We are going to be deploying a server with Red Hat Enterprise 7.3 as its operating system. The server has 256 GB of RAM, and is going to operate in the following capacities:
1. NFS server
2. Samba server - with Active Directory authentication enabled
3. Postgres database server
4. NIS authentication server
The configuration will include encryption of all filesystems. I did some research into this, and I came across the RHEL-native LUKS disk encryption, and also the eCryptFS file system service.
I had several questions concerning the two encryption methods:
1. Are the two methods exclusive from each other, or can they be used together?
2. How much of a performance impact does each solution have on general operations?
3. If there are problems with implementing the above solutions, does anyone have an alternative?
We have implemented LUKS on a couple of RHEL 7 servers at work. It does slow things down a bit, but our systems have on the order of 360G ram, 32 or 64 cores, and fast SAN storage which limits the impact. We found that there was more impact to Database performance if you were using the XFS, or ReiserFS file systems: EXT4 did significantly better. Your mileage may vary.
Thank you for your reply. I had a follow-up question regarding the LUKS implementation. According to documentation that I read, LUKS is effective when the system is either shut down, or in single-user mode, but not when in run level 2 and above. If that is correct, how would the filesystems on the server be encrypted?
Perhaps you misunderstand what they are saying here, and what encryption is FOR.
If someone rips open the machine and steals the drive, proper encryption ensures that they cannot get into the data on it easily. While the system is running the OS must be able to do encryption/decryption on the fly to make use of the disk. If something makes use of the OS while the system is up and running then it can read anything the OS can read because the OS is decrypting the data for your sessions and applications.
I see great purpose in encryption for disks and tapes that will be transported (at risk), but I see MUCH less value in using encryption for server disks in a physically secured and protected environment. Some companies and auditors have, I believe, adopted it as a standard without understanding the value. Encryption in place is not very real protection for any data.
Encryption makes the data disks nearly totally unusable (in terms of data collection) without the disks used to boot the OS it was configured with, or the security keys extracted from that disk. WITH that disk or key, it is as readable as this post. (Perhaps more so, I am not a great writer.)
To avoid greater risk when using it, you need a secure way and place to back up the security keys: in a place physically and logically separated from the server. I also recommend doubling up on your backups, and keep in mind that to maintain the protection levels you need to encrypt your backups and maintain and secure THOSE keys as well!
If the data will ever be in motion, and the risk justifies it, encryption is very doable and worthwhile. It is something of a "can of worms" project that has implications for your systems and performance, backups and Disaster Recovery plans, onsite and offsite storage and record keeping, auditing, and more. Great fun!
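
The distinction drawn in the replies above (LUKS protects a disk at rest, while an unlocked volume is readable by the running OS) can be checked against the original requirement of encrypting all filesystems. The script below is an added example, not code from any poster in the thread: the function names `audit_luks` and `sample_lsblk` and the device layout are constructed, and it assumes an `lsblk` that supports `-P` and the KNAME and PKNAME columns.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Reads `lsblk -P` output on stdin and
# reports, per mounted filesystem or swap area, whether it sits on dm-crypt.
# Expected column order: KNAME, PKNAME, TYPE, FSTYPE, MOUNTPOINT.
audit_luks() {
  awk -F'"' '
    # True only if dev is a dm-crypt mapping or every parent below it is on one.
    function on_crypt(dev,    n, i, p) {
      if (type[dev] == "crypt") return 1
      n = split(parents[dev], p, " ")
      if (n == 0) return 0               # reached a bare disk: no crypt layer
      for (i = 1; i <= n; i++) if (!on_crypt(p[i])) return 0
      return 1
    }
    {
      k = $2; type[k] = $6
      if ($4 != "") parents[k] = parents[k] " " $4
      if ($10 != "" && !(k in mnt)) { mnt[k] = $10; order[++cnt] = k }
    }
    END {
      for (i = 1; i <= cnt; i++) {
        k = order[i]
        # An open mapping is still plaintext to anything the running OS permits.
        if (on_crypt(k)) printf "UNLOCKED-CRYPT %s\n", mnt[k]
        else { printf "PLAINTEXT %s\n", mnt[k]; bad = 1 }
      }
      exit bad + 0                       # non-zero if anything is unencrypted
    }'
}

# Constructed sample layout: LUKS under LVM on sda2, plain /boot and /srv/nfs.
sample_lsblk() {
  cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="xfs" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]"
KNAME="sdb" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
KNAME="sdb1" PKNAME="sdb" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/srv/nfs"
EOF
}

# Live use: lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT | audit_luks
sample_lsblk | audit_luks || true
```

A non-zero exit status means at least one mounted filesystem or swap area has no dm-crypt layer beneath it, which makes the function usable as a check in provisioning or compliance scripts.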