[Remops] Encrypting Remailer filesystem
Stefan Claas
sac at 300baud.de
Sun May 26 19:14:53 BST 2019
Hi Grant,

Grant Taylor wrote:
> From memory, here's what I did.
>
> 1) Created a new virtual disk for my VPS.
> 2) Used cryptsetup to encrypt said disk.
> 3) Used cryptsetup luksOpen to open the encrypted disk and make it
> accessible.
> 4) Formatted the accessible encrypted disk.
> 5) Mounted the formatted encrypted disk somewhere. (/var/LUKS for
> this discussion)
> 6) Created symbolic links from the directories that I wanted to be
> encrypted to their counterpart on the encrypted file system. I.e.:
> /home -> /var/LUKS/home
> /etc/mail -> /var/LUKS/mail
> 7) I don't remember if I did anything special for shutdown or just
> let init scripts handle it.
> 8) I have a script that I manually run after boot that does the
> cryptsetup luksOpen, mounts the decrypted device, and starts services
> that depend on things on the encrypted file system.
>
> It's not graceful. But it has been stable across many reboots for ~5
> years.
>
> It also means that an offline copy of the data that I care about is
> going to be difficult to get to.
>
> If I were to (when I do) do this again, I'd look into the state of
> encrypted disk support in operating systems & init scripts. I think
> more have better support (as in greater than zero) for things.
>
> Aside: I think I like encrypted block devices with file systems on
> top of them better than things that encrypt files on top of a regular
> unencrypted file system.
>
> Regarding swap: According to crypttab's man page, there are options
> to have the system create random keys to (re)encrypt and remake swap
> on each boot. Thus your swap partition has different encryption each
> boot. The rotation isn't as important as having encrypted swap.
> However, having encrypted swap makes it more difficult to diagnose
> things that rely on dumps to swap. But, choose what's important for
> steady state (encrypted swap) vs debugging (unencrypted swap or
> predictable key).
Oh, a lot of info! :-)
IIRC Zax's instructions were much shorter. Hopefully he still
reads the list and can give some input too!
Regards
Stefan
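The steps Grant lists (format the new disk with cryptsetup, luksOpen it, make a filesystem, mount it under /var/LUKS, symlink /home and /etc/mail onto it, re-open and mount it by hand after each boot, and give swap a fresh random key from crypttab) as one POSIX shell script. This is an added example, not a script from Grant's or Stefan's mail: the device name /dev/vdb, the mapper name "remailer", the service names, and the DRY_RUN switch are all assumptions; only /var/LUKS, /home and /etc/mail come from the thread.

```shell
#!/bin/sh
# Added example: LUKS volume setup, directory relocation, post-boot open/mount,
# and a random-key swap line for /etc/crypttab, following the steps in the
# quoted mail. Assumptions: DEV, NAME, MNT and the service names below.
# DRY_RUN=1 prints each command instead of executing it, so the plan can be
# reviewed without root; the real run needs root and cryptsetup installed.
set -eu

DEV="${DEV:-/dev/vdb}"          # assumed: the new virtual disk on the VPS
NAME="${NAME:-remailer}"        # assumed: /dev/mapper/<NAME>
MNT="${MNT:-/var/LUKS}"         # mount point from the thread
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steps 2-5: encrypt the disk, open it, put a filesystem on it, mount it.
luks_initial_setup() {
    run cryptsetup luksFormat --type luks2 "$DEV"
    run cryptsetup luksOpen "$DEV" "$NAME"
    run mkfs.ext4 "/dev/mapper/$NAME"
    run mkdir -p "$MNT"
    run mount "/dev/mapper/$NAME" "$MNT"
}

# Step 6: move a directory onto the encrypted volume and leave a symlink
# behind, e.g. /etc/mail -> /var/LUKS/mail. Copy first (preserving perms,
# hard links, ACLs and xattrs), keep the original aside, then link.
relocate_dir() {
    src="$1"
    dst="$MNT/$(basename "$src")"
    run mkdir -p "$dst"
    run rsync -aHAX "$src/" "$dst/"
    run mv "$src" "$src.pre-luks"
    run ln -s "$dst" "$src"
}

# Step 8: the script run by hand after boot: open, mount, then start the
# services that live on the encrypted filesystem (names passed as arguments).
post_boot() {
    run cryptsetup luksOpen "$DEV" "$NAME"
    run mount "/dev/mapper/$NAME" "$MNT"
    for svc in "$@"; do
        run systemctl start "$svc"
    done
}

# Swap with a fresh random key every boot. This is the crypttab(5) form:
#   <target> <source> <key file> <options>
# Pair it with an fstab entry "/dev/mapper/<target> none swap sw 0 0".
# Because the key is discarded at shutdown, nothing in swap survives a reboot,
# which is also why crash dumps written to swap become undiagnosable.
crypttab_swap_line() {
    printf '%s %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$1" "$2"
}

# Dispatch; with no argument the script only defines the functions above.
case "${1:-}" in
    setup)    luks_initial_setup ;;
    relocate) relocate_dir "$2" ;;
    boot)     shift; post_boot "$@" ;;
    crypttab) crypttab_swap_line cswap "$2" ;;
    *)        : ;;
esac
```

Run it as "DRY_RUN=1 sh luks-remailer.sh relocate /etc/mail" first to see exactly what will happen, then without DRY_RUN as root. The pre-luks copy of each relocated directory is left in place on the unencrypted disk on purpose; wipe it only after confirming the services run correctly from /var/LUKS.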