Using filesystem encryption with eCryptfs

The eCryptfs filesytem is implemented as an encryption/decryption layer interposed between a mounted filesystem and the kernel. The data is encrypted and decrypted automatically at filesystem access. It can be used for backup or sensitive files placement for transportable or fixed storage mediums. In this recipe we will install and demonstrate some of eCryptfs, capabilities.

Getting ready

All steps will be performed on nodeorcl1.

How to do it...

eCryptfs is shipped and bundled with the Red Hat installation kit.

  1. The eCryptfs package is dependent on the trouser package. As root user, first install the trouser package followed by installation of the ecryptfs-util package:
    [root@nodeorcl1 Packages]# rpm -Uhv trousers-0.3.4-4.el6.x86_64.rpm 
warning: trousers-0.3.4-4.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing...                ########################################### [100%]
   1:trousers               ########################################### [100%]
[root@nodeorcl1 Packages]# rpm -Uhv ecryptfs-utils-82-6.el6.x86_64.rpm 
warning: ecryptfs-utils-82-6.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing...                ########################################### [100%]
   1:ecryptfs-utils         ########################################### [100%]
  2. Create a directory that will be mounted with the eCryptfs filesystem and set the oracle user as the owner:
    [root@nodeorcl1 ~]# mkdir /ecryptedfiles
[root@nodeorcl1 ~]# chown -R oracle:oinstall /ecryptedfiles
  3. Mount /ecryptedfiles to itself using the eCryptfs filesystem. Use the default values for all options and use a strong phassphrase as follows:
    [root@nodeorcl1 hashkeys]# mount -t ecryptfs /ecryptedfiles /ecryptedfiles
Select key type to use for newly created files: 
 1) openssl
 2) tspi
 3) passphrase
Selection: 3
Passphrase: lR%5_+KO}Pi_$2E
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: 
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 
Enable plaintext passthrough (y/n) [n]: 
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [d395309aaad4de06]: 
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=d395309aaad4de06
  ecryptfs_key_bytes=16
  ecryptfs_c
ipher=aes
  ecryptfs_sig=d395309aaad4de06
Mounted eCryptfs
[root@nodeorcl1 hashkeys]#
  4. Switch to the oracle user and export the HR schema to /ecryptedfiles directory as follows: 
    [oracle@nodeorcl1 ~]$ export NLS_LANG=AMERICAN_AMERICA.AL32UTF8
[oracle@nodeorcl1 ~]$ exp system file=/ecryptedfiles/hr.dmp owner=HR statistics=none

Export: Release 11.2.0.3.0 - Production on Sun Sep 23 20:49:30 2012

Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.

Password: 

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Export done in AL32UTF8 character set and AL16UTF16 NCHAR character set

About to export specified users ...
.............................................................................................................................
. . exporting table                      LOCATIONS         23 rows exported
. . exporting table                        REGIONS          4 rows exported
. ....................................................................................................................
. exporting post-schema procedural objects and actions
. exporting statistics
Export terminated successfully without warnings.
[oracle@nodeorcl1 ~]$
  5. If you open the hr.dmp file with the strings command, you will be able to see the content of the dump file:
    [root@nodeorcl1 ecryptedfiles]# strings hr.dmp | more
...........................................................................................................................................................
CREATE TABLE "COUNTRIES" ("COUNTRY_ID" CHAR(2) CONSTRAINT "COUNTRY_ID_NN" NOT NULL ENABLE, "COUNTRY_NAME" VARCHAR2(40), "REGION_ID" NUMBER,  CONSTRAINT "COUNTRY_C_ID_PK" PRIMARY KEY ("COUNTRY_ID") ENABLE ) ORGANIZATION INDEX  PCTFREE 10 
INITRANS 2 MAXTRANS 255 STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT) TABLESPACE "EXAMPLE" NOLOGGING NOCOMPRESS PCTTHRESHOLD 50
INSERT INTO "COUNTRIES" ("COUNTRY_ID", "COUNTRY_NAME", "REGION_ID") VALUES (:1, :2, :3)
Argentina
Australia
Belgium
Brazil
Canada
  6. Next as root unmount /ecryptedfiles as follows:
    [root@nodeorcl1 /]# unmount /ecryptedfiles/
  7. If we list the content of the /ecryptedfile directory now, we should see that the file name and content is encrypted:
    [root@nodeorcl1 /]# cd /ecryptedfiles/
[root@nodeorcl1 ecryptedfiles]# ls
ECRYPTFS_FNEK_ENCRYPTED.FWbHZH0OehHS.URqPdiytgZHLV5txs-bH4KKM4Sx2qGR2by6i00KoaCBwE--
[root@nodeorcl1 ecryptedfiles]#
[root@nodeorcl1 ecryptedfiles]# more ECRYPTFS_FNEK_ENCRYPTED.FWbHZH0OehHS.URqPdiytgZHLV5txs-bH4KKM4Sx2qGR2by6i00KoaCBwE-- 
…………………………………………………………………………………………………………………………………
9$Eî□□KdgQNK□□v□□
S□□J□□□h□□□PIi'ʼn□□R□□□□□siP□b □`)3□W­□W(
□□□□c!□□8□E.1'□R□7bmhIN□□--(15%)
 ………………………………………………………………………………………………………………………………….
  8. To make the file accessible again, mount the /ecryptedfiles filesystem by passing the same parameters and passphrase as performed in step 3.

How it works...

eCryptfs is mapped in the kernel Virtual File System (VFS), similarly with other filesystems such as ext3, ext4, and ReiserFS. All calls on a filesystem will go first through the eCryptfs mount point and then to the current filesystem found on the mount point (ext4, ext4, jfs, ReiserFS). The key used for encryption is retrieved from the user session key ring, and the kernel cryptographic API is used for encryption and decryption of file content. The communication with kernel is performed by the eCryptfs daemon. The file data content is encrypted for each file with a distinct randomly generated File Encryption Key (FEK); FEK is encrypted with File Encryption Key Encryption Key (FEKEK) resulting in an Encrypted File Encryption Key (EFEK) that is stored in the header of file.

There's more...

On Oracle Solaris you can implement filesystem encryption using the ZFS built-in filesystem encryption capabilities. On IBM AIX you can use EFS.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.137.184.90