STANDARD ECRYPTFS MOUNTS
Encryption of administrative files is vital because attacks can come from anywhere. The notion that firewalls are impenetrable is false. For example, the New York Times was recently hacked because they were printing an article on a wealthy and high-ranking official. It is irresponsible for database professionals to place sensitive administrative files or data in unencrypted volumes.
The purpose of this lab is to familiarize database professionals with encryption techniques. It is by no means an exhaustive class on the topic because to present encryption ad nauseam would take several days and we do not have that luxury.
There are several encryption products freely available to you on both the Linux and Windows platform. Some of the more commonly used packages are ECRYPTFS and GPG. ECRYPTFS differs from other methods that provide block-level encryption. It is an actual file system and this difference allows users to mount folders as if they were encrypted file systems. Other benefits include:
- No special on-disk allocation is needed and you can mount existing folders.
- Ecryptfs can obfuscate file access to all users, including root.
- Support for a myriad of filesystems is available.
GPG encryption is intended to be used at the file level; however, tools like Seahorse (Linux) and GPG4Win allow the user to encrypt entire folders as an encrypted zip file. Take note, that with GPG encryption, you must decrypt the zip, open it, add or modify files, and then encrypt the file/folder in order to protect your sensitive administrative files. Moreover, the root user can see its contents while the file is decrypted.
INSTALLING ECRYPTFS
If you happen to have Red Hat Enterprise Linux or any variant thereof, installing encrypts is a snap. Just issue the following statement:
1 | $ sudo yum install ecryptfs-utils -y |
ECRYPTFS STANDARD MOUNT
First thing’s first, you’ll need to create a directory that you can mount. In this example, we will mount an encrypted volume over the top of the myStuff directory.
1 2 | $ cd $ mkdir myStuff |
You can always mount another folder into your myStuff folder if the system administrator limits the size of your /home directory. If this is the case, try to organize your file system so that all of your sensitive,
administrative files are located in the same place for a particular instance.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | $ cd /u02 $ ll total 8 drwxrw-r-x. 6 oracle oinstall 4096 Jul 18 12:43 admin drwxrw-r-x. 3 oracle oinstall 4096 Jul 18 14:00 oradata $ cd admin $ ll total 16 drwxrw-r-x. 2 oracle oinstall 4096 Jul 18 13:48 download drwxrw-r-x. 2 oracle oinstall 4096 Jul 18 12:43 extdata drwxrw-r-x. 5 oracle oinstall 4096 Jul 18 13:49 install drwxrw-r-x. 2 oracle oinstall 4096 Jul 18 12:43 scripts |
If you are running Oracle RAC and using ASM, the oradata directory will be accessible via the asmcmd command. We’re using file system in this VM. Let’s make two directories in this location. One for our public files and the other for private files:
1 2 3 4 5 6 7 8 | $ mkdir -p t001/public $ mkdir -p t001/private $ cd t001 $ ll total 8 drwxr-xr-x. 2 oracle oinstall 4096 Jul 18 20:16 private drwxr-xr-x. 2 oracle oinstall 4096 Jul 18 20:16 public |
As shown, the contents of the /u02/admin/T001/ folder contain both a public and private folder. Be careful to place only those scripts that contain NO SENSITIVE information in the public folder. For now, we will mount the private folder to the /home/admjmh/myStuff directory. Let’s start by creating a ecMount.sh file in your home directory:
1 2 | $ cd
$ vim ecMount.sh |
Now, add the following lines to your ecMont.sh file:
1 2 3 4 5 6 7 | mount \ -t ecryptfs \ -o ecryptfs_cipher=aes \ -o ecryptfs_key_bytes=16 \ -o ecryptfs_passthrough=no \ -o ecryptfs_enable_filename_crypto=n \ "$1" "$2" |
Save the file and edit another named ecUmount.sh. Add the following line to that file:
1 | sudo umount myStuff/ |
Now change the mode of each file so you can execute them:
1 | $ chmod 750 ecMount.sh ecUmount.sh |
We’re almost done. Now all you have to do is call the shell scripts to mount and unmount your encrypted directory. In the next several steps, we will mount the /u02/admin/T001/private folder to your /home/admjmh/myStuff directory. Then, we will create a text file and then unmount the directory. Finally, we will attempt to view the contents of the file.
1 2 3 4 5 6 | $ cd $ sudo ./ecMount.sh /u02/admin/T001/private /home/admjmh/myStuff $ echo ‘This IS a test OF encryption.’ >> myStuff/test.txt $ sudo ./ecUmount.sh $ cd /u02/admin/T001/private $ vim test.txt |
See how the unmounted file is no longer accessible? You should use this method to protect your administrative scripts as well as your backups. Remember unencrypted exports are easily exploited. All a hacker has to do is to obtain your export, build an Oracle instance of his/her own and import your unencrypted export…
As a bonus activity, export the HR and OE schemas in an unencrypted format. Then, place one copy of your *.dmp file in the mounted myStuff directory and another in the /u02/admin/T001/public folder. Unmount the myStuff directory and open both files in vim or any text editor.
We strongly caution you to encrypt all export and backup files. Never leave them unencrypted, especially if your volumes are shared like they are in NFS mounts. If you have a more recent version of Oracle, you can add the encryption option to your expdp command, but we will talk about that more later.