Storage encryption

While the adoption of a distributed environment for data analysis makes data difficult to be tracked and identified by a malevolus attacker, full data anonymity and isolation is still not granted.

For this reason, we have introduced the possibility for the user to isolate data through standard filesystem encryption, using the Linux device mapper encryption module, dm-crypt as encryption backend, cryptsetup, which is a command line interface to dm-crypt and LUKS (Linux Unified Key Setup) as encryption mode.

Disk encryption ensures that files are stored on disk in an encrypted form: the files only become available to the operating system and applications in readable when the volume is unlocked by a trusted user. The adopted block device encryption method, operates below the filesystem layer and ensures that everything is written to the block device (i.e. the external volume) is encrypted.

Dm-crypt is the standard device-mapper encryption functionality provided by the Linux kernel. Dm-crypt management is entrusted to the cryptsetup userspace utility, using LUKS as default block-device encryption method. LUKS, is an additional layer which stores all the needed setup information for dm-ctypt on the disk itself, abstracts partition and key management in an attempt to improve ease of use and cryptographic security

To automatically setup LUKS volumes on your Galaxy instances a bash script, named fast-luks has been created. The script has been integrated in the Galaxy instantiation procedure: if the File System Encryption option is selected through the dialogue window the users will be required to insert a password to encrypt/decrypt data on the virtual instance during its deployment, avoiding any interaction with the cloud administrator(s). For more details see: Fast-luks script.


During the ancryption procedure an e-mail is sent to the Galaxy Instance Administrator, with the Virtual Machine IP address and a detailed description of the procedure to inject the encryption password in the system. The Galaxy installation procedure is paused until the password is correctly set (after 5 hours the system will return an error).


The system does not store your keys on its servers and cannot access your protected data unless you provide the key. This also means that if you forget or lose your key, there is no way to recover the key or to recover any data encrypted with the lost key.

Default configuration

Fast-luks, by default adopt xts-aes-plain64 cipher with 256 bit keys ans sha256 hashing algorithm.

Once the LUKS partition is created, it is unlocked.

The unlocking process will map the partition to a new device name using the device mapper. This alerts the kernel that device is actually an encrypted device and should be addressed through LUKS using the /dev/mapper/<cryptdev_name> so as not to overwrite the encrypted data. cryptdev_name is random generated to avoid accidental overwriting.

The volume is mounted, by default, on /export, with standard ext4 filesystem and Galaxy is configured to store here datasets.

Defaults values

# Defaults

Password choice

During the encryption procedure ( Storage encryption procedure), users are required to configure their encryption password. You must provide at least an alphanumeric 8-character long password. A random generated password is generated by the script, ONLY FOR EXAMPLE!

During the encryption procedure, the password will be required three times.

The script will query for passwords twice, to verify it. Then, you have to unlock your device, by inserting your password.

The procedure is described here: ( Storage encryption procedure).


During the encryption procedure ( Storage encryption procedure), fast-luks creates a configuration ini file, allowing Galaxy administrator to easily mange LUKS devices, through the luksctl script (Luksctl: LUKS volumes management).

By default the file is stored in /etc/galaxy/luks-cryptdev.ini.

The script requires superuser rights.

Action Command Description
Open sudo luksctl open Open the encrypted device, requiring your passphrase.
Close sudo luksctl close Close the encrypted device
Status sudo luksctl status Check device status using dm-setup

Galaxyctl can be used to parse luksctl commands:

Action Command Description
Open LUKS volume sudo galaxyctl open luks Open the encrypted device, requiring your passphrase.
Close LUKS volume sudo galaxyctl close luks Close the encrypted device
Check LUKS volume sudo galaxyctl status luks Check device status using dm-setup

Fast-luks script

The fast-luks script is located in /usr/local/bin/fast-luks.

It parse common cryptsetup parameters to encrypt the volume. For this reason it checks for cryptsetup and dm-setup packages and it install cryptsetup, if not installed.

Typing sudo fast-luks the script will load defaults parameters and will LUKS format /dev/vdb device, otherwise different parameters can be specified.

NB: Run as root.

Argument Defaults Description
-c, --cipher aes-xts-plain64 Set cipher specification string.
-k, --keysize 256 Set key size in bits.
-a, --hash_algorithm sha256 For luksFormat action specifies hash usedin LUKS key setup scheme and volumekey digest.
-d, --device /dev/vdb Set device to be mounted
-e, --cryptdev crypt Sets up a mapping <name> after successfulverification of the supplied key(via prompting).
-m, --mountpoint /export Set mount point
-f, --filesystem ext4 Set filesystem
$ sudo fast-luks --help
               Filesystem encryption script

A password with at least 8 alphanumeric string is needed
There's no way to recover your password.
Example (automatic random generated passphrase):

You will be required to insert your password 3 times:
  1. Enter passphrase
  2. Verify passphrase
  3. Unlock your volume

The connection will be  automatically closed.


fast-luks: a bash script to automate LUKS file system encryption.
 usage: fast-luks [-h]

 optionals argumets:
 -h, --help           show this help text
 -c, --cipher                 set cipher algorithm [default: aes-xts-plain64]
 -k, --keysize                set key size [default: 256]
 -a, --hash_algorithm         set hash algorithm used for key derivation
 -d, --device                 set device [default: /dev/vdb]
 -e, --cryptdev               set crypt device [default: cryptdev]
 -m, --mountpoint             set mount point [default: /export]
 -f, --filesystem             set filesystem [default: ext4]
 --default                    load default values

Cryptsetup howto

The cryptsetup action to set up a new dm-crypt device in LUKS encryption mode is luksFormat:

cryptsetup -v --cipher aes-xts-plain64 --key-size 256 --hash sha 256 --iter-time 2000 --use-urandom --verify-passphrase luksFormat crypt --batch-mode

where crypt is the new device located to /dev/mapper/crypt.

To open and mount to /export an encrypted device:

cryptsetup luksOpen /dev/vdb crypt

mount /dev/mapper/crypt /export

To show LUKS device info:

dmsetup info /dev/mapper/crypt

To umount and close an encrypted device:

umount /export

cryptsetup close crypt

To force LUKS volume removal:

dmsetup remove /dev/mapper/crypt


NB: Run as root.

Change LUKS password

LUKS provides 8 slots for passwords or key files. First, check, which of them are used:

cryptsetup luksDump /dev/<device> | grep Slot

where the output, for example, looks like:

Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Then you can add, change or delete chosen keys:

cryptsetup luksAddKey /dev/<device> (/path/to/<additionalkeyfile>)

cryptsetup luksChangeKey /dev/<device> -S 6

As for deleting keys, you have 2 options:

  1. delete any key that matches your entered password:

    cryptsetup luksRemoveKey /dev/<device>
  2. delete a key in specified slot:

    cryptsetup luksKillSlot /dev/<device> 6