The smart folks over at Amazon Web Services just published a new white paper titled Creating HIPAA-Compliant Medical Data Applications. I’m a strong believer that it is possible to deploy Internet applications as securely “in the cloud” as in a private data center somewhere, and vendor documentation like this goes a long way toward helping others grasp this reality.
One weakness is that the white paper barely mentions encrypting data at rest. Here’s their accurate but incredibly concise statement:
HIPAA’s Privacy Rule regulations include standards regarding the encryption of all PHI in transmission (“in-flight”) and in storage (“at-rest”). The same data encryption mechanisms used in a traditional computing environment, such as a local server or a managed hosting server, can also be used in a virtual computing environment, such as Amazon EC2 and Amazon S3.
Their blog post mentions some software libraries and commercial tools for achieving encryption at rest, but generally leaves any implementation for you to figure out. There are encryption recommendations for software developers and end users, but not for system administrators (aren’t we their key demographic?). Never fear – encrypting your data at rest is easy with Linux! There are many ways to achieve encryption of data when it is stored on disk, but whole-volume encryption is often appealing because it can be implemented completely transparently to the application.
One of the best tools for securing your data “at-rest” while it is stored on Amazon’s Elastic Block Store (EBS) is dm-crypt. It’s already built into most modern Linux kernels, and gives you extra confidence that no one else could read your EBS volumes. Anyone who’s thinking of deploying any app that stores sensitive information (in “the cloud” or in your data center) should consider implementing dm-crypt on their Linux servers. Below are instructions for creating and using an EBS volume which is protected by dm-crypt encryption…
Follow these steps to create and mount your encrypted EBS volume – you just need to do them once (per volume!):
- Create a new EBS volume of the desired size and in the correct availability zone. (You could also use ElasticFox for these first two steps):
% ec2-create-volume -s SIZE_GB -z ZONENAME
For example,
% ec2-create-volume -s 2 -z us-east-1c
- Attach the EBS volume to your EC2 instance:
% ec2-attach-volume NEWVOLUMEID -i MYINSTANCEID -d DEVICE
For example,
% ec2-attach-volume vol-a51c11cc -i i-8b1118e2 -d /dev/sdd
(Not sure what your instance ID is? Try running this command from the instance: wget -O - -q http://169.254.169.254/latest/meta-data/instance-id)
- Create a dm-encrypted partition on the EBS volume:
% sudo cryptsetup create dm-atrust /dev/sdd
(you will be prompted for a passphrase – use a long, complex one – you won’t have to type it by hand anyway)
- Create a new LVM PV (physical volume) on the encrypted partition:
% sudo pvcreate /dev/mapper/dm-atrust
- Create a new LVM VG (volume group) on the LVM PV:
% sudo vgcreate vg-atrust /dev/mapper/dm-atrust
- Create a new LVM LV (logical volume) on the LVM VG:
% sudo lvcreate -n lv-atrust -L2G vg-atrust
- Create a new filesystem on the LVM LV:
% sudo mkfs -t xfs /dev/vg-atrust/lv-atrust
(you can use any filesystem, I just like XFS)
- Mount and test out your encrypted volume:
% sudo mount /dev/vg-atrust/lv-atrust /atrust
Follow these steps to mount an existing encrypted EBS volume:
- Attach the EBS volume to your EC2 instance:
% ec2-attach-volume NEWVOLUMEID -i MYINSTANCEID -d DEVICE
For example,
% ec2-attach-volume vol-a51cfccc -i i-8b5938e2 -d /dev/sdd
- Mount the dm-encrypted partition:
% sudo cryptsetup create dm-atrust /dev/sdd
(You will be prompted for your dm-crypt passphrase – note that dm-crypt doesn’t tell you if you get the passphrase wrong.)
- Activate the LVM PV and VG:
% /sbin/pvscan
% /sbin/vgscan
% /sbin/vgchange -a y vg-atrust
- Mount and test out your encrypted volume:
% sudo mount /dev/vg-atrust/lv-atrust /atrust
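Because dm-crypt in this mode accepts any passphrase silently, a wrong one produces a mapping full of garbage and the failure only shows up later at pvscan or mount. The following check is an added example, not part of the original post or its startup script: it looks for the LVM2 label ("LABELONE" at the start of one of the first four 512-byte sectors) on the mapped device before LVM is activated. The function names and the sample images are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a wrong dm-crypt passphrase by checking that the
# decrypted mapping carries an LVM2 physical-volume label.

# has_lvm_label DEVICE
# Succeeds only if one of the first four 512-byte sectors begins with
# the LVM2 label id "LABELONE" (pvcreate normally writes it to sector 1).
has_lvm_label() {
    dev=$1
    for sector in 0 1 2 3; do
        id=$(dd if="$dev" bs=512 skip="$sector" count=1 2>/dev/null \
             | head -c 8 | tr -d '\0')
        [ "$id" = "LABELONE" ] && return 0
    done
    return 1
}

# check_mapping NAME
# Run as root after "cryptsetup create NAME /dev/sdX" and before pvscan.
check_mapping() {
    if has_lvm_label "/dev/mapper/$1"; then
        return 0
    fi
    echo "no LVM label on /dev/mapper/$1: wrong passphrase or wrong device" >&2
    return 1
}

# make_sample FILE good|bad
# Builds a constructed 4 KiB image that stands in for the mapped device:
# "good" has the label in sector 1, "bad" is random bytes, which is what a
# mapping opened with the wrong passphrase looks like.
make_sample() {
    if [ "$2" = good ]; then
        dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
        printf 'LABELONE' | dd of="$1" bs=512 seek=1 conv=notrunc 2>/dev/null
    else
        dd if=/dev/urandom of="$1" bs=512 count=8 2>/dev/null
    fi
}
```

If check_mapping dm-atrust fails, remove the mapping with sudo cryptsetup remove dm-atrust and enter the passphrase again rather than continuing to pvscan.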
Obviously, it’d be quite a hassle to do these steps manually every time. Here is a script you can add to your startup directory to automatically attach and mount the encrypted volume. Set up the volume manually using the steps at the top of this post, then use this script to mount the EBS volume early in the boot process. You’ll need to update everything in-between the “#### change these setttings” lines. Stuck? …let us know in the post comments and we’ll help you out!
Photo credit: *dans
3 Responses
May 20th, 2009 at 7:22 am
[...] and once again, Amazon shines, because it gives you control of the operating system and you can encrypt your own data, at the expense of making you responsible for the security of the entire system. As for Azure, [...]
May 21st, 2009 at 12:04 am
[...] Encrypted Storage in the Cloud Follow these steps to create and mount your encrypted EBS volume – you just need to do them once (per volume!) (tags: amazon ec2 security crypto sysadmin) [...]
May 5th, 2010 at 9:28 pm
I am running the app in my own data center but want to archive data in AWS. Would I be able to follow the same steps as above to encrypt the data at rest?