Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Encrypting the Cloud

Julien Savoie
June 24, 2015
Technology
0
51

Encrypting the Cloud

Encryption in the Cloud. How do we protect our data, at rest, and even from the cloud provider itself?

Julien Savoie

June 24, 2015
Tweet

More Decks by Julien Savoie

See All by Julien Savoie
Passwords! Passwords! Passwords! 2022
jsavoie
0
69
Defeating IPv6 privacy extensions
jsavoie
0
120
Bitcoin Barons
jsavoie
0
86
Software defined murder
jsavoie
1
270
Passwords! Passwords! Passwords!
jsavoie
0
320
How to run a dark market
jsavoie
2
350
Attacking the onion router
jsavoie
0
190
ShellShock
jsavoie
0
120

Other Decks in Technology

See All in Technology
生成AIをより賢く エンジニアのための RAG入門 - Oracle AI Jam Session #20
kutsushitaneko
4
220
MLOps の現場から
asei
6
640
コンテナセキュリティのためのLandlock入門
nullpo_head
2
320
ずっと昔に Star をつけたはずの 思い出せない GitHub リポジトリを見つけたい!
rokuosan
0
150
レンジャーシステムズ | 会社紹介(採用ピッチ)
rssytems
0
150
NW-JAWS #14 re:Invent 2024(予選落ち含)で 発表された推しアップデートについて
nagisa53
0
260
多領域インシデントマネジメントへの挑戦:ハードウェアとソフトウェアの融合が生む課題/Challenge to multidisciplinary incident management: Issues created by the fusion of hardware and software
bitkey
PRO
2
100
WACATE2024冬セッション資料(ユーザビリティ)
scarletplover
0
190
Wantedly での Datadog 活用事例
bgpat
1
440
サービスでLLMを採用したばっかりに振り回され続けたこの一年のあれやこれや
segavvy
2
410
【re:Invent 2024 アプデ】 Prompt Routing の紹介
champ
0
140
re:Invent 2024 Innovation Talks(NET201)で語られた大切なこと
shotashiratori
0
310

Featured

See All Featured
Documentation Writing (for coders)
carmenintech
66
4.5k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5.1k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
510
Automating Front-end Workflow
addyosmani
1366
200k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
127
18k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
KATA
mclloyd
29
14k
Music & Morning Musume
bryan
46
6.2k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
28
2.1k
Producing Creativity
orderedlist
PRO
341
39k

Transcript

  1. Encrypting the Cloud • We're going to be talking about

    storage • Assuming you're already doing transport

  2. Why encrypt? • Loss of physical control • Insider attack

    vector • Cloud provider breach • State actors / Lawyer attacks

  3. At the file system / volume level dm-crypt - ext4/dmcrypt/device

    # cryptsetup -y luksFormat /dev/sda5 # cryptsetup luksOpen /dev/sda5 storagesecure # mkfs.ext4 -j /dev/mapper/storagesecure # mount /dev/mapper/storagesecure /home/securestorage - ext4/lvm/dmcrypt/device # cryptsetup -y luksFormat /dev/sda5 # cryptsetup luksOpen /dev/sda5 sda5_crypt # pvcreate /dev/mapper/sda5_crypt # vgcreate storage /dev/mapper/sda5_crypt # lvcreate -l 100%FREE storage -n secure # mkfs.ext4 -j /dev/mapper/storage-secure # mount /dev/mapper/storage-secure /home/securestorage

  4. Some problems with this • Dealing with reboots – We

    can't store passphrase on server – Remote intervention (automated or manually) • Recovering the key – If we can snapshot memory, we can scrap for key'ing data • Research on the specifics is public • Look for crypt_config struct in memory dump

  5. Can we make our database do this? • MySQL supports

    symmetric encryption mysql> insert into foobar values(1, AES_ENCRYPT('plaintext', SHA2('passphrase', 512))); mysql> select AES_DECRYPT(data, SHA2('passphrase', 512)) from foobar where index=1; • Protecting the passphrase is important – Store passphrase in tmpfs? – Use users password?

  6. Asymmetric approaches • Data stored using public key – PHP

    supports GnuPG gnupg_addencryptkey($resource, "keyfingerprint"); $ciphertext = gnupg_encrypt($resource, "clear text"); • Data retrieved using private key – OpenPGP.js with local key storage – Separate local web server instance

  7. What about backups to the cloud? • Bacula supports data

    encryption PKI Signatures = Yes PKI Encryption = Yes PKI Keypair = "/etc/bacula/my-local-keypair.pem" PKI Master Key = "/etc/bacula/my-master-certificate.crt" • Duplicity has GnuPG support --encrypt-key key-id

  8. We need to think about this issue more. Not enough

    discussion on this. • Follow me @jzsavoie • XMPP [email protected] • Questions, Angry Rants?