Securing Block Volume

Security Recommendations

  • There are two types of volumes: block volumes and boot volumes. Block volumes allow instance storage capacity to be expanded dynamically. A boot volume contains the image used to boot the compute instance. The IAM service groups the family of related volume resource types into a combined resource type called volume-family.
  • Assign least privilege access for IAM users and groups to resource types in volume-family. The resource types in volume-family are volumes, volume-attachments, and volume-backups. The volumes resources are detachable block volume devices that allow dynamic expansion of instance storage capacity or contain the image for booting the instance. The volume-attachments resources are attachments between volumes and instances. The volume-backups resources are point-in-time copies of volumes that can be used to create block volumes or recover block volumes.

Data Durability

To minimize loss of data due to inadvertent deletes by an authorized user or malicious deletes, Oracle recommends giving the VOLUME_DELETE, VOLUME_ATTACHMENT_DELETE, and VOLUME_BACKUP_DELETE permissions to the smallest possible set of IAM users and groups. DELETE permissions should be given only to tenancy and compartment administrators.

To minimize loss of data due to deletes or corruption, Oracle recommends that you make periodic backups of volumes. Oracle Cloud Infrastructure allows automated scheduled backups. For more information about scheduled backups, see Policy-Based Backups.

Data-at-rest Encryption

By default, volumes and their backups are encrypted at rest using AES-256. You can also encrypt your data volumes using tools such as dm-crypt, VeraCrypt, and BitLocker. Instructions for dm-crypt encryption are presented in the Security-related Tasks section below.

Security Policy Examples

Prevent Delete of Volumes

The following example policy allows group VolumeUsers to perform all actions on volumes and backups, except deleting them.

Allow group VolumeUsers to manage volumes in tenancy
 where request.permission!='VOLUME_DELETE' 
Allow group VolumeUsers to manage volume-backups in tenancy
 where request.permission!='VOLUME_BACKUP_DELETE'

If VolumeUsers also need to attach volumes to instances but must not be able to detach them, add the following policy to the previous example.

Allow group VolumeUsers to manage volume-attachments in tenancy
 where request.permission!='VOLUME_ATTACHMENT_DELETE'

Security-related Tasks

Encrypting Non-root Volumes with dm-crypt

dm-crypt is a kernel-level encryption mechanism (part of the Linux device mapper framework) that provides encrypted volumes. It encrypts data passed from the filesystem (for example, ext4 or NTFS) and stores it on a storage device in Linux Unified Key Setup (LUKS) format. The encrypted volumes can be stored on a complete disk, a disk partition, a logical volume, or file-backed storage created using loopback devices. cryptsetup is the user-level utility used to manage dm-crypt and to encrypt partitions and files. dm-crypt uses the Linux crypto APIs for its encryption routines.

  1. Attach a block storage volume to an instance (for example, as /dev/sdb).

  2. Format /dev/sdb for LUKS encryption. Enter a LUKS passphrase when prompted. The passphrase encrypts the LUKS master key that is used to encrypt the volume.

    cryptsetup -y luksFormat /dev/sdb
  3. Verify that the LUKS formatting is successful.

    cryptsetup isLuks /dev/sdb && echo Success
  4. Get encryption information about the device.

    cryptsetup luksDump /dev/sdb
  5. Get the LUKS UUID of the device. The UUID value is used to configure /etc/crypttab.

    cryptsetup luksUUID /dev/sdb
  6. Open the LUKS container and map it under the device name dev_name. This creates the device node /dev/mapper/<dev_name>.

    cryptsetup luksOpen /dev/sdb <dev_name>
  7. Get information about the mapped device.

    dmsetup info <dev_name>
  8. Format the device node as an ext4 filesystem. Run mkfs on the mapped device, not on the raw /dev/sdb, which would overwrite the LUKS header.

    mkfs -t ext4 /dev/mapper/<dev_name>
  9. Mount the device node (create the mount point directory first if it does not exist).

    mount /dev/mapper/<dev_name> /home/encrypt_fs
  10. Add an entry to /etc/crypttab.

    <dev_name> UUID=<LUKS UUID of /dev/sdb> none

    All the files copied to /home/encrypt_fs are encrypted by LUKS.

  11. Add a keyfile to an available keyslot of the encrypted volume. This keyfile can be used to access the encrypted volume.

    dd if=/dev/urandom of=$HOME/keyfile bs=32 count=1
    chmod 600 $HOME/keyfile
    cryptsetup luksAddKey /dev/sdb ~/keyfile
  12. Verify the status of the mapped device (cipher, key size, and the underlying block device).

    cryptsetup status <dev_name>
  13. Unmount after you're finished.

    umount /home/encrypt_fs
    cryptsetup luksClose <dev_name>
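The steps above, collected into a guarded script. This is an added example and not Oracle's code; it assumes cryptsetup and mkfs are installed, that it runs as root, and that the device passed in is a freshly attached, empty block volume. The function and variable names (make_keyfile, keyfile_ok, crypttab_entry, encrypt_volume) are this example's own. It adds two checks a practitioner would want: it refuses a device that already carries a LUKS header, and it formats the mapped device rather than the raw disk.

```shell
#!/bin/sh
# Added example (not Oracle's code): a guarded version of the dm-crypt/LUKS
# procedure. Assumes cryptsetup and mkfs are installed and that it runs as
# root against a freshly attached, empty block volume (for example /dev/sdb).

# Write a 32-byte random keyfile that only its owner can read.
make_keyfile() {
    kf=$1
    ( umask 077 && dd if=/dev/urandom of="$kf" bs=32 count=1 2>/dev/null ) || return 1
    chmod 600 "$kf"
}

# Succeed only when the keyfile is exactly 32 bytes and has mode 0600.
keyfile_ok() {
    kf=$1
    [ -f "$kf" ] || return 1
    size=$(wc -c < "$kf" | tr -d ' ')
    mode=$(stat -c %a "$kf" 2>/dev/null || stat -f %Lp "$kf")
    [ "$size" -eq 32 ] && [ "$mode" = 600 ]
}

# Produce the /etc/crypttab line in the layout used on the page:
# <dev_name> UUID=<LUKS UUID> <keyfile or none>
crypttab_entry() {
    printf '%s UUID=%s %s\n' "$1" "$2" "${3:-none}"
}

# The whole procedure. It refuses a device that already carries a LUKS header
# (so an existing volume is never reformatted by accident) and runs mkfs on
# the mapped device, never on the raw disk, which would destroy the header.
encrypt_volume() {
    dev=$1 name=$2 mnt=$3 kf=$4
    if cryptsetup isLuks "$dev" 2>/dev/null; then
        echo "refusing to format $dev: it already holds a LUKS header" >&2
        return 1
    fi
    cryptsetup -y luksFormat "$dev" || return 1       # prompts for the passphrase
    cryptsetup isLuks "$dev" || return 1
    uuid=$(cryptsetup luksUUID "$dev") || return 1
    cryptsetup luksOpen "$dev" "$name" || return 1
    mkfs -t ext4 "/dev/mapper/$name" || return 1
    mkdir -p "$mnt" || return 1
    mount "/dev/mapper/$name" "$mnt" || return 1
    make_keyfile "$kf" && keyfile_ok "$kf" || return 1
    cryptsetup luksAddKey "$dev" "$kf" || return 1    # prompts for the existing passphrase
    crypttab_entry "$name" "$uuid" >> /etc/crypttab   # keyfile "none": passphrase at boot
    cryptsetup status "$name"
}

# Usage (as root): encrypt_volume /dev/sdb cryptvol /home/encrypt_fs /root/keyfile
```

The crypttab line is written with "none" as the key field, matching step 10, so the volume still asks for the passphrase at boot; the keyfile is only a second key slot for scripted access. Keep a durable copy of that keyfile off the instance, as the page recommends, because losing both the passphrase and the keyfile makes the volume unrecoverable.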

To access the encrypted volume:

cryptsetup luksOpen /dev/sdb <dev_name> --key-file=/home/opc/keyfile
mount /dev/mapper/<dev_name> /home/encrypt_fs

If you lose the keyfile, or if the keyfile or passphrase gets corrupted, you can't decrypt the encrypted volume. This results in permanent loss of data. Oracle recommends that you store durable copies of the keyfile on an on-premises host.

Remote Mounting of dm-crypt Encrypted Data Volumes

The following steps are run from the on-premises host that holds the keyfile. SRC_IP stands for the address of the instance, and <OCI_SSH_KEY> is the SSH private key used to log in to the instance.

  1. Copy keyfile from the on-premises host to an instance.

    scp -i <OCI_SSH_KEY> keyfile opc@SRC_IP:/home/opc
  2. Open the encrypted volume.

    ssh -i <OCI_SSH_KEY> opc@SRC_IP "cryptsetup luksOpen /dev/sdb <dev_name> --key-file=/home/opc/keyfile"
  3. Mount the volume.

    ssh -i <OCI_SSH_KEY> opc@SRC_IP "mount /dev/mapper/<dev_name> /home/encrypt_fs"
  4. Perform operations on data in the mounted volume.

  5. Unmount the encrypted volume.

    ssh -i <OCI_SSH_KEY> opc@SRC_IP "umount /home/encrypt_fs"
    ssh -i <OCI_SSH_KEY> opc@SRC_IP "cryptsetup luksClose <dev_name>"
  6. Delete the keyfile from the instance.

    ssh -i <OCI_SSH_KEY> opc@SRC_IP "\rm -f /home/opc/keyfile"
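The remote session above as a script, added here as an example that is not part of the Oracle page. It runs on the on-premises host that holds the keyfile; INSTANCE, KEY, KEYFILE, NAME and MNT are this example's own variable names for the instance address, the SSH private key, the local keyfile, the mapped name and the mount point. Instead of copying the keyfile to the instance and deleting it afterwards (steps 1 and 6), it relies on cryptsetup's --key-file=- convention, which reads the key from standard input, so the key travels inside the SSH channel and is never written to the instance's disk. The volume is closed again even when the command run against it fails.

```shell
#!/bin/sh
# Added example (not Oracle's code) for remote mounting of a dm-crypt volume.
# Runs on the on-premises host that holds the keyfile. Assumes cryptsetup on
# the instance and an SSH login as the opc user.
INSTANCE=${INSTANCE:-}          # address of the instance (SRC_IP on the page)
KEY=${KEY:-}                    # SSH private key for the instance
KEYFILE=${KEYFILE:-}            # local keyfile that unlocks the LUKS volume
NAME=${NAME:-cryptvol}          # mapped device name (<dev_name> on the page)
MNT=${MNT:-/home/encrypt_fs}    # mount point on the instance
SSH=${SSH:-ssh}                 # swap in another command (e.g. echo) to dry-run the logic

# Run a single command on the instance as the opc user.
remote() {
    "$SSH" -i "$KEY" "opc@$INSTANCE" "$1"
}

# Open the LUKS container with the key streamed over stdin, then mount it.
open_remote_volume() {
    remote "cryptsetup luksOpen /dev/sdb $NAME --key-file=-" < "$KEYFILE" || return 1
    remote "mount /dev/mapper/$NAME $MNT"
}

# Unmount and close the container so the plaintext mapping disappears.
close_remote_volume() {
    remote "umount $MNT"
    remote "cryptsetup luksClose $NAME"
}

# Run a local command while the volume is open. The volume is always closed
# afterwards, even when the command fails, and the command's exit status is
# returned to the caller.
with_remote_volume() {
    open_remote_volume || return 1
    if "$@"; then rc=0; else rc=$?; fi
    close_remote_volume
    return $rc
}

# Usage, after setting INSTANCE, KEY and KEYFILE in the environment:
#   with_remote_volume ssh -i "$KEY" "opc@$INSTANCE" "ls -l /home/encrypt_fs"
```

Because the key never lands on the instance, step 6 (deleting the copied keyfile) is not needed in this variant. If the luksOpen fails, the mount is skipped and the function returns non-zero rather than leaving a half-open session behind.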