File System Encryption Test

This test was executed to verify that LUKS volume encryption is effective.

  1. Create two volumes, here named vol1, vol2.

  2. Attach each one to the instance (here listed as /dev/vdd and /dev/vde) and mount them on /export and /export1 respectively.

    $ df -h
    Filesystem      Size  Used Avail Use% Mounted on
    ...
    /dev/vdd        976M  2.6M  907M   1% /export
    /dev/vde        976M  2.6M  907M   1% /export1
    
  3. Encrypt /export, i.e. /dev/vdd, using fast_luks (/export is the default value).

    $ df -h
    Filesystem            Size  Used Avail Use% Mounted on
    ...
    /dev/vde              976M  2.6M  907M   1% /export1
    /dev/mapper/jtedehex  990M  2.6M  921M   1% /export
    

    Ensure that /export has the same permissions as the other two volumes.

    drwxr-xr-x.   3 centos centos 4096 Nov  9 10:27 export
    drwxr-xr-x.   3 centos centos 4096 Nov  9 10:27 export1
    
  4. Put the same file on both volumes:

    $ echo "encryption test" > /export/test.txt
    $ echo "encryption test" > /export1/test.txt
    
  5. Unmount all the volumes and luksClose the encrypted one:

    $ sudo cryptsetup luksClose /dev/mapper/jtedehex
    
  6. Create the volume binary image using dd:

    $ sudo dd if=/dev/vdd of=/home/centos/vdd_out
    2097152+0 records in
    2097152+0 records out
    1073741824 bytes (1.1 GB) copied, 21.809 s, 49.2 MB/s
    
    $ sudo dd if=/dev/vde of=/home/centos/vde_out
    2097152+0 records in
    2097152+0 records out
    1073741824 bytes (1.1 GB) copied, 21.3385 s, 50.3 MB/s
    
  7. Hex dump the binary images with xxd:

    $ xxd vdd_out > vdd.txt
    
    $ xxd vde_out > vde.txt
    

    As output you should have:

    $ ls -ltrh
    -rw-r--r--.  1 root   root   1.0G Nov  9 11:19 vdd_out
    -rw-r--r--.  1 root   root   1.0G Nov  9 11:22 vde_out
    -rw-rw-r--.  1 centos centos 4.2G Nov  9 11:32 vdd.txt
    -rw-rw-r--.  1 centos centos 4.2G Nov  9 11:36 vde.txt
    
  8. Grep the non-zero lines and search them for the test.txt file content, "encryption test":

    $ grep -v "0000 0000 0000 0000 0000 0000 0000 0000" vde.txt > grep_vde.txt
    $ grep "encryption test" grep_vde.txt
    8081000: 656e 6372 7970 7469 6f6e 2074 6573 740a  encryption test.
    
    $ grep -v "0000 0000 0000 0000 0000 0000 0000 0000" vdd.txt > grep_vdd.txt
    $ grep "encryption test" grep_vdd.txt
    $
    

    Note

    It is possible to see the test.txt file content only on the un-encrypted volume.

    Moreover, the output file for the un-encrypted volume, grep_vde.txt, is 73 KB, while the one for the encrypted volume, grep_vdd.txt (138 MB), is very large:

    -rw-rw-r--.  1 centos centos  73K Nov  9 11:46 grep_vde.txt
    -rw-rw-r--.  1 centos centos 138M Nov  9 11:58 grep_vdd.txt
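
The check in steps 6 to 8 can also be run directly on the raw image, without producing the 4.2 GB hex dumps. The script below is an added example, not part of the original test procedure; the function names and the sample images are assumptions, and the LUKS-like sample is only the LUKS magic followed by random bytes, not a real container.

```shell
#!/bin/sh
# Added example: verify that a raw volume image carries a LUKS header and
# does not expose a known plaintext marker (here "encryption test").

# Succeed if the image starts with the LUKS magic bytes 'L','U','K','S',0xba,0xbe.
has_luks_header() {
    [ "$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')" = "4c554b53babe" ]
}

# Print the decimal byte offset of every occurrence of marker $2 in image $1.
# tr maps NUL to newline one-for-one, so offsets are preserved and long runs
# of zeros do not become one huge line for grep to buffer.
marker_offsets() {
    tr '\000' '\n' < "$1" | LC_ALL=C grep -a -b -o -F -- "$2" | cut -d: -f1
}

# Verdict for one image: PASS only if the marker is absent and the header is LUKS.
check_image() {
    if [ -n "$(marker_offsets "$1" "$2")" ]; then
        echo "FAIL: marker readable"
    elif ! has_luks_header "$1"; then
        echo "FAIL: no LUKS header"
    else
        echo "PASS"
    fi
}

# Build two small constructed sample images in directory $1 (not real volumes).
build_samples() {
    # Plain image: 4 KiB of zeros, the marker, 4 KiB of zeros.
    { head -c 4096 /dev/zero; printf 'encryption test\n'; head -c 4096 /dev/zero; } \
        > "$1/plain.img"
    # LUKS-like image: magic bytes, then random data standing in for ciphertext.
    { printf 'LUKS\272\276'; head -c 8192 /dev/urandom; } > "$1/luks.img"
}

# Stand-alone use: sh check.sh <image> <marker>
if [ "$#" -eq 2 ]; then
    check_image "$1" "$2"
fi
```

Run against the images from step 6, for example with /home/centos/vdd_out and "encryption test" as arguments; marker_offsets reports decimal offsets, whereas xxd prints them in hexadecimal.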
    

We also tried to open the volume while it was active (LUKS volume opened and mounted, Galaxy running) in the Virtual Machine, from the cloud controller (as administrator).

Test executed on the cloud controller:

    # rbd map volume-3bedc7bc-eaed-466f-9d55-f2c29b44a7b2 --pool volumes
    /dev/rbd0

    # lsblk -f
    NAME          FSTYPE      LABEL UUID                                   MOUNTPOINT
    sda
    |-sda1        ext4              db06fc46-7231-4189-ba2b-0b0117049680   /boot
    |-sda2
    |-sda5        swap              e5b98538-8337-4e25-8f82-f97f04258716   [SWAP]
    `-sda6        LVM2_member       n4SAgY-GRNy-4Fl2-ROoQ-rRIf-bdBP-QC1B6s
      `-vg00-root ext4              1e3f1ff1-8677-4236-8cb4-07d5cad32441   /
    rbd0          crypto_LUKS       c4bee3b9-e0dc-438e-87ae-2a3e491081c0

    # mount /dev/rbd0 /mnt/
    mount: unknown filesystem type ‘crypto_LUKS’

It is not possible to mount the volume without the user password.