1. Home
  2. Training Library
  3. Linux Security and Hardening | CSL4 A3.1 |

Encrypting a New Device - Part I

Start course
3h 21m

In this section, you’ll take a deep dive into Linux security. You’ll build your knowledge and skills through a comprehensive overview of the key areas that you need to know to secure Linux systems.

You’ll begin with Linux security in general before moving on to physical security and the countermeasures you can employ to protect your hardware. From there, you’ll explore authentication systems and the various account types on a Linux system, and how to secure each one. You'll also learn how to enforce strong passwords and manage account and password expirations.

In the networking section, you'll learn how to secure network services that run on Linux systems. You'll also learn how the local firewall works in Linux and how to configure it. You’ll learn about file system security and how permissions work in detail, including special modes, file attributes, and ACLs. You'll also discover what rootkits are, how to detect them, and how to remove them.

You’ll also find several security resources you can use to continue your security education and stay on top of the latest security issues for Linux distributions.

There are several knowledge checks as you go through these resources. These will help you identify any areas that you might need or want to review. At the end you’ll find a final exam, where you can test yourself on what you’ve learnt.

Learning Objectives

  • Get a general view of Linux security including roles, network services, encryption, accounts, and multifactor authentication
  • Learn specific strategies for mitigating physical security risks and protecting your Linux systems against the most common physical attacks
  • Learn about data encryption and how to implement it on new Linux systems, as well as those that are already in service
  • Understand the different types of accounts you'll find on a Linux system and the special precautions you need to take with each account type
  • Learn how to enforce good password security practices on your Linux systems
  • Learn about multi-factor authentication and how it can be implemented in Linux
  • Learn techniques and strategies to secure network services
  • Learn how to secure your files and directories on Linux through permissions, data sharing, special modes, file attributes, ACLs, and rootkits

The following process that I'm about to show you will work for any device that can be presented to your system. If you plug in a USB drive to your Linux system, create a new virtual disc for your Linux VM, or present a virtual volume to your Linux Cloud Instance, you can use this process. It's important to point out that what we're about to do will remove all the data that exists on that device. I have a virtual machine here and what I'm going to do is present a physical or I guess a virtual disc to it, in this instance. So again, I'm gonna make sure it's powered off, I'm gonna go to the settings of that machine. I'm going to add some storage here. Just create a new hard disc device. We'll create a new disc and we'll leave it at eight gigabyte, that's fine. Again, this would be the equivalent of physically putting another disc inside a server. So now I'm gonna power that server on. Okay, now the system is booted and I'm going to go ahead and log into it here. We need the cryptsetup utility in order to set up luks and encryption on our system. And it doesn't look like it's currently installed on this one. So typically I would just search for the software here. It's CentOS seven or a real seven equivalent machine and I'm just going to use yum search cryptsetup. And then I can see that the package name here is cryptsetup. I do believe on earlier versions, such as red hat six and CentOS six it's cryptsetup dash luks. So I'm going to go ahead and install cryptsetup now. We also attach the disc before we boot it up, let's run fdisc dash l to list the devices in our system and see if we can find out what device file is associated with our disc. Here, dev/sda, which is already being used, is 85 gig. That's not it, but if you look below that dev/sdb is about an eight gigabyte drive which is the size of the disc that we presented to this system. So the device is dev/sdb for this new disc that we installed. If you want to ensure that no un-encrypted data is left on the device that we're about to encrypt let's fill it with random data. Doing so will also conceal or obscure the parts of the device that contain encrypted data as opposed to just random data. To do this, we'll use a utility like shred. I'll do shred dash V, which is for verbose, dash N, which is the number of iterations. And I'll do just one. We'll those pass over this device once, and we'll supply the file here, dev/sdb. What this command is doing is writing random data to that disc. Next, we're going to initialize the device. To do that, I'll run sudo cryptsetup luxsFormat and then pass it that device. This'll go ahead and ask us for our passphrase here. Now that it's initialized we can go ahead and open the device. We'll run cryptsetup luxsOpen and pass the device to it which is slash dev slash sdb in this case, and a name that will be used to create the virtual block device in slash def mapper. So we'll just use opt as an example. Supply the passphrase that opens the device, and now we should have a virtual block device in dev mapper. Let's just look at the last few entries there. You can see that the virtual block device was created in slash dev slash mapper slash opt. Now we can use that virtual block device like any other block device. I'm going to go ahead and just put a file system directly on that device. So we'll run mkfs, we'll make it an ext4 file system. We'll run that on that device there. Okay, that's created. So, now let's go ahead and mount our file system, on slash opt. I'll create an entry in the Fs tab for it, dev mapper opt. We're going to mount it on slash opt. It's an ext4 file system, we don't need any specialized mounting options, and that will be our entry there. So we can go ahead and mount that device. And when we look there, we can see that opt is mounted on slash dev slash mapper slash opt. Now, when we create files and place them in opt they will be encrypted. From this point on, we use the file system like we normally would and allow luxs and DM crypt to handle the encryption. Here, I'll just create a simple little file. Oops, I need permission here. We'll do it like this. In order for the device to be mounted at boot time we'll need to make an entry in slash etc slash crypt tab. This will cause you to be prompted for the passphrase during the boot process, so the device can be opened. The first piece of information we need to supply is the name that we used, and here we used opt, so we'll just place this here. And that will be the virtual block device that gets created in slash dev slash mapper. Next we need to supply the underlying block device. Here, it's slash dev slash sdb. The next field in this file is for the passphrase but we can specify none here and that will force us to be prompted for the password on boot. The last column here is for options and we're just going to use the luks standard format. So we'll type in luks there go ahead and write and save that file. Also want to point out that the crypt tab supports the UUID equals UUID syntax just like the Fs tab file does here. And you can get that information by running blkid and then you can see the UUID, so these blocked devices. And then the one we're looking for is the cryptid the crypto luks device which is in this case, slash dev slash sdb. So if you wanted to use this format instead of supplying slash dev slash sdb in the crypt tab file, you would instead supply UUID equals two one one two five, et cetera, et cetera there. This is probably a better option for removable devices that you can't guarantee will have the same physical device file associated with it at each boot. So now that we have the crypt tab set up let me just go ahead and quickly show you that it will ask for the password when we perform a reboot. There it is, it's asking for our password. I'll go ahead and enter it. Quickly log in here, and you can see that opt is mounted on that virtual block device file of slash dev slash mapper slash opt. Let's say you didn't want to automatically mount this volume on boot, but instead you want to use this device for a while and then stop using it. So let's go ahead and remove its entry from etc crypt tab. I'll just comment it out there and also remove it from fstab. Again, I'll just place a comment there and let's go ahead and reboot.

About the Author