Encrypting the Cloud

Encryption in the Cloud. How do we protect our data, at rest, and even from the cloud provider itself?

Julien Savoie

June 24, 2015


Transcript

  1. Encrypting the Cloud
     • We're going to be talking about storage
     • Assuming you're already doing transport
  2. Why encrypt?
     • Loss of physical control
     • Insider attack vector
     • Cloud provider breach
     • State actors / lawyer attacks
  3. At the file system / volume level: dm-crypt
     - ext4/dmcrypt/device
         # cryptsetup -y luksFormat /dev/sda5
         # cryptsetup luksOpen /dev/sda5 storagesecure
         # mkfs.ext4 -j /dev/mapper/storagesecure
         # mount /dev/mapper/storagesecure /home/securestorage
     - ext4/lvm/dmcrypt/device
         # cryptsetup -y luksFormat /dev/sda5
         # cryptsetup luksOpen /dev/sda5 sda5_crypt
         # pvcreate /dev/mapper/sda5_crypt
         # vgcreate storage /dev/mapper/sda5_crypt
         # lvcreate -l 100%FREE storage -n secure
         # mkfs.ext4 -j /dev/mapper/storage-secure
         # mount /dev/mapper/storage-secure /home/securestorage
  4. Some problems with this
     • Dealing with reboots
       – We can't store the passphrase on the server
       – Remote intervention (automated or manual)
     • Recovering the key
       – If we can snapshot memory, we can scrape it for keying material
       – Research on the specifics is public
       – Look for the crypt_config struct in the memory dump
  5. Can we make our database do this?
     • MySQL supports symmetric encryption
         mysql> insert into foobar values(1, AES_ENCRYPT('plaintext', SHA2('passphrase', 512)));
         -- INDEX is a reserved word in MySQL, so the column name has to be quoted with backticks
         mysql> select AES_DECRYPT(data, SHA2('passphrase', 512)) from foobar where `index`=1;
     • Protecting the passphrase is important
       – Store the passphrase in tmpfs?
       – Use the user's password?
  6. Asymmetric approaches
     • Data stored using the public key
       – PHP supports GnuPG
           $resource = gnupg_init();   // context handle the two calls below operate on
           gnupg_addencryptkey($resource, "keyfingerprint");
           $ciphertext = gnupg_encrypt($resource, "clear text");
     • Data retrieved using the private key
       – OpenPGP.js with local key storage
       – Separate local web server instance
  7. What about backups to the cloud?
     • Bacula supports data encryption
         PKI Signatures = Yes
         PKI Encryption = Yes
         PKI Keypair = "/etc/bacula/my-local-keypair.pem"
         PKI Master Key = "/etc/bacula/my-master-certificate.crt"
     • Duplicity has GnuPG support
         --encrypt-key key-id
  8. We need to think about this issue more. Not enough discussion on this.
     • Follow me @jzsavoie
     • XMPP [email protected]
     • Questions, angry rants?
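A worked look at the key that slide 5's AES_ENCRYPT('plaintext', SHA2('passphrase', 512)) call actually ends up using. This is an added example, not code from the deck or from MySQL: it re-implements in Python the XOR key folding that, to my understanding of MySQL's my_aes_create_key(), is applied when the key argument is longer than the AES key length (16 bytes in the default aes-128-ecb mode), and then counts how many distinct values each folded byte can take. SHA2() returns a hex string, so the 128 hex characters are folded eight-at-a-time into 16 bytes; the raw 64-byte digest (UNHEX(SHA2(...))) folds four-at-a-time. The function and variable names are mine; nothing here talks to a database.

```python
"""Added example: effective key strength after MySQL-style XOR key folding.

Assumption (labelled): AES_ENCRYPT folds a key argument longer than the AES
key length by XORing byte i of the argument into slot i % key_len.  That is
how my_aes_create_key() behaves as I understand it; verify against the MySQL
version you run before relying on the numbers.
"""
import hashlib
import math

HEX_ALPHABET = b"0123456789abcdef"      # what SHA2() can emit
ALL_BYTES = bytes(range(256))           # what UNHEX(SHA2()) can emit


def fold_key(key: bytes, key_len: int = 16) -> bytes:
    """XOR-fold an arbitrary-length key into key_len bytes, MySQL style."""
    out = bytearray(key_len)
    for i, b in enumerate(key):
        out[i % key_len] ^= b
    return bytes(out)


def reachable_byte_values(alphabet: bytes, n_terms: int) -> int:
    """Distinct values one folded byte can take when it is the XOR of
    n_terms symbols drawn from alphabet (an exact set-closure computation;
    the working set never exceeds 256 entries)."""
    reach = {0}
    for _ in range(n_terms):
        reach = {r ^ c for r in reach for c in alphabet}
    return len(reach)


def effective_key_bits(alphabet: bytes, key_bytes: int, key_len: int = 16) -> float:
    """Upper bound on the entropy of the folded key: each of the key_len
    slots is the XOR of key_bytes // key_len symbols from alphabet."""
    terms = key_bytes // key_len
    return key_len * math.log2(reachable_byte_values(alphabet, terms))


def derived_keys(passphrase: str) -> dict:
    """The two 16-byte keys MySQL would derive from the same passphrase,
    depending on whether SHA2() output is passed as hex or as raw bytes."""
    digest = hashlib.sha512(passphrase.encode())
    return {
        "hex_key": fold_key(digest.hexdigest().encode()),  # SHA2(p, 512)
        "raw_key": fold_key(digest.digest()),              # UNHEX(SHA2(p, 512))
    }


if __name__ == "__main__":
    print("hex SHA2 key -> %.0f effective bits" % effective_key_bits(HEX_ALPHABET, 128))
    print("raw SHA2 key -> %.0f effective bits" % effective_key_bits(ALL_BYTES, 64))
    for name, key in derived_keys("passphrase").items():   # constructed sample input
        print(name, key.hex())
```

Each folded byte of a hex-string key can take only 32 values (the high nibble is always 0x0 or 0x5), so the slide's call yields at most about 80 bits of key material, whereas folding the raw digest keeps the full 128 bits. Independently of the key, the default aes-128-ecb mode encrypts equal plaintexts to equal ciphertexts, so equal rows remain distinguishable to whoever can read the table.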