
Securing data at rest: from LUKS to NBDE, a modern encryption guide

“What happens if your servers, laptops or disks are stolen? Is the data still accessible? You can only answer ‘no’ if you have full disk encryption.”

In today’s threat landscape, encrypting data is not optional; it is basic hygiene. Different uses and applications need encryption at different levels, but encryption at the disk level, FDE (Full Disk Encryption), has been the de facto standard for securing data at rest. If you run Linux systems or large data workloads, you have probably heard of LUKS (Linux Unified Key Setup), dm-crypt (the device-mapper crypt target) and NBDE (Network-Bound Disk Encryption). Let’s break down what these are, why they matter, and when you should use them.

What are the different types of encryption?

Data encryption at the application level

  • The preferred way to encrypt sensitive data: the application encrypts it with encryption keys before writing it to disk or to a database.
  • The encryption keys are managed in a separate system such as a Key Management System (KMS), so that key storage is isolated from the encrypted data.
  • This protects the data even if an attacker gains access at the file-system or database-administrator level, because without the keys the data is only ciphertext.
  • Requires extra logic in the application layer to handle encryption and decryption.
  • Suitable for protecting sensitive data to meet industry compliance requirements, for example:
  • PII (Personally Identifiable Information): names, addresses, phone numbers, e-mail addresses, SSNs, etc.
  • PCI DSS (Payment Card Industry Data Security Standard): credit card numbers, CVV codes, expiration dates, etc.
  • PHI (Protected Health Information, covered by HIPAA): medical records, diagnoses, treatment information, laboratory results, insurance details and other patient health information.
  • Other sensitive or regulated data: trade secrets, intellectual property, financial records, legal documents, or any data whose exposure would cause a compliance violation or reputational damage.

Database encryption

  • Encrypts data at rest inside the database system (e.g., Transparent Data Encryption, TDE).
  • Usually encrypts the whole database file, a table, a column or a tablespace automatically, without changes to the application.
  • The keys are managed by the database engine or an integrated KMS.
  • Protects against threats such as stolen disks or unauthorized file access, but not against privileged users (e.g., DBAs) who can query the data in the clear if they have database access.

File System level encryption

  • Suitable for encrypting individual files, folders or volumes.
  • Key management can be done at the operating-system level, or with a TPM, an HSM or a KMS.
  • Protects against physical theft or loss of the device.
  • Best suited for endpoint security.

Full Disk Encryption (FDE)

  • Encrypts and decrypts data at the block-device (device-mapper) level, below the file system.
  • Protection against direct access to the media: if an attacker obtains the disk itself, the data cannot be read offline. There have been many such incidents, including in the financial industry.
  • Required for big-data systems, which store unstructured data in clusters that cannot carry the cost of encryption in the application layer.
  • Performance and cost efficiency: in some scenarios it is considerably faster and cheaper than encrypting in a complex, distributed application layer.
  • FDE is not a replacement for application-level encryption: once the volume is unlocked, the operating system and every process on it see plaintext. It complements application-level encryption and strengthens the overall security posture for data at rest.

In the following sections we discuss full disk encryption with LUKS (Linux Unified Key Setup) and how to harden it with NBDE (Network-Bound Disk Encryption).

Linux Unified Key Setup (LUKS)

  • The de facto standard for full disk encryption on Linux, built on the kernel’s device-mapper crypt target (dm-crypt).
  • The disk encryption key (master key) is itself encrypted with a passphrase or a key file.
  • The key material can be kept in a file protected by operating-system permissions (a key file).
  • A key file should be kept on a different disk from the LUKS-protected disk.
  • LUKS1 has 8 key slots, so up to 8 passphrases or key files can unlock the same disk; LUKS2 offers 32 key slots.
  • LUKS is generally considered the standard for full disk encryption; because CPU vendors implement AES-NI (AES New Instructions) natively, the CPU overhead is low.
  • Default cipher: aes-cbc-essiv:sha256 (older cryptsetup default) or aes-xts-plain64 (current default, used by OS installers).
  • Default key size: 256 bits; the Anaconda installer uses 512 bits in XTS mode, where the key is split into two 256-bit AES keys.
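The cipher, key size and key-slot points above are exactly what a practitioner audits on an existing volume. The following is an added example for this article (not cryptsetup code): it parses the output of `cryptsetup luksDump` for both LUKS1 and LUKS2 headers and reports deviations from a policy. The two sample dumps are constructed and abridged, the UUIDs are placeholders, and the policy thresholds (XTS 512-bit keys, Argon2id, at most three key slots) are this example’s assumptions.

```python
"""Audit a LUKS header from `cryptsetup luksDump` output.

Added example for this article; it is not cryptsetup code. The two sample
dumps are constructed and abridged; the policy thresholds are assumptions.
"""
import re
import subprocess

# Constructed LUKS1 dump: legacy CBC cipher, 256-bit master key, 2 slots used.
SAMPLE_LUKS1 = """\
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
MK bits:        256
UUID:           00000000-1111-2222-3333-444444444444

Key Slot 0: ENABLED
        Iterations:             512000
Key Slot 1: ENABLED
        Iterations:             498000
Key Slot 2: DISABLED
"""

# Constructed LUKS2 dump: XTS cipher, 512-bit key, an Argon2id passphrase
# slot and a PBKDF2 slot owned by a Clevis (NBDE) token.
SAMPLE_LUKS2 = """\
LUKS header information
Version:        2
UUID:           55555555-6666-7777-8888-999999999999

Data segments:
  0: crypt
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
  1: luks2
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      pbkdf2
Tokens:
  0: clevis
        Keyslot:    1
Digests:
  0: pbkdf2
"""


def parse_luks_dump(text):
    """Pull version, cipher, key size, used key slots, PBKDFs and tokens."""
    info = {"version": 0, "cipher": "", "key_bits": 0,
            "keyslots": 0, "pbkdf": set(), "tokens": set()}
    m = re.search(r"^Version:\s*(\d+)", text, re.M)
    info["version"] = int(m.group(1)) if m else 0
    if info["version"] == 1:
        name = re.search(r"^Cipher name:\s*(\S+)", text, re.M)
        mode = re.search(r"^Cipher mode:\s*(\S+)", text, re.M)
        if name and mode:
            info["cipher"] = f"{name.group(1)}-{mode.group(1)}"
        bits = re.search(r"^MK bits:\s*(\d+)", text, re.M)
        info["key_bits"] = int(bits.group(1)) if bits else 0
        info["keyslots"] = len(re.findall(r"^Key Slot \d+: ENABLED", text, re.M))
        info["pbkdf"].add("pbkdf2")           # LUKS1 supports only PBKDF2
    else:
        m = re.search(r"^\s*cipher:\s*(\S+)", text, re.M)   # data segment line
        info["cipher"] = m.group(1) if m else ""
        bits = re.search(r"^\s*Cipher key:\s*(\d+) bits", text, re.M)
        info["key_bits"] = int(bits.group(1)) if bits else 0
        info["keyslots"] = len(re.findall(r"^\s+\d+: luks2\s*$", text, re.M))
        info["pbkdf"] = set(re.findall(r"^\s*PBKDF:\s*(\S+)", text, re.M))
        if "Tokens:" in text:
            section = text.split("Tokens:", 1)[1].split("Digests:", 1)[0]
            info["tokens"] = set(re.findall(r"^\s+\d+: (\S+)\s*$", section, re.M))
    return info


def audit(info, max_slots=3):
    """Return human-readable findings; the thresholds are policy assumptions."""
    findings = []
    if info["version"] == 1:
        findings.append("LUKS1 header: PBKDF2 only and no LUKS2 tokens; "
                        "consider `cryptsetup convert --type luks2`")
    if not info["cipher"].startswith("aes-xts-plain64"):
        findings.append(f"cipher {info['cipher']!r}: prefer aes-xts-plain64 "
                        "(current cryptsetup default, AES-NI accelerated)")
    # An XTS key is two AES keys, so the effective AES strength is half of it.
    effective = info["key_bits"] // 2 if "xts" in info["cipher"] else info["key_bits"]
    if effective < 256:
        findings.append(f"effective AES key is {effective} bits: use 512-bit XTS (AES-256)")
    if info["version"] >= 2 and "pbkdf2" in info["pbkdf"]:
        findings.append("a key slot uses PBKDF2; prefer argon2id for passphrase slots")
    if info["keyslots"] > max_slots:
        findings.append(f"{info['keyslots']} key slots in use: confirm who holds each passphrase")
    if "clevis" in info["tokens"]:
        findings.append("info: Clevis token present, volume is NBDE-bound for automatic unlock")
    return findings


def audit_device(device):
    """Run `cryptsetup luksDump` on a real device (needs root) and audit it."""
    out = subprocess.run(["cryptsetup", "luksDump", device],
                         check=True, capture_output=True, text=True).stdout
    return audit(parse_luks_dump(out))


if __name__ == "__main__":
    for name, dump in (("LUKS1", SAMPLE_LUKS1), ("LUKS2", SAMPLE_LUKS2)):
        print(name, audit(parse_luks_dump(dump)))
```

On a live system `audit_device("/dev/sdb1")` runs as root against the real header; the parser only reads text, so it can also be pointed at dumps collected from a fleet. Note that the PBKDF2 slot in the LUKS2 sample is the one owned by the Clevis token, so a policy that demands Argon2id for every slot would have to exempt token-owned slots.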

Figure: LUKS – Full Disk Encryption

LUKS installation

The following document gives step-by-step guidance for setting up LUKS on Red Hat Enterprise Linux systems.

https://www.redhat.com/en/blog/disk-

What is LUKS not suitable for?

  • Always treat LUKS as a complementary encryption mechanism at the disk level, used alongside encryption at the application level. It is not a substitute for application-, database- or file-system-level encryption.
  • LUKS is a convenience layer that stores all the setup information dm-crypt needs on the disk itself, and abstracts partition and key management to improve both usability and cryptographic security.
  • Plain dm-crypt mode, the underlying kernel functionality, does not use this convenience layer, and the same encryption strength is harder to achieve with it. Let’s look at the differences between LUKS and plain dm-crypt.

Differences between LUKS and plain dm-crypt

Feature                                                        LUKS   plain dm-crypt
License (GPL)                                                  Yes    Yes
Change the passphrase without re-encrypting the data           Yes    No
Low-entropy passphrases protected by salting and hashing       Yes    No
  (against dictionary attacks)
Multiple decryption keys for the same encrypted data           Yes    No
Key recovery mechanism (header backup and restore)             Yes    No
Encryption settings stored on the disk                         Yes    No

Where to keep key files safely

  1. TPM 2.0 (Trusted Platform Module) integration.
  2. Integration with purpose-built key storage.
  3. A different disk or mount point from the main disk, and of course one that cannot easily be removed.
  4. HSM (Hardware Security Module).
  5. NBDE (Network-Bound Disk Encryption), a secure and automated option for production systems. NBDE is available from RHEL 7.4.

Network-Bound Disk Encryption (NBDE):

NBDE uses asymmetric cryptography to let a machine with an encrypted disk boot without a passphrase being typed at boot time. It does so only while the machine is on the right network, without storing the encryption key in plain text on the machine and without sending the key over the network, so a thief who takes the machine (or the disk) away cannot unlock it.

LUKS + NBDE: the following NBDE components provide an automated, simpler way to manage disk encryption and decryption at boot.

  1. Clevis: a pluggable framework for automated decryption. In NBDE, Clevis automatically unlocks LUKS volumes.
  2. Clevis pin: a plugin to the Clevis framework. The tang pin implements the interaction with the Tang server.
  3. Tang: a stateless, secure, network-based key-recovery service. Tang holds no client secrets; nothing about a client is recorded on the server.

Figure: Network-Bound Disk Encryption (NBDE)

Key points

Security model: the system uses asymmetric cryptography, so decrypting the disk is only possible when the machine is on the network where the Tang server is reachable, with no decryption keys stored locally and none transmitted insecurely.

Automation: NBDE unlocks encrypted volumes automatically at boot, reducing manual intervention and improving the security of data at rest in unattended server environments.

Modularity: Clevis is a flexible framework that accepts other pins besides Tang (for example the tpm2 pin, or the sss pin that combines several pins with Shamir secret sharing) for different scenarios or hardware integrations.

Privacy: the Tang server holds no client secrets or keys, which limits the damage if the central server is compromised.

Unlock workflow

  1. The client starts the unlock during boot.
  2. Clevis uses the tang pin to contact the Tang server and perform a secure key exchange (the McCallum-Relyea exchange).
  3. The ephemeral key material for the cryptographic operations is handled with JOSE (JSON Object Signing and Encryption).
  4. The binding (the wrapped LUKS passphrase together with the public values needed for recovery) is stored in the LUKS metadata and read from there at unlock time.
  5. After a successful exchange, Clevis decrypts the wrapped passphrase and unlocks the LUKS-encrypted volume.
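The property that makes this workflow safe is that the Tang server contributes to recovering the wrapping key without ever learning it, and that the stolen disk holds only public values and ciphertext. The following is an added example for this article, not Clevis or Tang code, that walks through the McCallum-Relyea exchange from steps 1 to 5 with both sides in one file. Tang performs the exchange on an elliptic-curve group (NIST P-521 by default) and Clevis stores the result as a JWE; here a multiplicative group modulo the Mersenne prime 2**127-1 and an HMAC-SHA256 keystream stand in for both so that the code runs on the Python standard library alone, and the `TangServer` class, `bind` and `unlock` are this example’s own names. It is not safe for real data.

```python
"""Toy McCallum-Relyea exchange, the key recovery that Clevis and Tang use.

Added example for this article, not Clevis or Tang code. Tang runs the
exchange on an elliptic-curve group (NIST P-521 by default) and Clevis wraps
the LUKS passphrase in a JWE; here a multiplicative group modulo 2**127-1 and
an HMAC-SHA256 keystream stand in for both. NOT safe for real data.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy prime; real Tang uses the P-521 curve
G = 3                # toy generator


def keygen():
    """Return (private, public) with public = G**private mod P."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def wrap(k, data):
    """XOR data with an HMAC keystream keyed by the group element k.
    Stand-in for the JWE that Clevis really stores; the same call unwraps."""
    out, counter = b"", 0
    while len(out) < len(data):
        out += hmac.new(k.to_bytes(16, "big"), counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class TangServer:
    """Keeps only its own long-term key; nothing per client is ever stored."""

    def __init__(self):
        self._s, self.public = keygen()   # S = g^s is advertised to clients
        self.seen = []                    # everything the server ever learns

    def recover(self, x):
        """Tang's recovery operation: raise the client's value to the server key."""
        self.seen.append(x)
        return pow(x, self._s, P)


def bind(server_public, passphrase):
    """Provisioning (clevis luks bind): wrap the passphrase under K = S^c."""
    c, client_public = keygen()
    k = pow(server_public, c, P)          # K = g^(s*c)
    wrapped = wrap(k, passphrase)
    # c and K are discarded; only public values and ciphertext go into the
    # LUKS header, so the metadata on a stolen disk is useless by itself.
    return {"server_public": server_public,
            "client_public": client_public, "wrapped": wrapped}


def unlock(metadata, server):
    """Boot-time recovery: rebuild K with the server's help, without revealing
    the client's public value C or the key K to the server."""
    e, ephemeral_public = keygen()
    x = (metadata["client_public"] * ephemeral_public) % P   # C*E = g^(c+e)
    y = server.recover(x)                                    # g^(s*c) * g^(s*e)
    s_e = pow(metadata["server_public"], e, P)               # g^(s*e), local only
    k = (y * pow(s_e, -1, P)) % P                            # strip blinding: g^(s*c)
    return wrap(k, metadata["wrapped"])


if __name__ == "__main__":
    tang = TangServer()
    meta = bind(tang.public, b"constructed LUKS passphrase")
    print(unlock(meta, tang))           # same passphrase; server saw only blinded x
    print(unlock(meta, TangServer()))   # different Tang (wrong network): garbage
```

Two things to observe when running it: every boot sends the server a freshly blinded value, so the server cannot even recognise the same client twice, and pointing the client at a different Tang instance (the “wrong network” case) yields garbage rather than an error, which is why Clevis validates the recovered passphrase against the LUKS key slot rather than trusting the exchange alone.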

NBDE – Advantages

  • No need to type a passphrase manually at boot or reboot (if the root volume is encrypted).
  • No need to keep the passphrase in a local key file.
  • No private keys are shared between the Tang server and the Clevis client; only public values are exchanged.
  • The Tang server is called automatically (it acts as a key-recovery service).
  • Uses asymmetric keys (the McCallum-Relyea exchange).
  • Scales as the server estate grows.

Conclusion:

If your organization handles sensitive data or operates in a regulated sector, FDE with LUKS + NBDE offers a powerful, automated and secure solution for protecting data at rest.
