Protecting Data with Encrypted Linux Partitions
The Inevitable Whoopsie
We see the headlines all the time: "Company X Loses 30,000,000 Customer Social Security Numbers and Other Intimately Personal and Financial Data! Haha, Boy Are Our Faces Red!" And it always turns out to be some "contractor" (notice how it's never an employee) who had the entire wad on a laptop with (seemingly) a terabyte hard drive, which was then lost or stolen, but nobody is quite sure where or when. Or it's a giant box of backup tapes that was being transported by a vendor, who apparently cannot afford a vehicle with locking doors. To me it sounds pretty darned lame, even surreal; why in the heck do contractors get all that sensitive data in the first place, and why do they need the world's databases on their laptops? Why are giant boxes of sensitive backup tapes being carted around by some minimum-wage kid in a beatermobile? How come they never quite know what data is missing, and if it was encrypted or protected in any way?
So many questions, so few answers. Today let us focus on the issue of protecting sensitive data on hard drives with encrypted file systems. This is for your mobile users and anyone who needs extra data security on workstations and servers. We're going to use
cryptsetup-luks because it is easy and it is strong. We will create an encrypted partition that requires a passphrase only at mount time. Then you can use it just like any other partition.
Debian, Ubuntu, and Fedora all come ready to run
cryptsetup-luks. You won't need to hack kernels or anything; just install it. On Debian and the Buntu family:
# aptitude install cryptsetup
# yum install cryptsetup-luks