Securing Block Volume
- There are two types of volumes: block volumes and boot volumes. Block volumes allow instance storage capacity to be expanded dynamically. A boot volume contains the image used to boot the compute instance. The IAM service groups the family of related volume resource types into a combined resource type called volume-family.
- Assign least privilege access for IAM users and groups to resource types in volume-family. The resource types in volume-family are volumes, volume-attachments, and volume-backups. The volumes resources are detachable block volume devices that allow dynamic expansion of instance storage capacity or contain the image for booting the instance. The volume-attachments resources are attachments between volumes and instances. The volume-backups resources are point-in-time copies of volumes that can be used to create block volumes or recover block volumes.
To minimize loss of data due to inadvertent deletes by an authorized user or malicious deletes, Oracle recommends giving VOLUME_DELETE and VOLUME_BACKUP_DELETE permissions to the minimum possible set of IAM users and groups. These delete permissions should be given only to tenancy and compartment administrators.
To minimize loss of data due to deletes or corruption, Oracle recommends that you make periodic backups of volumes. Oracle Cloud Infrastructure allows automated scheduled backups. For more information about scheduled backups, see Policy-Based Backups.
By default, volumes and their backups are encrypted at rest using AES-256. You can also encrypt your data volumes using tools like dm-crypt, VeraCrypt, and BitLocker. Instructions for dm-crypt encryption are presented in the next section.
Security Policy Examples
Prevent Delete of Volumes
The following example policy allows group VolumeUsers to perform all actions on volumes and backups, except deleting them.
Allow group VolumeUsers to manage volumes in tenancy where request.permission!='VOLUME_DELETE'
Allow group VolumeUsers to manage volume-backups in tenancy where request.permission!='VOLUME_BACKUP_DELETE'
To ensure that VolumeUsers can't detach volumes from instances, add the following policy to the previous example.
Allow group VolumeUsers to manage volume-attachments in tenancy where request.permission!='VOLUME_ATTACHMENT_DELETE'
Encrypting Non-root Volumes with dm-crypt
dm-crypt is a kernel-level encryption mechanism (part of the Linux device mapper framework) that provides encrypted volumes. It encrypts data passed from the filesystem (for example, ext4 and NTFS) and stores it on a storage device in Linux Unified Key Setup (LUKS) format. The encrypted volumes can be stored on a complete disk, a disk partition, a logical volume, or file-backed storage created using loopback devices. cryptsetup is the user-level utility used to manage dm-crypt and to encrypt partitions and files. dm-crypt uses the Linux crypto APIs for its encryption routines.
Attach a block storage volume to an instance (for example, as /dev/sdb) and format it for LUKS encryption. Enter the LUKS passphrase when prompted. The passphrase is used to encrypt the LUKS master key, which in turn encrypts the volume.
cryptsetup -y luksFormat /dev/sdb
Verify that the LUKS formatting is successful.
cryptsetup isLuks /dev/sdb && echo Success
Get encryption information about the device.
cryptsetup luksDump /dev/sdb
Get the LUKS UUID of the device. The UUID value is used to configure the /etc/crypttab entry below.
cryptsetup luksUUID /dev/sdb
Create a LUKS container with device name dev_name. This also creates a device node, /dev/mapper/<dev_name>.
cryptsetup luksOpen /dev/sdb <dev_name>
Get information about the mapped device.
dmsetup info <dev_name>
Format the device node as an ext4 filesystem. Use the mapped device, not /dev/sdb: formatting the raw device would overwrite the LUKS header written by luksFormat.
sudo mkfs -t ext4 /dev/mapper/<dev_name>
Mount the device node.
mount /dev/mapper/<dev_name> /home/encrypt_fs
Add an entry to /etc/crypttab so the mapping is set up at boot.
<dev_name> UUID=<LUKS UUID of /dev/sdb> none
All the files copied to /home/encrypt_fs are encrypted by LUKS.
Add a keyfile to an available keyslot of the encrypted volume. This keyfile can be used to access the encrypted volume.
dd if=/dev/urandom of=$HOME/keyfile bs=32 count=1
chmod 600 $HOME/keyfile
cryptsetup luksAddKey /dev/sdb ~/keyfile
Verify the status of the encrypted mapping. cryptsetup status takes the mapping name, not the mount point.
cryptsetup status <dev_name>
Unmount after you're finished.
umount /home/encrypt_fs
cryptsetup luksClose <dev_name>
To access the encrypted volume:
cryptsetup luksOpen /dev/sdb <dev_name> --key-file=/home/opc/keyfile
mount /dev/mapper/<dev_name> /home/encrypt_fs
If you lose the keyfile, or if the keyfile or passphrase gets corrupted, you can't decrypt the encrypted volume. This results in permanent loss of data. Oracle recommends that you store durable copies of the keyfile on an on-premises host.
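The dm-crypt steps above collected into one script, as an added example that is not from the Oracle page. DEV, NAME, MNT and KEYFILE are assumed defaults that can be overridden from the environment; the script refuses to format a device that is already LUKS or mounted, builds the filesystem on the mapped device rather than the raw one, and creates the keyfile under a private umask.

```shell
#!/bin/sh
# Added example, not from the Oracle page: the dm-crypt/LUKS steps above as one
# script. Run as root on the instance with LUKS_DEMO=1 to act on a device;
# without it only the functions are defined. DEV, NAME, MNT and KEYFILE are
# assumed names and can be overridden from the environment.
set -eu

DEV="${DEV:-/dev/sdb}"
NAME="${NAME:-cryptvol}"
MNT="${MNT:-/home/encrypt_fs}"
KEYFILE="${KEYFILE:-$HOME/keyfile}"

# Build the /etc/crypttab line for a mapping from its LUKS UUID.
crypttab_entry() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# Refuse to format a device that already carries a LUKS header or is mounted:
# luksFormat would destroy whatever is on it.
safe_to_format() {
    if cryptsetup isLuks "$1" 2>/dev/null; then return 1; fi
    if grep -qs "^$1 " /proc/mounts; then return 1; fi
    return 0
}

# luksFormat the raw device, open it, then build ext4 on the mapped device.
# Building the filesystem on /dev/sdb itself would overwrite the LUKS header.
setup_volume() {
    safe_to_format "$DEV" || { echo "$DEV is mounted or already LUKS" >&2; return 1; }
    cryptsetup -y luksFormat "$DEV"
    cryptsetup isLuks "$DEV"
    cryptsetup luksOpen "$DEV" "$NAME"
    mkfs -t ext4 "/dev/mapper/$NAME"
    mkdir -p "$MNT"
    mount "/dev/mapper/$NAME" "$MNT"
    # Create the keyfile under a private umask so it is never world-readable.
    ( umask 077; dd if=/dev/urandom of="$KEYFILE" bs=32 count=1 2>/dev/null )
    cryptsetup luksAddKey "$DEV" "$KEYFILE"
    crypttab_entry "$NAME" "$(cryptsetup luksUUID "$DEV")" >> /etc/crypttab
}

# Unmount and close the mapping when finished.
close_volume() {
    umount "$MNT"
    cryptsetup luksClose "$NAME"
}

if [ "${LUKS_DEMO:-0}" = 1 ]; then
    setup_volume && cryptsetup status "$NAME"
fi
```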
Remote Mounting of dm-crypt Encrypted Data Volumes
The following steps assume that the keyfile is on an on-premises host and that the commands are run from that host, that SRC_IP in the commands is the address of the instance, and that <OCI_SSH_KEY> is the SSH private key of the instance.
Copy keyfile from the on-premises host to an instance.
scp -i <OCI_SSH_KEY> keyfile opc@SRC_IP:/home/opc
Open the encrypted volume.
ssh -i <OCI_SSH_KEY> opc@SRC_IP "cryptsetup luksOpen /dev/sdb <dev_name> --key-file=/home/opc/keyfile"
Mount the volume.
ssh -i <OCI_SSH_KEY> opc@SRC_IP "mount /dev/mapper/<dev_name> /home/encrypt_fs"
Perform operations on data in the mounted volume.
Unmount the encrypted volume.
ssh -i <OCI_SSH_KEY> opc@SRC_IP "umount /home/encrypt_fs"
ssh -i <OCI_SSH_KEY> opc@SRC_IP "cryptsetup luksClose <dev_name>"
Delete the keyfile from the instance.
ssh -i <OCI_SSH_KEY> opc@SRC_IP "\rm -f /home/opc/keyfile"
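The remote sequence above as an added example script, not from the Oracle page, that unmounts, closes the mapping and deletes the keyfile from the instance even when a step fails. KEY, HOST (the instance address the page writes as SRC_IP), NAME and MNT are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the Oracle page: the remote-mount sequence above
# wrapped so the keyfile is removed from the instance even when a step fails.
# KEY, HOST (the instance address written SRC_IP above), NAME and MNT are
# assumed placeholders; run with REMOTE_DEMO=1 from the host holding keyfile.
set -eu

KEY="${KEY:-$HOME/.ssh/oci_key}"
HOST="${HOST:-SRC_IP}"
NAME="${NAME:-cryptvol}"
MNT="${MNT:-/home/encrypt_fs}"
REMOTE_KEYFILE="/home/opc/keyfile"

# Run one command on the instance; BatchMode stops ssh from prompting for a
# password if the key is rejected, so a failure is visible instead of a hang.
remote() {
    ssh -i "$KEY" -o BatchMode=yes "opc@$HOST" "$@"
}

# The luksOpen command for a mapping name and keyfile path, built as a string
# so it can be inspected before it is sent over SSH.
open_cmd() {
    printf 'cryptsetup luksOpen /dev/sdb %s --key-file=%s' "$1" "$2"
}

# Always unmount, close the mapping and delete the keyfile, whatever happened.
cleanup() {
    remote "umount $MNT" || true
    remote "cryptsetup luksClose $NAME" || true
    remote "rm -f $REMOTE_KEYFILE" || true
}

mount_session() {
    trap cleanup EXIT
    scp -i "$KEY" keyfile "opc@$HOST:$REMOTE_KEYFILE"
    # scp does not preserve the local mode, so restrict the copy explicitly.
    remote "chmod 600 $REMOTE_KEYFILE"
    remote "$(open_cmd "$NAME" "$REMOTE_KEYFILE")"
    remote "mount /dev/mapper/$NAME $MNT"
    # Work on the data here; a listing stands in for the real operation.
    remote "ls -l $MNT"
}

if [ "${REMOTE_DEMO:-0}" = 1 ]; then
    mount_session
fi
```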