Securing Block Volume
Security Recommendations
- There are two types of volumes: block volumes and boot volumes. Block volumes allow instance storage capacity to be expanded dynamically. A boot volume contains the image used to boot the compute instance. The IAM service groups the family of related volume resource types into a combined resource type called volume-family.
- Assign least privilege access for IAM users and groups to resource types in volume-family. The resource types in volume-family are volumes, volume-attachments, and volume-backups. The volumes resources are detachable block volume devices that allow dynamic expansion of instance storage capacity or contain the image for booting the instance. The volume-attachments resources are attachments between volumes and instances. The volume-backups resources are point-in-time copies of volumes that can be used to create new block volumes or to recover block volumes.
Data Durability
To minimize loss of data due to inadvertent deletes by an authorized user or malicious deletes, Oracle recommends giving the VOLUME_DELETE, VOLUME_ATTACHMENT_DELETE, and VOLUME_BACKUP_DELETE permissions to the minimum possible set of IAM users and groups. DELETE permissions should be given only to tenancy and compartment administrators.
To minimize loss of data due to deletes or corruption, Oracle recommends that you make periodic backups of volumes. Oracle Cloud Infrastructure allows automated scheduled backups. For more information about scheduled backups, see Policy-Based Backups.
Data-at-rest Encryption
By default, volumes and their backups are encrypted at rest using AES-256. You can additionally encrypt your data volumes yourself using tools such as dm-crypt, VeraCrypt, and BitLocker. Instructions for dm-crypt encryption are given under Security-related Tasks later on this page.
Security Policy Examples
Prevent Delete of Volumes
The following example policy allows the group VolumeUsers to perform all actions on volumes and backups except deleting them.
Allow group VolumeUsers to manage volumes in tenancy where request.permission!='VOLUME_DELETE'
Allow group VolumeUsers to manage volume-backups in tenancy where request.permission!='VOLUME_BACKUP_DELETE'
If VolumeUsers must also be prevented from detaching volumes from instances, you can add the following policy to the previous example.
Allow group VolumeUsers to manage volume-attachments in tenancy where request.permission!='VOLUME_ATTACHMENT_DELETE'
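To see what these statements actually grant, the following evaluator (an added example, not Oracle's policy engine or code from this page) parses the statements above and answers "would group G be allowed permission P on resource type R". It assumes a simplified statement grammar (only the manage and inspect verbs, only a condition on request.permission) and a constructed permission table in which the INSPECT and CREATE names sit next to the DELETE names the page lists.

```python
"""Added example, not Oracle's policy engine: a small evaluator for the
volume-family policy statements above.  It shows which requests a
'where request.permission != ...' exclusion still lets through and how
volume-family fans out over the three resource types.  Assumptions
(constructed, not from the page): the simplified statement grammar below,
and the INSPECT/CREATE permission names next to the DELETE ones the page
names."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed subset of the permissions carried by each volume-family type.
VOLUME_FAMILY = {
    "volumes": {"VOLUME_INSPECT", "VOLUME_CREATE", "VOLUME_DELETE"},
    "volume-attachments": {
        "VOLUME_ATTACHMENT_INSPECT", "VOLUME_ATTACHMENT_CREATE",
        "VOLUME_ATTACHMENT_DELETE",
    },
    "volume-backups": {
        "VOLUME_BACKUP_INSPECT", "VOLUME_BACKUP_CREATE", "VOLUME_BACKUP_DELETE",
    },
}

# Simplified grammar: verb is 'manage' (all permissions) or 'inspect'
# (the *_INSPECT ones); the only condition supported is on request.permission.
STATEMENT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>manage|inspect) (?P<rtype>\S+)"
    r" in tenancy(?:\s+where\s+request\.permission\s*(?P<op>!=|=)\s*"
    r"'(?P<perm>[A-Za-z_]+)')?\s*$"
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    rtype: str
    op: Optional[str]
    perm: Optional[str]

    def permits(self, group: str, rtype: str, permission: str) -> bool:
        """True if this single statement grants `permission` on `rtype` to `group`."""
        if group != self.group:
            return False
        # volume-family is the aggregate of the three concrete types.
        covered = (VOLUME_FAMILY if self.rtype == "volume-family"
                   else {self.rtype: VOLUME_FAMILY.get(self.rtype, set())})
        if rtype not in covered:
            return False
        granted = covered[rtype]
        if self.verb == "inspect":
            granted = {p for p in granted if p.endswith("_INSPECT")}
        if permission not in granted:
            return False
        # The where clause narrows the grant; it never widens it.
        if self.op == "!=":
            return permission != self.perm
        if self.op == "=":
            return permission == self.perm
        return True


def parse_policy(text: str) -> List[Statement]:
    """Parse statements; a line not starting with 'Allow' continues the previous one."""
    joined: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Allow"):
            joined.append(line)
        elif joined:
            joined[-1] += " " + line
        else:
            raise ValueError(f"condition without statement: {line!r}")
    statements = []
    for stmt in joined:
        m = STATEMENT.match(stmt)
        if not m:
            raise ValueError(f"unsupported statement: {stmt!r}")
        perm = m["perm"].upper() if m["perm"] else None
        statements.append(Statement(m["group"], m["verb"], m["rtype"], m["op"], perm))
    return statements


def is_allowed(policy: List[Statement], group: str, rtype: str, permission: str) -> bool:
    """IAM grants are additive: allowed if any statement permits the request."""
    return any(s.permits(group, rtype, permission) for s in policy)


# The statements from the page, as written there (split across two lines each).
PAGE_POLICY = """
Allow group VolumeUsers to manage volumes in tenancy
where request.permission!='VOLUME_DELETE'
Allow group VolumeUsers to manage volume-backups in tenancy
where request.permission!='VOLUME_BACKUP_DELETE'
"""
ATTACHMENT_POLICY = """
Allow group VolumeUsers to manage volume-attachments in tenancy
where request.permission!='VOLUME_ATTACHMENT_DELETE'
"""

if __name__ == "__main__":
    policy = parse_policy(PAGE_POLICY + ATTACHMENT_POLICY)
    for rtype, perms in VOLUME_FAMILY.items():
        for perm in sorted(perms):
            verdict = "allowed" if is_allowed(policy, "VolumeUsers", rtype, perm) else "denied"
            print(f"VolumeUsers {perm:28s} on {rtype:19s}: {verdict}")
```

Running it prints one line per permission: every CREATE and INSPECT permission in the family is allowed for VolumeUsers, the three DELETE permissions are denied, and without the third statement nothing on volume-attachments is allowed at all, which is the point of the least-privilege recommendation above.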
Security-related Tasks
Encrypting Non-root Volumes with dm-crypt
dm-crypt is a kernel-level encryption mechanism (part of the Linux device mapper framework) that provides encrypted volumes. It encrypts data passed from the filesystem (for example, ext4 or NTFS) and stores it on a storage device in Linux Unified Key Setup (LUKS) format. The encrypted volumes can be stored on a complete disk, a disk partition, a logical volume, or file-backed storage created using loopback devices. cryptsetup is the user-space utility used to manage dm-crypt and to encrypt partitions and files. dm-crypt uses the Linux crypto APIs for its encryption routines.
- Attach a block storage volume to an instance (for example, as /dev/sdb).
- Format /dev/sdb for LUKS encryption. Enter the LUKS passphrase when prompted. The passphrase is used to encrypt the LUKS master key, which in turn encrypts the volume.
cryptsetup -y luksFormat /dev/sdb
- Verify that the LUKS formatting succeeded.
cryptsetup isLuks /dev/sdb && echo Success
- Get encryption information about the device.
cryptsetup luksDump /dev/sdb
- Get the LUKS UUID of the device. The UUID value is used to configure /etc/crypttab.
cryptsetup luksUUID /dev/sdb
- Open the LUKS container under the device name <dev_name>. This also creates the device node /dev/mapper/<dev_name>.
cryptsetup luksOpen /dev/sdb <dev_name>
- Get information about the mapped device.
dmsetup info <dev_name>
- Format the mapped device node as an ext4 filesystem. Format /dev/mapper/<dev_name>, not /dev/sdb itself: writing a filesystem to /dev/sdb would overwrite the LUKS header you just created.
sudo mkfs -t ext4 /dev/mapper/<dev_name>
- Mount the device node.
mount /dev/mapper/<dev_name> /home/encrypt_fs
- Add an entry to /etc/crypttab.
<dev_name> UUID=<LUKS UUID of /dev/sdb> none
All files copied to /home/encrypt_fs are encrypted by LUKS.
- Add a keyfile to an available keyslot of the encrypted volume. This keyfile can then be used to access the encrypted volume.
dd if=/dev/urandom of=$HOME/keyfile bs=32 count=1
chmod 600 $HOME/keyfile
cryptsetup luksAddKey /dev/sdb ~/keyfile
- Verify the encryption status of the mapped device (cryptsetup status takes the mapping name, not the mount point).
cryptsetup status <dev_name>
- Unmount after you're finished.
umount /home/encrypt_fs
cryptsetup luksClose <dev_name>
To access the encrypted volume:
cryptsetup luksOpen /dev/sdb <dev_name> --key-file=/home/opc/keyfile
mount /dev/mapper/<dev_name> /home/encrypt_fs
If you lose the keyfile, or if the keyfile or passphrase gets corrupted, you can't decrypt the encrypted volume. This results in permanent loss of data. Oracle recommends that you store durable copies of the keyfile on an on-premises host.
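The procedure above collected into one script, added here as an example and not taken from the Oracle page. It assumes the variable names DEV, DEV_NAME, MOUNT_POINT and KEYFILE, GNU stat, and root privileges for the cryptsetup, mkfs and mount steps. The destructive part only runs when RUN_LUKS_SETUP=1 is set; the keyfile and crypttab helpers can be exercised on their own.

```shell
#!/bin/sh
# Added example, not from the Oracle page: the dm-crypt steps above as one
# script with a check between steps. Assumed names: DEV, DEV_NAME,
# MOUNT_POINT, KEYFILE and the functions below.
set -u

DEV="${DEV:-/dev/sdb}"                          # block volume attached to the instance
DEV_NAME="${DEV_NAME:-encrypt_vol}"             # name of the dm-crypt mapping
MOUNT_POINT="${MOUNT_POINT:-/home/encrypt_fs}"
KEYFILE="${KEYFILE:-${HOME:-/root}/keyfile}"

# Build the /etc/crypttab line for a LUKS device from its UUID. The "none"
# field means no keyfile is read at boot; the passphrase is prompted for.
crypttab_entry() {
  printf '%s UUID=%s none\n' "$1" "$2"
}

# Create a 256-bit random keyfile; the umask keeps it owner-only from the
# moment it is created, so there is no window where it is world-readable.
make_keyfile() {
  ( umask 077 && dd if=/dev/urandom of="$1" bs=32 count=1 2>/dev/null ) || return 1
  chmod 600 "$1"
}

# 0 if the keyfile exists, is exactly 32 bytes and has mode 0600.
keyfile_ok() {
  [ -f "$1" ] || return 1
  [ "$(stat -c %s "$1")" = "32" ] || return 1
  [ "$(stat -c %a "$1")" = "600" ] || return 1
}

# Format, open, create the filesystem, mount, add the keyfile slot and
# register the mapping in /etc/crypttab. Stops at the first failed step.
setup_encrypted_volume() {
  cryptsetup -y luksFormat "$DEV" || return 1          # asks for the passphrase twice
  cryptsetup isLuks "$DEV" || return 1                 # header check
  uuid=$(cryptsetup luksUUID "$DEV") || return 1
  cryptsetup luksOpen "$DEV" "$DEV_NAME" || return 1   # creates /dev/mapper/$DEV_NAME
  mkfs -t ext4 "/dev/mapper/$DEV_NAME" || return 1     # the mapping, never $DEV itself
  mkdir -p "$MOUNT_POINT" && mount "/dev/mapper/$DEV_NAME" "$MOUNT_POINT" || return 1
  make_keyfile "$KEYFILE" && keyfile_ok "$KEYFILE" || return 1
  cryptsetup luksAddKey "$DEV" "$KEYFILE" || return 1  # second key slot; passphrase required
  grep -q "^$DEV_NAME " /etc/crypttab 2>/dev/null \
    || crypttab_entry "$DEV_NAME" "$uuid" >> /etc/crypttab
  cryptsetup status "$DEV_NAME"                        # reports cipher, key size, device
}

# Only an explicit opt-in runs the destructive part (luksFormat wipes $DEV).
if [ "${RUN_LUKS_SETUP:-0}" = "1" ]; then
  setup_encrypted_volume
fi
```

Usage: RUN_LUKS_SETUP=1 DEV=/dev/sdb DEV_NAME=encrypt_vol sh luks_setup.sh. The keyfile check is deliberately strict about size and mode: a keyfile readable by other users on the instance defeats the purpose of the second key slot, and a truncated keyfile would leave you with a slot you cannot open.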
Remote Mounting of dm-crypt Encrypted Data Volumes
The following steps are run from the on-premises host that holds the keyfile. They assume that the instance is reachable at SRC_IP and that <OCI_SSH_KEY> is the SSH private key used to log in to the instance.
- Copy the keyfile from the on-premises host to the instance.
scp -i <OCI_SSH_KEY> keyfile opc@SRC_IP:/home/opc
- Open the encrypted volume.
ssh -i <OCI_SSH_KEY> opc@SRC_IP "cryptsetup luksOpen /dev/sdb <dev_name> --key-file=/home/opc/keyfile"
- Mount the volume.
ssh -i <OCI_SSH_KEY> opc@SRC_IP "mount /dev/mapper/<dev_name> /home/encrypt_fs"
- Perform operations on the data in the mounted volume.
- Unmount the encrypted volume.
ssh -i <OCI_SSH_KEY> opc@SRC_IP "umount /home/encrypt_fs"
ssh -i <OCI_SSH_KEY> opc@SRC_IP "cryptsetup luksClose <dev_name>"
- Delete the keyfile from the instance.
ssh -i <OCI_SSH_KEY> opc@SRC_IP "\rm -f /home/opc/keyfile"
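The remote sequence above wrapped so that the keyfile is removed from the instance and the mapping closed even when a step in the middle fails (a failed mount in the plain sequence would otherwise leave the keyfile sitting in /home/opc). This is an added example, not the Oracle page's own procedure. It assumes the variable names HOST (the address the page calls SRC_IP), OCI_SSH_KEY, DEV, DEV_NAME, MOUNT_POINT, LOCAL_KEYFILE and REMOTE_KEYFILE, the opc login, and that the SSH and SCP commands can be replaced by stubs to exercise the control flow without an instance.

```shell
#!/bin/sh
# Added example, not from the Oracle page: the remote open/mount/unmount
# sequence above as one function that always removes the keyfile from the
# instance and closes the mapping, even when a step in the middle fails.
# Assumed names: HOST (the instance address the page calls SRC_IP),
# OCI_SSH_KEY, DEV, DEV_NAME, MOUNT_POINT, LOCAL_KEYFILE, REMOTE_KEYFILE.
set -u

OCI_SSH_KEY="${OCI_SSH_KEY:-${HOME:-/root}/.ssh/oci_key}"
HOST="${HOST:-SRC_IP}"
DEV="${DEV:-/dev/sdb}"
DEV_NAME="${DEV_NAME:-encrypt_vol}"
MOUNT_POINT="${MOUNT_POINT:-/home/encrypt_fs}"
LOCAL_KEYFILE="${LOCAL_KEYFILE:-${HOME:-/root}/keyfile}"
REMOTE_KEYFILE="${REMOTE_KEYFILE:-/home/opc/keyfile}"
# The transport commands are variables so they can be swapped for stubs
# when checking the control flow offline.
SSH="${SSH:-ssh -i $OCI_SSH_KEY}"
SCP="${SCP:-scp -i $OCI_SSH_KEY}"

# Run one command on the instance as opc.
remote() {
  $SSH "opc@$HOST" "$1"
}

# Tear-down in reverse order. Every step is attempted regardless of the
# others, so a failed umount does not leave the keyfile behind.
cleanup_remote() {
  remote "umount $MOUNT_POINT" 2>/dev/null || true
  remote "cryptsetup luksClose $DEV_NAME" 2>/dev/null || true
  remote "rm -f $REMOTE_KEYFILE" 2>/dev/null || true
}

# Copy the keyfile, open and mount the volume, run the work command ($1)
# against the mounted data, then always clean up. Returns the status of the
# first failed step, or 0.
with_encrypted_volume() {
  work_cmd="$1"
  rc=0
  $SCP "$LOCAL_KEYFILE" "opc@$HOST:$REMOTE_KEYFILE" || rc=$?
  if [ "$rc" -eq 0 ]; then remote "chmod 600 $REMOTE_KEYFILE" || rc=$?; fi
  if [ "$rc" -eq 0 ]; then
    remote "cryptsetup luksOpen $DEV $DEV_NAME --key-file=$REMOTE_KEYFILE" || rc=$?
  fi
  if [ "$rc" -eq 0 ]; then remote "mount /dev/mapper/$DEV_NAME $MOUNT_POINT" || rc=$?; fi
  if [ "$rc" -eq 0 ]; then remote "$work_cmd" || rc=$?; fi
  cleanup_remote
  return "$rc"
}

# Stand-alone use: RUN_REMOTE=1 HOST=<instance IP> sh remote_luks.sh "ls -l /home/encrypt_fs"
if [ "${RUN_REMOTE:-0}" = "1" ]; then
  with_encrypted_volume "${1:-ls -l $MOUNT_POINT}"
fi
```

The work command runs between mount and unmount, so the keyfile and the open mapping exist on the instance only for the duration of that command; whatever its exit status, cleanup_remote runs and the function reports the first failure to the caller.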