1024` count=yourSizeInGigaBytes
losetup -e aes-256 /dev/loop0 /yourContainerFile
mkfs.ext3 /dev/loop0
aaand now you're ready to mount /dev/loop0 wherever you like - strong encryption, done correctly; you could even config your fstab in a way which allows the encryption-key to be read from a USB-stick which has to be plugged in @ boot ... way more flexible AND secure --> Never follow guides which use "twofish" or something similar as encryption ... this algorithm is not yet fully analyzed, nobody knows if it is secure.
Oh and: if you want security beyond the scope and power of secret agencies: use /dev/random instead. The entropy-gathering daemon of Linux delivers statistically "good" values, but it is very slow.
And if you're really paranoid, buy yourself a device which is able to receive & measure cosmic background radiation, connect it to your computer and let it write to /dev/random :-D
Gaff
Updated on September 17, 2022
Comments
-
Gaff over 1 year
I need a webserver (LAMP) running inside a virtual machine (#1) running as a service (#2) in headless mode (#3) with part or the whole file system encrypted (#4).
The virtual machine will be started with no user intervention and provide access to a web application for users in the host machine. Points #1,#2 and #3 are checked and proved to be working fine with Sun VirtualBox, so my question is for #4:
Can I encrypt all of the file system and still access the webserver (using a browser) or will GRUB ask me for a password?
If encrypting all of the file system is not an option, can I encrypt only /home and /var/www? Will Apache/PHP be able to use files in /home or /var/www without asking for a password or mounting these partitions manually?
-
Admin about 14 years
Why do you want to do this?
-
Admin about 14 years
Ship an image to customer with sensitive data - our client wants this data to be accessible only through the web browser
-
Admin about 6 years
You might also want to consider encrypting the area of the file system where your website database is stored. I am assuming, of course, that your site uses a database, as many kinds do, e.g. WordPress, Drupal and other framework/cms. The database process, e.g. from mysql or maria, will store the db in the file system as files somewhere. +1 Nice question.
-
Admin about 6 years
You might also want to consider encrypting your swap as well. Here is an example: askubuntu.com/questions/463661/…
-
Breno Macena over 10 years
Based on your answer, I don't see what's preventing a rogue process that has gained root access from running those commands and seeing your sensitive data. Can you explain?
-
Breno Macena over 10 years
According to en.wikipedia.org/wiki/Cryptoloop, dm-crypt prevents a certain vulnerability (watermarking) that is seen with cryptoloop. What are your thoughts on that?
-
urmurmur over 10 years
@trusktr No, the process would not, because it does not know the password. But after you enter your password it would be able to read all the files. If you have a rootkit on your computer you have, of course, far more problems at hand.
-
therobyouknow about 6 years
+1 Nice answer, I will apply that for my own needs. I will also consider how to encrypt the area where the database is stored and feedback if I can. This matter seems like it will become more pertinent given forthcoming GDPR legislation.
-
SaidbakR about 6 years
@TimSchumacher So every time the server needs to reboot, the sudo password is needed to mount or to decrypt the content, isn't it?