Running a web server with an encrypted file system (all or part of it)


Solution 1

If you want full disk encryption, you have to enter the password during the boot phase, which probably is not what you want. I would recommend you create an encrypted partition using LUKS and put all the sensitive data on that partition. After the machine has booted, you can ssh into the box and unlock the partition.

As for how to do the encryption, it's very easy:

  • Create the partition as you like
  • Format the partition with luks:

    cryptsetup -c twofish -y luksFormat /dev/sda4
    
  • Unlock the partition with luks:

    cryptsetup luksOpen /dev/sda4 encwww
    
  • Format the encrypted partition with a fs of your choice:

    mkfs.ext3 /dev/mapper/encwww
    
  • You are done and can now mount /dev/mapper/encwww

To unlock the partition again after a reboot you need to do:

    cryptsetup luksOpen /dev/sda4 encwww

and then mount the partition.
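
Added example, not part of the original answer: a helper for the post-reboot step described above. It opens the LUKS mapping, mounts it, and starts the web server only once the mount is in place, so Apache never serves from the empty, unencrypted mount point. `/dev/sda4` and `encwww` come from the answer; the mount point `/var/www`, the `apache2` unit name and the function names are assumptions.

```sh
#!/bin/sh
# Added example: post-reboot unlock helper for the LUKS partition above.
# /dev/sda4 and encwww are from the answer; /var/www and apache2 are assumed.
DEV=${DEV:-/dev/sda4}
NAME=${NAME:-encwww}
MNT=${MNT:-/var/www}
SVC=${SVC:-apache2}
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# State probes, kept as functions so they can be stubbed when testing.
is_open()    { [ -e "/dev/mapper/$NAME" ]; }
is_mounted() { grep -qs " $MNT " /proc/mounts; }

unlock_and_serve() {
    # 1. Open the container; cryptsetup prompts for the passphrase on the SSH tty.
    if ! is_open; then
        run cryptsetup luksOpen "$DEV" "$NAME" || return 1
    fi
    # 2. Mount it and verify, so the service never starts on the bare
    #    (unencrypted) directory underneath the mount point.
    if ! is_mounted; then
        run mount "/dev/mapper/$NAME" "$MNT" || return 2
        if [ "$DRY_RUN" != 1 ] && ! is_mounted; then return 2; fi
    fi
    # 3. Only now start the web server.
    run systemctl start "$SVC" || return 3
}

lock_again() {
    run systemctl stop "$SVC"
    if is_mounted; then run umount "$MNT" || return 1; fi
    if is_open; then run cryptsetup luksClose "$NAME" || return 1; fi
}

case "${1:-}" in
    unlock) unlock_and_serve ;;
    lock)   lock_again ;;
esac
```

Run as root over SSH with `DRY_RUN=0` and the argument `unlock` (or `lock`); with the default `DRY_RUN=1` the script only prints the commands it would run. The web server unit should be disabled at boot so that only this helper starts it.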

Solution 2

cryptsetup and dm-crypt aren't available on standard Linux distributions and it is quite an exotic solution; you should try doing it the normal way:

    modprobe loop
    modprobe cryptoloop
    modprobe aes

    dd if=/dev/urandom of=/yourContainerFile bs=`expr 1024 \* 1024 \* 1024` count=yourSizeInGigaBytes

    losetup -e aes-256 /dev/loop0 /yourContainerFile

    mkfs.ext3 /dev/loop0

aaand now you're ready to mount /dev/loop0 wherever you like - strong encryption, done correctly; you could even config your fstab in a way which allows the encryption-key to be read from a USB-stick which has to be plugged in @ boot ... way more flexible AND secure --> Never follow guides which use "twofish" or something similar as encryption ... this algorithm is not yet fully analyzed, nobody knows if it is secure.

Oh, and if you want security beyond the scope and power of secret agencies, use /dev/random instead. The entropy-gathering daemon of Linux delivers statistically "good" values, but it is very slow.

And if you're really paranoid, buy yourself a device which is able to receive & measure cosmic background radiation, connect it to your computer and let it write to /dev/random :-D


Author: Gaff

Updated on September 17, 2022

Comments

  • Gaff over 1 year

    I need a webserver (LAMP) running inside a virtual machine (#1) running as a service (#2) in headless mode (#3) with part or the whole file system encrypted (#4).

    The virtual machine will be started with no user intervention and provide access to a web application for users in the host machine. Points #1,#2 and #3 are checked and proved to be working fine with Sun VirtualBox, so my question is for #4:

    Can I encrypt all of the file system and still access the webserver (using a browser) or will GRUB ask me for a password?

    If encrypting all of the file system is not an option, can I encrypt only /home and /var/www? Will Apache/PHP be able to use files in /home or /var/www without asking for a password or mounting these partitions manually?

    • Admin about 14 years
      Why do you want to do this?
    • Admin about 14 years
      Ship an image to a customer with sensitive data - our client wants this data to be accessible only through the web browser
    • Admin about 6 years
      You might also want to consider encrypting the area of the file system where your website database is stored. I am assuming, of course, that your site uses a database, as many kinds do, e.g. WordPress, Drupal and other framework/cms. The database process, e.g. from mysql or maria will store the db in the file system as files somewhere. +1 Nice question.
    • Admin about 6 years
      You might also want to consider encrypting your swap as well. Here is an example: askubuntu.com/questions/463661/…
  • Breno Macena over 10 years
    Based on your answer, I don't see what's preventing a rogue process that has gained root access from running those commands and seeing your sensitive data. Can you explain?
  • Breno Macena over 10 years
    According to en.wikipedia.org/wiki/Cryptoloop, dm-crypt prevents a certain vulnerability (watermarking) that is seen with cryptoloop. What are your thoughts on that?
  • urmurmur over 10 years
    @trusktr no the process would not, because it does not know the password. But after you enter your password it would be able to read all the files. If you have a rootkit on your computer you have of course far more problems at hand.
  • therobyouknow about 6 years
    +1 Nice answer, I will apply that for my own needs. I will also consider how to encrypt the area where the database is stored and feedback if I can. This matter seems like it will become more pertinent given forthcoming GDPR legislation.
  • SaidbakR about 6 years
    @TimSchumacher So every time the server needs to reboot, the sudo password is needed to mount or to decrypt the content, isn't it?