3.1 Configuring and Using Data Encryption

You can use data encryption to protect data at rest and data in transit. Data on storage devices and media is exposed to theft or loss of the device; data transmitted over local area networks and the Internet can be intercepted or altered. In addition, encryption of private and personal data is increasingly mandated by corporate security policy and by government and industry regulations (for example, HIPAA, GLBA, SOX, and PCI DSS).

Oracle Linux systems provide several strategies for protecting data:

  • When installing systems and application software, accept only RPM packages that have been digitally signed by the supplier. Set gpgcheck=1 for each repository (in its .repo file under /etc/yum.repos.d, or as the default in the [main] section of /etc/yum.conf) and import the supplier's public GPG key with rpm --import so that signatures can be verified; packages whose signature is missing or does not verify are then rejected. Fetching packages over HTTPS (TLS, the successor to the Secure Sockets Layer, SSL) additionally protects the download channel, but transport encryption only authenticates the mirror, not the package. The signature is what ties a package to its publisher, so keep gpgcheck enabled even for HTTPS repositories.

  • To protect against data theft, consider using full-disk encryption, especially on laptops, external hard drives, and removable devices such as USB memory sticks. Oracle Linux supports block device encryption using dm-crypt and the Linux Unified Key Setup (LUKS) format. The cryptsetup administration command is provided by the cryptsetup-luks package (named cryptsetup on later releases). These technologies encrypt whole partitions or devices so that their contents are unreadable while the volume is locked, that is, when the system is powered off or the volume has not yet been opened. When the system boots and you supply the correct passphrase (or key file), the device is mapped in decrypted form and its data is accessible to anyone the file-system permissions allow. Full-disk encryption therefore protects data at rest, not data on a running, unlocked system, and it is only as strong as the passphrase that protects the key. For more information, see the cryptsetup(8) manual page.

  • An alternative approach for protecting data on a device is to use the eCryptfs utilities to encrypt a file system. The eCryptfs utilities are available in the ecryptfs-utils package. Unlike dm-crypt, which encrypts block devices, eCryptfs is a stacked file system that encrypts file contents (and, optionally, file names) within a directory of an existing file system, so you can use it to protect individual files and directories, for example a user's home directory, rather than a whole device; file sizes and other metadata remain visible. For more information, see the ecryptfs(7), ecryptfs-setup-private(1), ecryptfs-mount-private(1), and ecryptfs-umount-private(1) manual pages.

  • Oracle Linux uses encryption to support Virtual Private Networks (VPN) and Secure Shell (ssh), and uses cryptographic hashing to protect stored passwords. By default, Oracle Linux hashes passwords with the salted, iterated SHA-512 scheme of crypt(3) (hashes beginning with $6$) and stores the hashes, never the passwords themselves, in the /etc/shadow file, which is readable only by root.

  • Oracle Linux takes advantage of hardware-accelerated encryption on x86 and x86_64 CPUs that support the Advanced Encryption Standard New Instructions (AES-NI) instruction set, which speeds up AES encryption and decryption both in the kernel (through the aesni_intel module, used for example by dm-crypt) and in user space (through OpenSSL). AES-NI accelerates AES only; it does not speed up SHA-1 or RC4, and RC4 should no longer be used in any case.
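The following script is an added example, not part of the Oracle Linux guide, illustrating the first item above (signed packages and a protected download channel). It audits a yum .repo file for gpgcheck values other than 1 and for plain http:// baseurl or mirrorlist entries, and wraps rpm -K for checking an individual package. The repository file it writes is constructed for the demonstration, and the interpretation of rpm -K output wording across rpm versions is an assumption noted in the code.

```bash
#!/bin/bash
# Added example, not part of the Oracle Linux guide: audit yum repository
# definitions for settings that would let unsigned or cleartext-fetched
# packages onto the system, then check a downloaded RPM's signature.
# The repository file written below is constructed for this demonstration;
# only the first entry's URL and key path mirror Oracle's public yum server.

# audit_repo_file FILE
# Prints one line per weak setting found in FILE and returns the number of
# findings as the exit status. A section is reported when gpgcheck is not
# exactly 1 (unset counts as weak: a [main] default in /etc/yum.conf might
# cover it, but this audit is deliberately conservative) or when packages
# are fetched over plain http://.
audit_repo_file() {
    awk '
    BEGIN { n = 0 }
    function flush() {
        if (section == "") return
        if (gpgcheck != "1") {
            g = (gpgcheck == "" ? "unset" : gpgcheck)
            print section ": gpgcheck=" g
            n++
        }
        if (url ~ /^http:\/\//) {
            print section ": cleartext download channel " url
            n++
        }
    }
    /^\[/ { flush(); section = $0; gsub(/\[|\]/, "", section); gpgcheck = ""; url = ""; next }
    /^[ \t]*gpgcheck[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); gpgcheck = v }
    /^[ \t]*(baseurl|mirrorlist)[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); url = v }
    END { flush(); exit n }
    ' "$1"
}

# weak_count FILE -> number of findings on stdout, without tripping set -e
weak_count() {
    local rc=0
    audit_repo_file "$1" >/dev/null || rc=$?
    echo "$rc"
}

# rpm_signature_status PACKAGE.rpm
# Wraps "rpm -K" (the same check yum performs when gpgcheck=1). The output
# wording differs between rpm versions (assumption: "pgp ... OK" on older
# releases, "digests signatures OK" on newer ones). "NOT OK" in any form
# means a signature failed or the signing key was never imported (NOKEY),
# and a line that mentions only digests means the package is unsigned.
rpm_signature_status() {
    local out
    out=$(rpm -K "$1" 2>&1) || { echo "bad: $out"; return 1; }
    case "$out" in
        *"NOT OK"*)                      echo "bad: $out"; return 1 ;;
        *pgp*OK|*gpg*OK|*signatures*OK)  echo "signed: $out"; return 0 ;;
        *)                               echo "unsigned: $out"; return 1 ;;
    esac
}

# Constructed sample: one correctly configured Oracle repository and one
# third-party repository that shows both weaknesses.
REPO_SAMPLE=$(mktemp)
cat > "$REPO_SAMPLE" <<'EOF'
[ol7_latest]
name=Oracle Linux 7 Latest (x86_64)
baseurl=https://yum.oracle.com/repo/OracleLinux/OL7/latest/x86_64/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1

[vendor_tools]
name=Third-party tools (constructed example)
baseurl=http://repo.example.com/tools/el7/
gpgcheck=0
enabled=1
EOF

audit_repo_file "$REPO_SAMPLE" || echo "$? weak setting(s) found in $REPO_SAMPLE"
# To check a real package after importing the supplier's key:
#   rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
#   rpm_signature_status /path/to/some-package.rpm
```

yum also accepts repo_gpgcheck=1, which verifies the signature on the repository metadata as well as on each package and is worth enabling where the supplier signs its repodata. Note that rpm_signature_status reports NOKEY failures as bad rather than as a warning: a signature that cannot be tied to an imported key proves nothing about who built the package.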
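The second and third items describe encrypting a device or a file system. The script below is an added example, not from the Oracle Linux guide, of the dm-crypt/LUKS path: it formats a file-backed loop device with cryptsetup, writes a known string into the opened volume, and then confirms that the string cannot be found in the locked container. The container path, mapper name, mount point and passphrase are constructed for the demonstration; the luks_demo function must run as root with cryptsetup installed, while the two helpers that produce the /etc/crypttab and /etc/fstab lines run anywhere.

```bash
#!/bin/bash
# Added example, not part of the Oracle Linux guide: create a LUKS volume on
# a file-backed loop device, verify that the raw container reveals none of
# the plaintext written into it, and print the /etc/crypttab and /etc/fstab
# lines that make the volume unlock at boot. The container path, mapper
# name, mount point and passphrase are constructed for this demonstration;
# luks_demo needs root and the cryptsetup package.

CONTAINER=/var/tmp/demo.luks        # file standing in for a disk partition
MAPPER=cryptdata                    # name that appears under /dev/mapper
MOUNTPOINT=/mnt/cryptdata
PASSPHRASE=${PASSPHRASE:-demo-passphrase-change-me}
MARKER="PLAINTEXT-MARKER-$$"        # string we later search the ciphertext for

# crypttab_entry NAME UUID -> /etc/crypttab line: prompt for the passphrase
# at boot ("none" in the key-file column) and treat the device as LUKS
crypttab_entry() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab_entry NAME MOUNTPOINT -> /etc/fstab line mounting the opened mapping
fstab_entry() {
    printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$1" "$2"
}

luks_demo() {
    [ "$(id -u)" -eq 0 ] || { echo "luks_demo: run as root" >&2; return 1; }
    command -v cryptsetup >/dev/null || { echo "luks_demo: cryptsetup not installed" >&2; return 1; }
    local loopdev uuid

    dd if=/dev/zero of="$CONTAINER" bs=1M count=64 2>/dev/null
    loopdev=$(losetup --find --show "$CONTAINER")

    # Name the cipher explicitly rather than trusting distribution defaults.
    # The passphrase is fed on stdin (--key-file -) so it never appears in
    # the process list; --batch-mode suppresses the interactive confirmation.
    printf '%s' "$PASSPHRASE" | cryptsetup --batch-mode --cipher aes-xts-plain64 \
        --key-size 512 --key-file - luksFormat "$loopdev"
    printf '%s' "$PASSPHRASE" | cryptsetup --key-file - luksOpen "$loopdev" "$MAPPER"

    mkfs.ext4 -q "/dev/mapper/$MAPPER"
    mkdir -p "$MOUNTPOINT"
    mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"
    echo "$MARKER" > "$MOUNTPOINT/secret.txt"
    umount "$MOUNTPOINT"
    cryptsetup luksClose "$MAPPER"

    # The check a practitioner wants: with the volume locked, the marker must
    # not be findable anywhere in the raw container.
    if grep -q "$MARKER" "$CONTAINER"; then
        echo "FAIL: plaintext is visible in $CONTAINER" >&2
        losetup -d "$loopdev"
        return 1
    fi
    echo "OK: marker not present in the locked container"

    uuid=$(cryptsetup luksUUID "$loopdev")
    cryptsetup luksDump "$loopdev" | grep -iE 'version|cipher'
    echo "# add to /etc/crypttab:"; crypttab_entry "$MAPPER" "$uuid"
    echo "# add to /etc/fstab:";    fstab_entry "$MAPPER" "$MOUNTPOINT"
    losetup -d "$loopdev"
}

# Run only when explicitly asked, so sourcing this file has no side effects:
#   sudo LUKS_DEMO_RUN=1 bash luks-demo.sh
if [ "${LUKS_DEMO_RUN:-0}" = 1 ]; then
    luks_demo
fi
```

Back up the LUKS header as soon as a volume is in use (cryptsetup luksHeaderBackup --header-backup-file FILE DEVICE): the header holds the key slots, and a damaged or overwritten header makes the data unrecoverable no matter how well the passphrase is known. Once the mapping is open, the data is as exposed as any other mounted file system; LUKS defends against loss of the device, not against compromise of the running host.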
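As an added example illustrating the password hashing item (not from the Oracle Linux guide), the script below classifies the password field of each shadow entry by its crypt(3) prefix and reports accounts whose hashes are weaker than the SHA-512 default, which is what you find after an upgrade from an older release or when account data was copied from an older host. The shadow file it reads is constructed inline and its hash bodies are filler, not real hashes.

```bash
#!/bin/bash
# Added example, not part of the Oracle Linux guide: classify the password
# hashes in a shadow file by crypt(3) scheme and list accounts still carrying
# something weaker than the SHA-512 default. The shadow entries below are
# constructed; their hash bodies are filler, not real hashes.

# hash_algo FIELD -> scheme name for one /etc/shadow password field
hash_algo() {
    case "$1" in
        '$6$'*)          echo sha512 ;;              # sha512crypt, the Oracle Linux default
        '$5$'*)          echo sha256 ;;              # sha256crypt
        '$1$'*)          echo md5 ;;                 # md5crypt, legacy
        '$2'[aby]'$'*)   echo bcrypt ;;
        '$y$'*|'$7$'*)   echo yescrypt-or-scrypt ;;
        ''|'!'*|'*'*)    echo locked ;;              # no usable password: !, !!, *, or !<hash>
        *)               echo des-or-unknown ;;      # 13-char traditional DES, or garbage
    esac
}

# weak_hash_users FILE -> "user scheme" for every account whose password is
# neither SHA-512 hashed nor locked
weak_hash_users() {
    local user field rest algo
    while IFS=: read -r user field rest; do
        algo=$(hash_algo "$field")
        case "$algo" in
            sha512|locked) ;;
            *) echo "$user $algo" ;;
        esac
    done < "$1"
}

# weak_hash_count FILE -> number of such accounts
weak_hash_count() {
    weak_hash_users "$1" | wc -l | tr -d ' '
}

# Constructed sample shadow file: one current hash, two legacy ones, two
# locked accounts and one pre-crypt(3)-style DES field.
SHADOW_SAMPLE=$(mktemp)
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$saltsalt$notarealsha512hashbodyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19000:0:99999:7:::
legacy:$1$abcdefgh$notarealmd5hashbodyxx:17000:0:99999:7:::
svc:$5$anothersalt$notarealsha256hashbodyxxxxxxxxxxxxxxxxxxx:18000:0:99999:7:::
daemon:*:17000:0:99999:7:::
guest:!!:18000:0:99999:7:::
olduser:ab01cd23ef45g:16000:0:99999:7:::
EOF

weak_hash_users "$SHADOW_SAMPLE"
# On a live system (as root): weak_hash_users /etc/shadow, then force each
# listed user to change their password so it is re-hashed with the current
# scheme:   chage -d 0 USER
# Confirm the configured default with:
#   grep '^ENCRYPT_METHOD' /etc/login.defs      (expect SHA512)
#   authconfig --test | grep hashing            (Oracle Linux 6 and 7)
```

Hashes are only re-computed when a password is set, so switching the system default does nothing for existing accounts; that is why the audit is paired with chage -d 0, which forces a change at the next login. Accounts reported as locked are deliberately skipped: a leading ! keeps the old hash in place but makes it unusable.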
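To confirm that the hardware acceleration in the last item is actually in use, the following added example (not from the Oracle Linux guide) checks the CPU flags, the crypto drivers the kernel has registered, and, on request, OpenSSL throughput with AES-NI masked off. cpu_has_flag takes the flag list as an argument so that it can be exercised on a constructed string; the other functions read the live system. The OPENSSL_ia32cap mask is OpenSSL's documented way of hiding CPU features from itself.

```bash
#!/bin/bash
# Added example, not part of the Oracle Linux guide: check whether AES-NI is
# present on the CPU, whether the kernel's aesni_intel driver registered
# AES-NI-backed algorithms, and how much the instructions matter for OpenSSL.

# cpu_has_flag FLAGS FLAG -> true if FLAG appears as a whole word in FLAGS
# (so that "aes" does not match a longer name such as "vaes")
cpu_has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# cpu_aesni -> true if this machine's CPU advertises the aes flag
cpu_aesni() {
    local flags
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2-)
    cpu_has_flag "$flags" aes
}

# kernel_aesni -> true if a crypto driver backed by AES-NI is registered;
# these are the implementations dm-crypt uses for an aes-xts-plain64 volume
kernel_aesni() {
    grep -q '^driver.*aesni' /proc/crypto 2>/dev/null
}

# openssl_aes_bench -> AES-128-CBC throughput with AES-NI and with it masked.
# Bit 57 of OPENSSL_ia32cap is AES-NI; a leading "~" clears the bits given.
openssl_aes_bench() {
    echo "with AES-NI:"
    openssl speed -elapsed -evp aes-128-cbc 2>/dev/null | tail -1
    echo "without AES-NI:"
    OPENSSL_ia32cap="~0x200000000000000" openssl speed -elapsed -evp aes-128-cbc 2>/dev/null | tail -1
}

if cpu_aesni; then
    echo "CPU: AES-NI available"
else
    echo "CPU: no AES-NI"
fi
if kernel_aesni; then
    echo "kernel: aesni driver registered"
else
    echo "kernel: aesni driver not registered (try: modprobe aesni_intel)"
fi
# openssl_aes_bench takes roughly half a minute; run it by hand.
```

A CPU flag alone is not proof: if the aesni_intel module is not loaded, dm-crypt falls back to the generic C implementation, and the benchmark shows the cost of that fallback. The same mask technique lets you verify that a TLS-terminating service really benefits from the instructions before attributing a throughput problem to something else.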