Disk encryption is an important tool in the arsenal of every IT professional. Unfortunately, like many encryption solutions, it can be difficult to deploy. Information on up-to-date tools and techniques can be hard to find, and it's important to use encryption solutions correctly if they are going to offer any security.

With a virtual private server (VPS), disk encryption comes with some caveats. It cannot provide the level of protection you get from an encrypted laptop, or any other machine whose physical access you control, but it still adds a useful layer: data on a detached, copied or recycled disk is unreadable without the passphrase. Two risks remain when you rely on disk encryption on a VPS:

  • The cloud provider has physical access to the host. While a volume is open, its master key sits in the guest kernel's memory, so anyone who can read the VM's RAM (or a swap area the guest has paged that memory out to) can recover the key.
  • The passphrase that unlocks the volume crosses the provider's network every time you enter it. Typing it over SSH (or another encrypted protocol) mitigates this; never send it over a clear-text channel.

In this tutorial, we will deploy encrypted volumes on a CenturyLink Cloud Compute server running Ubuntu Linux. Because there is no interactive console during VPS boot at which to type a passphrase, the server's root volume cannot be encrypted this way. Instead, we will add new volumes to a server and show you how to configure encryption for them.

Tools Used

CenturyLink Cloud Compute servers are high-performance cloud servers. These enterprise-grade virtual machines are easy to deploy and manage from the CenturyLink Cloud Control Portal and via our powerful REST API.

Before We Start

If you don’t have a CenturyLink Cloud account yet, head over to our website and sign up for a free trial. You’ll need it to access CenturyLink Cloud Compute servers.

Deploy a New Virtual Server

The first step is to deploy a new CenturyLink Cloud virtual server. Follow the steps below.

  1. Log into the CenturyLink Cloud Control Portal.
  2. From the Navigation Menu, click Infrastructure > Servers.
  3. On the left-hand side of the server panel, click on the region in which you want to provision the server.
  4. Click Create > Server.
  5. Fill out the form for your new server.
  6. For Operating System, select Ubuntu 16 | 64-bit.
  7. Click Create Server.
  8. Your server provisioning request enters the queue. You can watch the progress of the request on screen. The server is provisioned when all tasks in the queue show as complete.

  9. After the new server is provisioned, in the Control Portal, click Infrastructure > Servers.

  10. Navigate to the region in which you provisioned the server and click on the server name.
  11. On the menu bar, click more > add public ip.
  12. Check the box for SSH/SFTP (22).
  13. Click add public ip address.

Adding Disk Volumes

To add a volume for encryption, follow the steps below.

  1. Log into the CenturyLink Cloud Control Portal.
  2. From the Navigation Menu, click Infrastructure > Servers.
  3. Navigate to the region in which you provisioned the server and click on the server name.
  4. In the server pane, scroll down to the DISKS section.
  5. Click edit storage.
  6. In the drop-down menu, click add storage > partition.
  7. Enter a mount point in the PATH box, for example, /encrypted-data. Note: Remember this mount point for later.
  8. In the SIZE box, enter a size for the encrypted partition.
  9. Click apply.

Installing and Configuring Disk Encryption Tools

Next, we need to log into the new virtual server and install the necessary tools for disk encryption.

  1. Log into the CenturyLink Cloud Control Portal.
  2. From the Navigation Menu, click Infrastructure > Servers.
  3. Navigate to the region in which you provisioned the server and click on the server name.
  4. On the right hand side of the Server Status page, look for IP ADDRESS(ES). Your server's public IP address will be underlined.
  5. From a shell or terminal on your local machine, connect to your new server as root with the following command. Replace YOUR.VPS.IP in the example below with your server's public IP address. The rest of this tutorial runs its commands as root; if you log in as another user, prefix each command with sudo.

    shell
    ssh root@YOUR.VPS.IP
    
  6. Install the required Ubuntu packages with the following commands.

    shell
    apt update
    apt install -y cryptsetup
    
  7. Run the following commands to load the kernel modules LUKS relies on and list them in /etc/modules so they are loaded at boot. On current Ubuntu kernels sha256 is usually built in and cryptsetup loads dm_crypt on demand, so this step may find nothing to do; it is harmless either way.

    shell
    for i in sha256 dm_crypt; do
      modprobe $i
      # append to /etc/modules only once, even if this loop is run again
      grep -qx "$i" /etc/modules || echo "$i" >> /etc/modules
    done
    

Encrypting Your New Volume

Now your virtual server is set up to encrypt and format volumes. Before we can encrypt the new volume though, we need to find out how it's attached to the VPS. Follow these steps to find your volume's device name.

  1. From the shell prompt on your server, run the following command:

    shell
    mount
    
  2. The output lists every mounted filesystem and is verbose. Near the bottom is the device mounted on the mount point you specified when you added the disk; the device name is the first word on that line. In the following example, the device name is /dev/sdd. Note: Record this for later.

    example
    /dev/sdd on /encrypted-data type ext4 (rw,relatime,data=ordered)
    
  3. Now, unmount the still-unencrypted volume so it can be encrypted. Run the following command, replacing /dev/sdd with your device name (umount accepts either the device or the mount point).

    shell
    umount /dev/sdd
    

Encrypting the Device

Once you know the device name and have unmounted it, you are ready to encrypt. Remember that luksFormat overwrites the start of the device and destroys all data on it. If you've been using it for anything else, make a backup before proceeding!

We will use the Advanced Encryption Standard (AES) with a 256-bit key in XTS mode, the disk-encryption mode cryptsetup itself uses by default for new LUKS volumes. To learn more about AES-256, read this article.

  1. From the shell prompt, run the following to set up LUKS on the device with AES-256 in XTS mode. Be sure to replace /dev/sdd with your device name. Two things to notice: XTS consumes two AES keys, so -s 512 is what gives you AES-256 (-s 256 would give AES-128); and a bare -c aes with no mode makes cryptsetup fall back to the legacy aes-cbc-plain spec, which is not what you want on a new volume. The -h sha256 option selects the hash used to derive the key from your passphrase, not the data cipher.

    shell
    cryptsetup --verify-passphrase luksFormat -c aes-xts-plain64 -s 512 -h sha256 /dev/sdd
    
  2. Follow the prompts. cryptsetup first asks you to confirm overwriting the device by typing YES in capitals, then asks for a passphrase (twice, because of --verify-passphrase). Remember this passphrase! Without it, you will NOT be able to access any data on your encrypted partition.

  3. Run the following command to open (register) the LUKS container. This creates the mapped device /dev/mapper/encrypted-data, which is the only place plaintext is ever written; /dev/sdd itself now holds only the LUKS header and ciphertext. Replace /dev/sdd with the name of your device.

    shell
    cryptsetup luksOpen /dev/sdd encrypted-data
    
  4. When it asks for a passphrase, enter the passphrase you used to encrypt the device in Step 2.

  5. Run the following command to create an ext4 filesystem on the mapped device (not on /dev/sdd).

    shell
    mkfs -t ext4 -O dir_index,filetype /dev/mapper/encrypted-data
    
  6. Finally, mount the encrypted disk with this command.

    shell
    mkdir -p /encrypted-data
    mount /dev/mapper/encrypted-data /encrypted-data
    

Everything written under /encrypted-data is now encrypted with AES-256 before it reaches /dev/sdd. Whatever was on the device before luksFormat is gone.
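
Before trusting the volume, it is worth confirming what luksFormat actually recorded, because the cipher spec lives unencrypted at the start of the device. On the server, cryptsetup luksDump /dev/sdd prints it. The following is an added example, not code from this tutorial or from cryptsetup: a small Python reader for the LUKS1 header (the format cryptsetup on Ubuntu 16.04 writes; LUKS2 headers, the default in newer cryptsetup, have a different layout and are rejected), with checks for the pitfalls mentioned above. The headers it parses are constructed in memory for the example; on a real server root would read the first 592 bytes of /dev/sdd instead.

```python
# Added example, not part of the original tutorial or of cryptsetup: an offline
# reader for the LUKS1 header plus a few reviewer checks on the cipher spec.
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED = 0x00AC71F3
SLOT_DISABLED = 0x0000DEAD
NUM_SLOTS = 8

# LUKS1 on-disk header (all integers big-endian):
#   magic(6) version(2) cipher-name(32) cipher-mode(32) hash-spec(32)
#   payload-offset(4) key-bytes(4) mk-digest(20) mk-digest-salt(32)
#   mk-digest-iter(4) uuid(40)                                   = 208 bytes
#   then 8 key slots of active(4) iterations(4) salt(32)
#   key-material-offset(4) stripes(4)                            = 8 x 48 bytes
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
KEYSLOT = struct.Struct(">II32sII")
HEADER_LEN = PHDR.size + NUM_SLOTS * KEYSLOT.size  # 592


def _cstring(raw):
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(buf):
    """Parse the first 592 bytes of a LUKS1 device; no passphrase is needed."""
    if len(buf) < HEADER_LEN:
        raise ValueError("need %d bytes, got %d" % (HEADER_LEN, len(buf)))
    (magic, version, name, mode, hash_spec, payload_offset, key_bytes,
     _mk_digest, _mk_salt, mk_iterations, uuid) = PHDR.unpack_from(buf, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("no LUKS magic: not a LUKS device, or wrong offset")
    if version != 1:
        raise ValueError("only LUKS1 is handled here; header says version %d" % version)
    enabled = []
    for i in range(NUM_SLOTS):
        active, iterations, _salt, _km_offset, _stripes = KEYSLOT.unpack_from(
            buf, PHDR.size + i * KEYSLOT.size)
        if active == SLOT_ENABLED:
            enabled.append({"slot": i, "iterations": iterations})
    return {
        "cipher_name": _cstring(name),
        "cipher_mode": _cstring(mode),
        "hash_spec": _cstring(hash_spec),
        "key_bits": key_bytes * 8,
        "payload_offset": payload_offset,  # in 512-byte sectors
        "mk_iterations": mk_iterations,
        "uuid": _cstring(uuid),
        "enabled_slots": enabled,
    }


def effective_aes_bits(hdr):
    """XTS splits the master key into two AES keys; CBC uses it whole."""
    if hdr["cipher_mode"].startswith("xts-"):
        return hdr["key_bits"] // 2
    return hdr["key_bits"]


def audit(hdr):
    """Findings a reviewer would raise about the header; an empty list is good."""
    findings = []
    mode = hdr["cipher_mode"]
    if mode.startswith("cbc-") and not mode.startswith("cbc-essiv"):
        findings.append("%s: CBC with a predictable IV is open to watermarking "
                        "attacks; use xts-plain64" % mode)
    if mode.endswith("-plain"):
        findings.append("%s: the 32-bit 'plain' IV repeats after 2 TiB; use plain64" % mode)
    if hdr["cipher_name"] == "aes" and effective_aes_bits(hdr) < 256:
        findings.append("effective AES key is %d bits, not 256" % effective_aes_bits(hdr))
    if hdr["hash_spec"] == "sha1":
        findings.append("PBKDF2 uses sha1; sha256 is preferred")
    if not hdr["enabled_slots"]:
        findings.append("no enabled key slots: nothing can unlock this volume")
    return findings


def build_header(cipher_name, cipher_mode, hash_spec, key_bytes, enabled_slots):
    """Constructed sample header for running offline (not read from a real disk)."""
    phdr = PHDR.pack(LUKS_MAGIC, 1, cipher_name.encode(), cipher_mode.encode(),
                     hash_spec.encode(), 4096, key_bytes, b"\0" * 20, b"\0" * 32,
                     1000, b"00000000-0000-0000-0000-000000000000")
    slots = b"".join(
        KEYSLOT.pack(SLOT_ENABLED if i in enabled_slots else SLOT_DISABLED,
                     100000 if i in enabled_slots else 0, b"\0" * 32, 8 + i * 256, 4000)
        for i in range(NUM_SLOTS))
    return phdr + slots


if __name__ == "__main__":
    # On a server, as root: parse_luks1_header(open("/dev/sdd", "rb").read(HEADER_LEN))
    for label, raw in (("-c aes -s 256 (bare 'aes' means cbc-plain)",
                        build_header("aes", "cbc-plain", "sha256", 32, [0])),
                       ("-c aes-xts-plain64 -s 512",
                        build_header("aes", "xts-plain64", "sha256", 64, [0]))):
        hdr = parse_luks1_header(raw)
        print(label, "->", hdr["cipher_name"] + "-" + hdr["cipher_mode"],
              "AES-%d" % effective_aes_bits(hdr), audit(hdr) or "no findings")
```

Run it with python3: the first printed line shows what the bare -c aes form would have recorded, the second what the command above records. The enabled_slots list is also worth a look on a shared server, since every enabled slot is a passphrase that unlocks the volume.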

Registering the Encrypted Volume Across Boots

One annoyance of encrypted disks is that a passphrase is required to open them, and on a VPS there is no console at boot to type it into. This means they cannot be mounted automatically during system boot. However, you can adjust the system configuration so that the boot does not trip over the encrypted device and so that opening and mounting it afterwards is a two-command job. Follow these steps to update your virtual server's configuration.

  1. From the shell prompt, open /etc/fstab with a text editor.
  2. Locate the line for your encrypted device's mount point; the portal added it when you created the disk, and it refers to the old ext4 filesystem by UUID. It will look similar to this, with a different UUID:

    example
    UUID=04bdf2f5-8361-405a-bdfb-73ed9f14f3e6   /encrypted-data   ext4   defaults,nofail   0 0
    
  3. Comment that line out by adding a # at the beginning of it. Without this, every boot would try to mount the old ext4 filesystem, which luksFormat overwrote; its UUID no longer exists on any device, so the mount can only fail.

  4. Open /etc/crypttab with a text editor.
  5. Add the following line at the end of the file. The fields are the mapping name (this becomes /dev/mapper/encrypted-data), the source device, the key file (none means prompt for the passphrase) and options. noauto keeps the boot from stopping at a passphrase prompt nobody can answer. Replace /dev/sdd with the name of your encrypted device. Note: names like /dev/sdd are not guaranteed to stay the same after a reboot or after further disks are added; the source field also accepts UUID=<uuid> using the LUKS UUID, which cryptsetup luksUUID /dev/sdd prints.

    example
    encrypted-data     /dev/sdd    none    luks,noauto
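
To check that the two files agree before you reboot, here is an added example (not from this tutorial): a Python checker that reads crypttab, fstab and the output of blkid and flags the mistakes this section is about: an fstab line still pointing at the pre-encryption filesystem or at the raw LUKS device, a crypttab entry that would prompt at boot, a device name where a UUID belongs, and an fstab entry for the mapped device that boot would wait on. The file contents and blkid output below are constructed samples; on a server you would pass in the real files and the output of blkid. It assumes blkid's default one-line-per-device output format.

```python
# Added example, not from the original tutorial: cross-check /etc/crypttab,
# /etc/fstab and blkid output for the boot-time mistakes described above.
import re

# Constructed samples (not copied from a real server). BLKID_SAMPLE stands in for
# "blkid" run after luksFormat: /dev/sdd now holds a LUKS container and the ext4
# UUID the portal wrote into fstab no longer exists on any device.
BLKID_SAMPLE = """\
/dev/sda1: UUID="11111111-2222-3333-4444-555555555555" TYPE="ext4" PARTUUID="0a0b0c0d-01"
/dev/sdd: UUID="66666666-7777-8888-9999-aaaaaaaaaaaa" TYPE="crypto_LUKS"
"""
FSTAB_BEFORE_EDIT = """\
UUID=11111111-2222-3333-4444-555555555555  /  ext4  errors=remount-ro  0 1
UUID=04bdf2f5-8361-405a-bdfb-73ed9f14f3e6  /encrypted-data  ext4  defaults,nofail  0 0
"""
CRYPTTAB_AS_ABOVE = "encrypted-data  /dev/sdd  none  luks,noauto\n"
FSTAB_FIXED = """\
UUID=11111111-2222-3333-4444-555555555555  /  ext4  errors=remount-ro  0 1
# UUID=04bdf2f5-8361-405a-bdfb-73ed9f14f3e6  /encrypted-data  ext4  defaults,nofail  0 0
/dev/mapper/encrypted-data  /encrypted-data  ext4  defaults,noauto  0 2
"""
CRYPTTAB_FIXED = "encrypted-data  UUID=66666666-7777-8888-9999-aaaaaaaaaaaa  none  luks,noauto\n"


def _records(text):
    """Whitespace-split fields of each line that is not blank or a comment."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_blkid(text):
    """device -> {KEY: value} from blkid's default 'dev: KEY="v" ...' lines."""
    devices = {}
    for line in text.splitlines():
        if ":" in line:
            dev, rest = line.split(":", 1)
            devices[dev.strip()] = dict(re.findall(r'(\w+)="([^"]*)"', rest))
    return devices


def parse_crypttab(text):
    """name -> {source, key, options}; a missing key field means 'none' (prompt)."""
    table = {}
    for f in _records(text):
        if len(f) < 2:
            raise ValueError("crypttab line needs a name and a source: %r" % f)
        table[f[0]] = {"source": f[1], "key": f[2] if len(f) > 2 else "none",
                       "options": set(f[3].split(",")) if len(f) > 3 else set()}
    return table


def parse_fstab(text):
    """List of {source, target, fstype, options} in file order."""
    rows = []
    for f in _records(text):
        if len(f) < 3:
            raise ValueError("fstab line needs source, mount point and type: %r" % f)
        rows.append({"source": f[0], "target": f[1], "fstype": f[2],
                     "options": set(f[3].split(",")) if len(f) > 3 else set()})
    return rows


def resolve(source, blkid):
    """Map a UUID=... or /dev/... source to a device blkid knows about, else None."""
    if source.startswith("UUID="):
        want = source[len("UUID="):]
        return next((d for d, a in blkid.items() if a.get("UUID") == want), None)
    return source if source in blkid else None


def check_boot_config(crypttab_text, fstab_text, blkid_text):
    """Problems found when cross-checking the three inputs; [] means consistent."""
    problems = []
    blkid = parse_blkid(blkid_text)
    crypt = parse_crypttab(crypttab_text)
    fstab = parse_fstab(fstab_text)
    for row in fstab:
        dev = resolve(row["source"], blkid)
        if dev is None and row["source"].startswith("UUID="):
            problems.append("fstab: %s for %s matches no filesystem (the pre-encryption "
                            "ext4 UUID?); comment the line out" % (row["source"], row["target"]))
        elif dev is not None and blkid[dev].get("TYPE") == "crypto_LUKS":
            problems.append("fstab: %s mounts LUKS container %s directly; mount "
                            "/dev/mapper/<name> instead" % (row["target"], dev))
    for name, e in crypt.items():
        if e["key"] == "none" and "noauto" not in e["options"]:
            problems.append("crypttab: %s would prompt for a passphrase at boot, which a "
                            "VPS without a console cannot answer; add noauto" % name)
        if not e["source"].startswith("UUID="):
            problems.append("crypttab: %s uses %s, which can be renumbered across reboots; "
                            "use UUID= from 'cryptsetup luksUUID %s'" % (name, e["source"], e["source"]))
        mapped = "/dev/mapper/" + name
        for row in fstab:
            if (row["source"] == mapped and "noauto" in e["options"]
                    and not row["options"] & {"noauto", "nofail"}):
                problems.append("fstab: %s is mounted at boot, but crypttab sets %s up only "
                                "on demand; add noauto there too" % (mapped, name))
    return problems


if __name__ == "__main__":
    for label, ct, fs in (("fstab untouched", CRYPTTAB_AS_ABOVE, FSTAB_BEFORE_EDIT),
                          ("after the edits", CRYPTTAB_FIXED, FSTAB_FIXED)):
        print(label, "->", check_boot_config(ct, fs, BLKID_SAMPLE) or "consistent")
```

FSTAB_FIXED also shows an optional extra: an fstab line for /dev/mapper/encrypted-data with noauto, which lets you type mount /encrypted-data after opening the volume instead of spelling out both paths, without making the boot wait for a device that is never set up.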
    

Register and Mount an Encrypted Device

After a system boot, your encrypted storage will need to be registered manually. This may seem tedious and inconvenient, but it ensures that the correct passphrase is needed to decrypt and access the secure contents. To register and mount your encrypted device, follow these steps.

  1. To register your encrypted volume, run the following command at the shell prompt.

    shell
    cryptdisks_start encrypted-data
    
  2. Enter your encrypted volume's passphrase at the Enter passphrase: prompt.

  3. To mount your encrypted volume, run the following command.

    Note: when successful, mount produces no output.

    shell
    mount /dev/mapper/encrypted-data /encrypted-data
    

Note: CenturyLink Cloud sends you an email notification if your server reboots. If you are using encrypted volumes for critical tasks, it is important to watch for these emails.

Next Steps

Encrypted volumes can be used for more than just storage. Linux also makes it possible to create encrypted swap partitions, which keep whatever the kernel pages out of memory (possibly including keys and other secrets) from landing on disk in the clear. In fact, encryption is vital across almost all aspects of IT security, so it makes sense to learn more about it. You can start with this quick introduction to encryption and data security, and there are lots of other resources available on the web.
