
How to protect your data

We consider the situation in which intruders (or "pioneers") can get hold of your server for detailed study.

Main idea

Implementation


The solution is built on LVM and encryption using LUKS.

Logical Volume Manager (LVM) is a very powerful volume management system for Linux. It lets you create logical volumes on top of physical partitions (or even whole, unpartitioned hard drives), which the system sees as ordinary block devices holding data, that is, as ordinary partitions. The main advantages of LVM are, first, that one volume group can be created on top of any number of physical partitions, and second, that the size of a logical volume can easily be changed while the system is running. In addition, LVM supports snapshots, on-the-fly partitioning and RAID-1-style mirroring.

The device-mapper module dm-crypt implements the crypt mapping method: a virtual block device (/dev/mapper/luks-UUID) is mapped onto an underlying block device (possibly itself virtual) or onto a file (through a loopback device), with encryption that is transparent to the user, using the Linux 2.6 crypto API. For the mapping one specifies the algorithm and symmetric encryption method (AES), the key, and the mode of generating the initialization vector. When writing to the virtual device, the data is encrypted before it is written to the underlying block device; when reading from the virtual device, the previously encrypted data is read from the underlying block device and decrypted. The format of the metadata coincides with that of cryptoloop. It can work over a loop device (an encrypted file system inside a file). The file system on the virtual device is created in the usual way.
The system is installed in the desired configuration. In my case it is a not very (even very not very) powerful computer with Ubuntu and PostgreSQL as the DBMS. We install LVM support and cryptsetup. All the commands below are, naturally, run as root.

Set up encryption on the partition we need (in my case /dev/sda3, with the mapping name bblab1s):
cryptsetup -y -s 256 -c aes-cbc-essiv:sha256 luksFormat /dev/sda3
Open the encrypted partition (it appears as /dev/mapper/bblab1s):
cryptsetup luksOpen /dev/sda3 bblab1s
Create a physical volume on it and the volume group bblab:
pvcreate /dev/mapper/bblab1s
vgcreate bblab /dev/mapper/bblab1s
Carve logical volumes out of it (the size is given after -L):
lvcreate -L 32G -n swap bblab
lvcreate -L 16G -n tmp bblab
lvcreate -L 1000G -n varps bblab
lvcreate -L 16G -n varlg bblab
lvcreate -L 256G -n home bblab
Format the volumes we need:
mkswap /dev/bblab/swap
mkfs.ext4 /dev/bblab/tmp
mkfs.ext4 /dev/bblab/varps
mkfs.ext4 /dev/bblab/varlg
mkfs.ext4 /dev/bblab/home
I found it necessary to hide swap, /tmp, /var/log/, /var/lib/postgresql and /home. In /boot/grub/grub.cfg, on the line beginning with linux ..., we add the options text nomodeset so that everything boots in text mode. I also set up openssh-server for ssh access and acpi-support so that the power button shuts the machine down. Block writing to .bash_history, for example by making it read-only or in any other way. After that you can disconnect everything from the computer. All I have left is the computer itself, the power cord and the network connection.

When you turn the computer on, it is a clean system: you can go on the network and do something with it. But now you need to work with PostgreSQL, or run KDE via neatx-server and, under it, VirtualBox with some terribly expensive program. You write an SMS, or call on Skype or Google, to that distant person who knows the passwords and sits in a country with a big bureaucracy. He, for example, executes the following commands on your server through an ssh terminal on his Android phone.

Opens the encrypted partition (here he has to enter its password):
cryptsetup luksOpen /dev/sda3 bblab1

Stops PostgreSQL and synchronizes the disks:
service postgresql stop
sync
sleep 5

Mounts the necessary partitions and starts PostgreSQL:
swapon /dev/bblab/swap
mount /dev/bblab/tmp /tmp
chmod ugo+rwxt /tmp
mount /dev/bblab/varlg /var/log/
mount /dev/bblab/varps /var/lib/postgresql
mount /dev/bblab/home /home
service postgresql start
Everything works. After the computer is switched off, for example with the button, the enemies will find nothing; it will even be very hard for them to understand that there might be something there.

P.S.


Of course, you can do without an external person and become the weakest link yourself. To do this you can use the following script:
#!/bin/sh
# Stop at the first failing command: if luksOpen fails (wrong password),
# we must not go on and start PostgreSQL on the unencrypted root disk.
set -e

# Open the LUKS container; cryptsetup asks for the passphrase here.
cryptsetup luksOpen /dev/sda3 bblab1
# Stop the DBMS and flush pending writes before swapping its data directory.
service postgresql stop
sync
sleep 5

# Activate swap and mount the logical volumes over the plain directories.
swapon /dev/bblab/swap
mount /dev/bblab/tmp /tmp
chmod ugo+rwxt /tmp
mount /dev/bblab/varlg /var/log/
mount /dev/bblab/varps /var/lib/postgresql
mount /dev/bblab/home /home
service postgresql start
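The weak point of both the manual unlock sequence and the script above is the step between opening the container and starting PostgreSQL: if luksOpen was refused or one mount was skipped, PostgreSQL quietly starts on the unencrypted root file system and recreates its data directory in plaintext. The guard below is an added example and not code from the article. It reads a mounts table in the format of /proc/mounts and reports every directory that is not backed by a logical volume of the encrypted volume group; the volume group name bblab and the mount points are the ones from the article, and the mounts table embedded in the block is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original article): a pre-start guard for the
# unlock script. It checks that every directory we wanted to hide is mounted
# from a logical volume of the encrypted volume group, so that PostgreSQL is
# never started on the plain root disk when "cryptsetup luksOpen" or a mount
# has failed. The VG name "bblab" is taken from the article.

VG=bblab

# In /proc/mounts a logical volume "tmp" of volume group "bblab" shows up as
# /dev/mapper/bblab-tmp (the device-mapper name), not as /dev/bblab/tmp.
# (LVM doubles a "-" inside VG or LV names in that device name; the names
# used in the article contain none.)

# mounted_from MOUNTS_FILE MOUNTPOINT
#   prints the source device of the mount on MOUNTPOINT (the last matching
#   line wins, which is the topmost of stacked mounts), or nothing if the
#   directory is not a mount point.
mounted_from() {
    awk -v mp="$2" '$2 == mp { dev = $1 } END { print dev }' "$1"
}

# on_encrypted_vg MOUNTS_FILE MOUNTPOINT
#   succeeds only if MOUNTPOINT is mounted from /dev/mapper/<VG>-<lv>.
on_encrypted_vg() {
    dev=$(mounted_from "$1" "$2")
    case "$dev" in
        /dev/mapper/"$VG"-*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_all MOUNTS_FILE DIR...
#   prints one report line per directory; the return value is the number of
#   directories that are NOT on the encrypted volume group (0 = safe to
#   start services).
check_all() {
    mounts=$1
    shift
    bad=0
    for d in "$@"; do
        if on_encrypted_vg "$mounts" "$d"; then
            echo "ok      $d ($(mounted_from "$mounts" "$d"))"
        else
            echo "MISSING $d (not on volume group $VG: data would be written in plaintext)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample in /proc/mounts format: root on plain /dev/sda1, three
# volumes unlocked and mounted, /home forgotten (so it would stay on the
# unencrypted root file system).
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/bblab-tmp /tmp ext4 rw,relatime 0 0
/dev/mapper/bblab-varlg /var/log ext4 rw,relatime 0 0
/dev/mapper/bblab-varps /var/lib/postgresql ext4 rw,relatime 0 0
EOF

# On the real machine, put this line in the unlock script right before
# "service postgresql start":
#   check_all /proc/mounts /tmp /var/log /var/lib/postgresql /home || exit 1
# Demonstration on the constructed table: reports /home as MISSING, returns 1.
check_all "$SAMPLE_MOUNTS" /tmp /var/log /var/lib/postgresql /home
echo "directories not on encrypted storage: $?"
```

The check deliberately looks at the device-mapper name rather than at the mount options, because an ext4 mount on /var/lib/postgresql looks identical in /proc/mounts whether it sits on the encrypted volume or on the root disk; only the source device tells them apart. Swap can be verified the same way against /proc/swaps.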

Links


Linux Volume Manager (LVM)
Bog BOS: Block Device Encryption in Linux (dm-crypt, LUKS, cryptsetup)

Source: https://habr.com/ru/post/240097/