Old 12-01-2016, 11:09 AM   #1
kaplan71
Member
 
Registered: Nov 2003
Posts: 809

Rep: Reputation: 39
Implementing encryption


Hello --

We are going to be deploying a server with Red Hat Enterprise 7.3 as its operating system. The server has 256 GB of RAM, and is going to operate in the following capacities:

1. NFS server
2. Samba server - with Active Directory authentication enabled
3. Postgres database server
4. NIS authentication server

The configuration will include encryption of all filesystems. I did some research into this, and I came across the RHEL-native LUKS disk encryption, and also the eCryptFS file system service.

I had several questions concerning the two encryption methods:

1. Are the two methods exclusive from each other, or can they be used together?
2. How much of a performance impact does each solution have on general operations?
3. If there are problems with implementing the above solutions, does anyone have an alternative?
 
Old 12-02-2016, 05:14 AM   #2
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,627

Rep: Reputation: 2695
We have implemented LUKS on a couple of RHEL 7 servers at work. It does slow things down a bit, but our systems have on the order of 360G ram, 32 or 64 cores, and fast SAN storage which limits the impact. We found that there was more impact to Database performance if you were using the XFS, or ReiserFS file systems: EXT4 did significantly better. Your mileage may vary.
 
Old 12-02-2016, 07:40 AM   #3
kaplan71
Member
 
Registered: Nov 2003
Posts: 809

Original Poster
Rep: Reputation: 39
Hello --

Thank-you for your reply. I had a follow-up question regarding the LUKS implementation. According to documentation that I read, LUKS is effective when the system is either shut down, or in single-user mode, but not when in run level 2 and above. If that is correct, how would the filesystems on the server be encrypted?
 
Old 12-03-2016, 06:52 AM   #4
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,627

Rep: Reputation: 2695
Quote:
Originally Posted by kaplan71
Hello --

Thank-you for your reply. I had a follow-up question regarding the LUKS implementation. According to documentation that I read, LUKS is effective when the system is either shut down, or in single-user mode, but not when in run level 2 and above. If that is correct, how would the filesystems on the server be encrypted?

Perhaps you misunderstand what they are saying here, and what encryption is FOR.
If someone rips open the machine and steals the drive, proper encryption ensures that they cannot get into the data on it easily. While the system is running the OS must be able to do encryption/decryption on the fly to make use of the disk. If something makes use of the OS while the system is up and running then it can read anything the OS can read because the OS is decrypting the data for your sessions and applications.

I see great purpose in encryption for disks and tapes that will be transported (at risk), but I see MUCH less value in using encryption for server disks in a physically secured and protected environment. Some companies and auditors have, I believe, adopted it as a standard without understanding the value. Encryption in place is not very real protection for any data.

Encryption makes the data disks nearly totally unusable (in terms of data collection) without the disks used to boot the OS it was configured with, or the security keys extracted from that disk. WITH that disk or key, it is as readable as this post. (Perhaps more so, I am not a great writer.)
To avoid greater risk when using it, you need a secure way and place to back up the security keys: in a place physically and logically separated from the server. I also recommend doubling up on your backups, and keep in mind that to maintain the protection levels you need to encrypt your backups and maintain and secure THOSE keys as well!

If the data will ever be in motion, and the risk justifies it, encryption is very doable and worthwhile. It is something of a "can of worms" project that has implications for your systems and performance, backups and Disaster Recovery plans, onsite and offsite storage and record keeping, auditing, and more. Great fun!
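
Added example, not part of the thread or of any poster's reply: the advice in post #4 to back up the keys applies to the LUKS header, which holds the keyslots that wrap the volume's master key. Assuming the LUKS1 on-disk format (the cryptsetup default on RHEL 7) and a header backup taken with `cryptsetup luksHeaderBackup`, this Python code checks that a backup blob parses as a LUKS1 header and still has an active keyslot; `build_sample_header` and every value it packs are constructed sample data.

```python
import struct

# LUKS1 on-disk header (big-endian): 208-byte preamble + 8 keyslots x 48 bytes = 592.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")
MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE, SLOT_INACTIVE = 0x00AC71F3, 0x0000DEAD
NUM_SLOTS = 8


def text(raw):
    # Header strings are NUL-padded ASCII.
    return raw.rstrip(b"\0").decode("ascii")


def inspect_luks1_header(blob):
    """Validate a LUKS1 header backup and report which keyslots are active."""
    if len(blob) < PHDR.size + NUM_SLOTS * SLOT.size:
        raise ValueError("too short to be a LUKS1 header")
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _mk_digest, _mk_salt, _mk_iter, uuid) = PHDR.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("bad magic: not a LUKS header")
    if version != 1:
        raise ValueError("unsupported LUKS version %d" % version)
    active = []
    for i in range(NUM_SLOTS):
        state, _iters, _salt, _km_off, _stripes = SLOT.unpack_from(
            blob, PHDR.size + i * SLOT.size)
        if state == SLOT_ACTIVE:
            active.append(i)
        elif state != SLOT_INACTIVE:
            raise ValueError("keyslot %d has a corrupt state field" % i)
    return {
        "cipher": "%s-%s" % (text(cipher), text(mode)),
        "hash": text(hash_spec),
        "key_bits": key_bytes * 8,
        "uuid": text(uuid),
        "payload_offset_sectors": payload_off,
        "active_slots": active,
        "usable": bool(active),  # no active slot means no passphrase can unlock it
    }


def build_sample_header(active_slots):
    """Constructed sample header for offline testing; not taken from a real disk."""
    hdr = PHDR.pack(MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                    b"\x11" * 20, b"\x22" * 32, 100000,
                    b"00000000-0000-0000-0000-000000000000")
    for i in range(NUM_SLOTS):
        state = SLOT_ACTIVE if i in active_slots else SLOT_INACTIVE
        hdr += SLOT.pack(state, 200000, b"\x33" * 32, 8 + i * 512, 4000)
    return hdr
```

A header backup that passes this check is as sensitive as the passphrase-protected disk itself, so it belongs in the separated, secured storage the post describes.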
 
  

