How to secure your data stored in the cloud

Companies use cloud computing and cloud storage increasingly more . As internet connection becomes faster nowadays, it’s easy to have your applications and files stored in the cloud. Use of a public cloud has many advantages, as follows:

• Flexible capacity & no upfront investment
• Avoding in house maintenance
• Fast deployment
• Global reach
• Backup is not a task to worry about anymore

However, there are precautions that need to be taken in consideration when choosing the right solution for cloud services. The most important elements you need to have in consideration are the following:

• Security – Is your data encrypted when it’s stored? What is the level of encryption? Who has access to the encryption keys?
• Reliability – Can you be certain that the service & data you are storing in the cloud will always be available?
• Continuity – Can the cloud provider suspend or cancel your account, possibly even lose all your data, for any reason?
• Copyright – Who owns the content you upload? Are you really facing the risk that your data be published or sold?

Medical applications for US need to meet the HIPAA compliance. For this condition to be met, the first thing is that all patient data should be stored in a datacenter that is HIPAA compliant. One service that has such a certification is Amazon’s S3. Access to any Amazon EC2 is created upon a 2048-bit RSA key pair, although the file system is not encrypted. If you want bullet proof encryption on your instances you have to encrypt all your data using eCryptfs for filesystem stacked level encryption. For block device level encryption you can use dm-crypt + LUKS or Truecrypt. Another important thing is to keep your connection with clients secure by encrypting your connectivity with a SSL certificate.

In this article I will try to do a short tutorial on how to encrypt using a block device level encryption on RedHat systems using LUKS.

You will first need to install cryptsetup utility, for setting up encrypted filesystems using Device Mapper and dm-crypt. This can be done using the following command:

• # yum install cryptsetup-luks

Now we have to encrypt /dev/sdb for example, be careful, you will lose all your information that is stored on this disk.

• # cryptsetup –y –v luksFormat /dev/sdb

Next we have initialized the volume and set the initial key / passphrase. Be sure that you note the passphrase or remember it because it is not recoverable.
The next command will map the encrypted drive.

• # cryptsetup luksOpen /dev/sdb encrypteddrive

After the verification of passphrase you will see a mapping name /dev/mapper/encrypteddrive which was created with luksFormat.

• # ls –l /dev/mapper/encrypteddrive

Also, you can see the status of encrypted disk by using:

• # cryotsetup –v status encrypteddrive

Now you have to write zeros to /dev/mapper/encrypteddrive for your drive to be protected against disclosure of old data that were on disk before.

• # pv -tpreb /dev/zero | dd of=/dev/mapper/encrypteddrive bs=128M

After this you can create a filesystem on the new drive, and mount it anywhere you want.

• # mkfs.ext4 /dev/mapper/encrypteddrive
• # mount /dev/mapper/encrypteddrive /mnt/newvolume

You can unmount and secure your data by using the following commands:

• # umount /mnt/newvolume
• # cryptsetup luksClose encrypteddrive

If you want to remount again you can do this using:

• # cryptsetup luksOpen /dev/vdb encrypteddrive
• # mount /dev/mapper/encrypteddrive /mnt/newvolume

LUKS is an open project hosted by google, the project page is: https://code.google.com/p/cryptsetup/. You will find there more documentation about this encryption tool.

Nowadays we all see the Cloud as a new open world full of opportunities but also concerns, which explains the growth in popularity of data encryption. A mature security solution is LUKS, that allows you to encrypt an entire system partition or hard drive. This means that all data that is storred in the cloud, including temporary files, will always be encypted, so if your data get stolen it will be unreadable without the encryption key.