1. Home
  2. Training Library
  3. Linux Security and Hardening | CSL4 A3.1 |

Disk Encryption

Start course
3h 21m

In this section, you’ll take a deep dive into Linux security. You’ll build your knowledge and skills through a comprehensive overview of the key areas that you need to know to secure Linux systems.

You’ll begin with Linux security in general before moving on to physical security and the countermeasures you can employ to protect your hardware. From there, you’ll explore authentication systems and the various account types on a Linux system, and how to secure each one. You'll also learn how to enforce strong passwords and manage account and password expirations.

In the networking section, you'll learn how to secure network services that run on Linux systems. You'll also learn how the local firewall works in Linux and how to configure it. You’ll learn about file system security and how permissions work in detail, including special modes, file attributes, and ACLs. You'll also discover what rootkits are, how to detect them, and how to remove them.

You’ll also find several security resources you can use to continue your security education and stay on top of the latest security issues for Linux distributions.

There are several knowledge checks as you go through these resources. These will help you identify any areas that you might need or want to review. At the end you’ll find a final exam, where you can test yourself on what you’ve learnt.

Learning Objectives

  • Get a general view of Linux security including roles, network services, encryption, accounts, and multifactor authentication
  • Learn specific strategies for mitigating physical security risks and protecting your Linux systems against the most common physical attacks
  • Learn about data encryption and how to implement it on new Linux systems, as well as those that are already in service
  • Understand the different types of accounts you'll find on a Linux system and the special precautions you need to take with each account type
  • Learn how to enforce good password security practices on your Linux systems
  • Learn about multi-factor authentication and how it can be implemented in Linux
  • Learn techniques and strategies to secure network services
  • Learn how to secure your files and directories on Linux through permissions, data sharing, special modes, file attributes, ACLs, and rootkits

If you don't want someone to easily read or alter the data on your system's disk, then you should encrypt it. When you encrypt your data it looks like a large blob of random data. For example, if you were to encrypt the text, letmein123 it might look like the seemingly random series of letters and numbers displayed on your screen. The OS can operate on this nonsensical data. So after you encrypt your data you need to allow the operating system and its applications access to that data in a way that can be understood by them. In short, the OS needs access to the decrypted or unlocked form of that data. To unlock the encrypted data, a user needs to supply some sort of secret information. This can be a passphrase or a key file. In some cases, this passphrase or key is used to encrypt and decrypt the data. In other cases, it's used to unlock the master key that is used to do the actual encryption and decryption. In any case, it's stored in memory for as long as the encrypted device is mounted. If you're going to use a passphrase, it's important to point out the significance of that passphrase. This passphrase or password is the weak link. If it's an easily guessed password then the encryption is useless. So don't write the passphrase on a sticky note and post it on the front of your server. And don't use easy to guess and common passwords like one, two, three, four, five, six and let me in. Dm-crypt which stands for device mapper crypt is a kernel level encryption subsystem that provides transparent disk encryption. That means that the files are available immediately after mounting a file system that resides on a dm-crypted device. Dm-crypt creates a new block device in /dev/mapper. Any writes to that device will be encrypted and any reads will be decrypted because dm-crypt encrypts blocked devices the encryption is happening below the file system layer. This means that you can use a dm-crypted device just like you would any other block device. You can put a file system directly on that block device or you can use it as part of an LVM, Logical Volume Manager setup. You don't have to worry about encrypting or decrypting. It's transparent to you as a user or system administrator once the initial setup is performed. Here is a diagram that illustrates this concept. Starting at the bottom, the physical block device, the disk is accessed through its device file located at /dev/sda2. If you configure that device to be a dm-crypted device, a new virtual block device file would be created. And this example that devices /dev/mapper/home. That virtual block device could be used like any other block device. Here we created an EXT4 file system directly on that device. Finally, that file system was mounted on /home. When you create a file in /home the file system will take care of all the details of how to store that file on the underlying block device of /dev/mapper/home. Any writes to /dev/mapper/home are encrypted by dm-crypt and written to the underlying physical disk. This is totally transparent. The file system doesn't need to know anything about the encryption. It just used a virtual block device like any other block device. The encryption and decryption is taken care of by dm-crypt. Writes are encrypted by dm-crypt and reads are decrypted by it. LUKS which stands for Linux Unified Key Setup is a standard for Linux disk encryption and is compatible across different distributions. LUKS is really a front-end for dm-crypt. Instead of using dm-crypt directly to set up disk encryption, you'll want to use LUKS. LUKS allows you to use multiple, up to eight at the time of this recording passphrases. These passphrases are used to decrypt the master key which is actually used to perform the encryption. These passphrases can be changed as well as revoked without having to reencrypt all the data stored on the encrypted device. LUKS stores all the required setup information in the partition header of the encrypted device which enables you to transport or migrate data seamlessly from one Linux distribution to another. If you would like to encrypt a USB drive or some other removable media, LUKS can be used to protect those devices. You don't have to just use LUKS on permanent storage devices. If your chosen distro has an option to set up encryption during install, this can be the easiest way to go. The price you pay for this convenience is not having complete configuration control over the process. However, the defaults are usually good and work for the overwhelming majority of situations. The CentOS and Red Hat installers have a checkbox to encrypt data on the disk during the installation process. You can see the little check box on the lower left-hand side of the screen. After you've clicked that check box, you'll need to provide a passphrase. It also asks you to confirm your passphrase. Here's what it looks like after the installation is done and when you boot the system. You have to provide that passphrase or the system will not boot. The process for Ubuntu is very similar. Here you select the option to set up encryption. Next you'll need to enter a passphrase. Ubuntu does a really great job of telling you how important this passphrase is. You'll want to use a strong passphrase and remember it. On boot, you'll be prompted for the passphrase in order to unlock your data and finish booting the system.

About the Author