
Although there is plenty of information about how to create encrypted partitions (like http://silvexis.com/2011/11/26/encrypting-your-data-on-amazon-ec2/), there's not much information suggesting what to encrypt.

Since Amazon doesn't provide terminal access during boot, the system needs to be able to boot without the encrypted partitions and load the DHCP and sshd daemons. After that the instance can be connected to, manually or automatically, and the passphrase for the encrypted partitions supplied.

Given all this, it's easy enough to encrypt /home, /tmp, and swap. Are there other parts of the filesystem that I can/should partition off and encrypt?

Edit: What can I partition off and encrypt, and still boot & load networking/sshd? For example, I experimented with encrypting all of /var but then networking wouldn't start since it needed files from there.

Peter
    Well, where are you putting the stuff you want encrypted? – ceejayoz Dec 19 '12 at 18:22
  • Right, I can take care of files I want specifically encrypted. This is about the linux filesystem itself. – Peter Dec 19 '12 at 19:07
  • That's going to depend on what your instance is doing, your data security requirements, etc. Some folks would need `/var/log/apache2` encrypted, others wouldn't. You can answer this question better than we can. – ceejayoz Dec 19 '12 at 19:11
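The boot-then-unlock flow the question describes, as an added example (this is not code from the original question or its answer): /home, /tmp and swap are listed noauto so the root filesystem, DHCP and sshd come up without them, and a script run after the ssh login opens and mounts them. The device names /dev/xvdf1, /dev/xvdf2 and /dev/xvdf3, the mapper names, and the Debian-style /etc/crypttab format are assumptions.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumptions (hypothetical device names): /dev/xvdf1 holds /home, /dev/xvdf2 holds /tmp,
# /dev/xvdf3 is swap. Everything the instance needs to reach sshd stays on the unencrypted
# root volume; these three are opened only after an ssh login.

RUN=${RUN:-}   # set RUN=echo to print the commands instead of running them (dry run)

# name:device:mountpoint:fstype  (the "swap" entry uses a throwaway random key, no passphrase)
VOLUMES="home:/dev/xvdf1:/home:ext4
tmp:/dev/xvdf2:/tmp:ext4
cryptswap:/dev/xvdf3:none:swap"

split_volume() {            # sets $name $dev $mnt $fs from one VOLUMES record
  name=${1%%:*}; rest=${1#*:}
  dev=${rest%%:*};  rest=${rest#*:}
  mnt=${rest%%:*};  fs=${rest#*:}
}

# /etc/crypttab and /etc/fstab entries that let the system boot WITHOUT these volumes:
# "noauto" in both files means no boot-time passphrase prompt and no failed mount
# (a missing "noauto" here is exactly what makes an unattended EC2 boot hang).
boot_safe_tables() {
  echo "# /etc/crypttab"
  for v in $VOLUMES; do
    split_volume "$v"
    if [ "$fs" = swap ]; then
      echo "$name $dev /dev/urandom swap,cipher=aes-xts-plain64,size=256,noauto"
    else
      echo "$name $dev none luks,noauto"
    fi
  done
  echo "# /etc/fstab"
  for v in $VOLUMES; do
    split_volume "$v"
    if [ "$fs" = swap ]; then
      echo "/dev/mapper/$name none swap sw,noauto 0 0"
    else
      echo "/dev/mapper/$name $mnt $fs defaults,noauto 0 2"
    fi
  done
}

# Run as root over ssh once the instance is up; "cryptsetup open" prompts for the LUKS passphrase.
unlock_all() {
  for v in $VOLUMES; do
    split_volume "$v"
    if [ -e "/dev/mapper/$name" ] && [ -z "$RUN" ]; then
      echo "$name already open, skipping" >&2; continue      # idempotent: safe to re-run
    fi
    if [ "$fs" = swap ]; then
      $RUN cryptsetup -d /dev/urandom create "$name" "$dev" || return 1
      $RUN mkswap "/dev/mapper/$name" || return 1
      $RUN swapon "/dev/mapper/$name" || return 1
    else
      $RUN cryptsetup open "$dev" "$name" || return 1
      $RUN mount -t "$fs" "/dev/mapper/$name" "$mnt" || return 1
    fi
  done
}

# usage, as root after logging in over ssh:   ./unlock.sh
# dry run without root:                       RUN=echo ./unlock.sh
if [ "${0##*/}" = unlock.sh ]; then
  unlock_all
fi
```

Anything that has to exist before sshd answers (the network scripts, /var/run, /var/lib/dhcp and the like) must stay on the root volume; that is why encrypting all of /var breaks networking, while /home, /tmp and swap can be deferred to this post-login step.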

1 Answer


Well, there is nothing to prevent you from creating encrypted filespaces via dd:

dd if=/dev/zero of=/home/dir/something count=$((65536*1024))   # 512-byte blocks: a 32 GiB container file
cryptsetup luksFormat /home/dir/something                        # encrypt the container (sets the passphrase)
cryptsetup open /home/dir/something something                    # maps it to /dev/mapper/something
mkfs /dev/mapper/something                                       # the filesystem goes on the mapped device, not the raw file
cryptsetup -d /dev/urandom create cryptoswap /dev/hda3           # plain-mode swap keyed from /dev/urandom at each boot
mkswap /dev/mapper/cryptoswap && swapon /dev/mapper/cryptoswap

See also https://help.ubuntu.com/community/EncryptedFilesystemHowto

ArrowInTree