Data Encryption

Revision as of 21:47, 15 May 2014 by Bill

There are a number of options for data encryption for secure server hosting; however, for Shared Hosting or cPanel-style hosts, encryption options are very limited. For Dedicated/VPS hosting, administrators have the option of encrypting the entire disk or encrypting only the portions where sensitive file data will be stored. We will explore both approaches, noting the benefits and downsides of each.

Whole Disk Encryption

The major issue with whole disk encryption is that a reboot will require the entry of a password before the system is mounted. To be able to do this, your provider would need to give access to the machine via a KVM, which allows remote access to a keyboard console as the machine boots. This is a non-standard setup and some providers may charge additional fees for it.

The significant benefit of whole disk encryption is that if the machine is seized by outside parties, they will have no access to the operating system or the disk itself. This means that no data on the machine will be leaked in that eventuality.

  1. The Linux Unified Key System (LUKS) allows for both full and partial disk encryption. The benefit of encrypting the entire disk is that it prevents leakage of ancillary information such as usernames, installed applications, processes, etc. An in-depth tutorial for LUKS setup can be found here and a simpler one can be found here.

Data Store Encryption

An alternative to whole disk encryption is to encrypt specific portions of the disk containing the most sensitive data that must be protected. This could be a Solr or Elasticsearch instance or a database instance, such as MySQL.

This removes the need to enter a boot password on reboot, but it does leave any unencrypted elements of the disk open to access if the machine is seized or compromised.

  1. The tool EncFS runs in user space and allows the creation of encrypted partitions. These partitions can be mounted once the system has been booted. The encrypted partitions can be defined at variable sizes, and the sensitive datastores and applications can be run from within them once the partition has been mounted.
  2. The LUKS tool can also be set to encrypt only specific partitions, which are then mounted in a similar way to EncFS.