
End-to-end Encryption of Data at Rest for Linux on Z and LinuxONE
Ingo Franzki [email protected]
Reinhard Buendgen [email protected]
VM Workshop 2019
© Copyright IBM Corporation 2019

Data Protection and Security are Business Imperatives
— Nearly 6.5 million records stolen per day, 267,905 per hour and 4,465 per minute. [1]
— “It’s no longer a matter of if, but when …”
— 24% likelihood of an organization having a data breach in the next 24 months [2]
— The greatest security mistake organizations make is failing to protect their networks and data from internal threats. [3]
— Of the 14 billion records breached since 2013 only 4% were encrypted [4]
[1] http://breachlevelindex.com/
[2] 2016 Ponemon Cost of Data Breach Study: Global Analysis -- http://www.ibm.com/security/data-breach/
[3] Steve Marsh in article: https://digitalguardian.com/blog/expert-guide-securing-sensitive-data-34-experts-reveal-biggest-mistakes-companies-make-data
[4] Breach Level Index -- http://breachlevelindex.com/

The Value of Data …
— Today data is one of the most valuable assets of many companies
— In particular sensitive data must be protected against unauthorized access to avoid
  • Losing customer trust
  • Losing competitive advantages
  • Being subject to fines and regression claims
— Data encryption is the most effective way to protect data outside your system, be it in flight or at rest
— But encrypting data is not easy
  • Requires the introduction of new policies
  • Complicates data management
  • Requires secure management of keys
  • Costs computing resources

Attacks
Online attack
— Steal or modify data from inside your system
— Requires system access with the required privileges
— Attack is observable
  • Takes time proportional to the amount of data
  • Has impact on the operation of the attacked system (costs resources)
  • It is hard not to leave traces
Offline attack
— Steal or modify data from outside your system
  • The data might even be a dump of your system at a service organization
— Requires access to network, SAN, media
  • May but need not involve stealing the media that is attacked
  • May require access to a decryption key
— Attack is hard to observe, if it is observable at all
  • Neither time nor resource constrained

Protecting data against offline attacks
How can you control access outside your system?
— Data transferred via intranet or internet
— Data transferred via SAN
— Data stored in storage subsystems
Do you trust the access control mechanisms of network/SAN/storage subsystems?
— Is there any effective access control?
— Do you own access control?
Solution: You better encrypt that data!

Cryptography
Can
— Prove data provenance
— Prove data integrity
— Protect data confidentiality
Cannot
— Protect you from your keys getting stolen
  • by an insider
  • by an intruder
  • via a vulnerability
— Kerckhoffs’s Principle for secure cryptography:
  • All cryptography methods should be well known
  • Only the cryptographic keys must be secret
When you protect your data using cryptography you must protect your keys! They are the most critical piece of data!

Here is a Dream …
What if you could just encrypt all data in-flight and at-rest
— At no cost
— Without changing applications
— Without changing data management
— By pushing a single button
Well, that will remain a dream. But with pervasive encryption we want to make a large step in that direction.

Pervasive Encryption for the Linux on Z and LinuxONE Platform
Technical Foundation
IBM z14 or Emperor II - Designed for Pervasive Encryption
— CPACF – Dramatic advance in bulk symmetric encryption performance
— Crypto Express6S – Doubling of asymmetric encryption performance for TLS handshakes
Linux on Z and LinuxONE - Full Power of the Linux Ecosystem combined with IBM z14 or Emperor II Capabilities
— dm-crypt – Transparent volume encryption using industry unique CPACF protected-keys
— Network Security – Enterprise scale encryption and handshakes using CPACF and SIMD
— Secure Service Container – Automatic protection of data and code for virtual appliances
z/VM – New: encrypted paging
  • z/VM 6.4 APAR VM65993

Pervasive Encryption for Linux on Z and LinuxONE
Technical Contents: Data at Rest

Data at Rest Encryption Considerations
Figure: data path Storage server – SAN – Server (Hypervisor, Adapter) – Virtual Server (OS-kernel, Cache, Application), with online attacks on the server side and offline attacks on SAN and storage.
Attack points
— Storage server
— SAN
— Server / Hypervisor / Virtual Server
  • Insider / outsider
Questions
— Where is data decrypted/encrypted?
— Who generates keys?
— Who owns (can access) the keys?
— Backups? Data migration?

Data Encryption on Storage Subsystem
Attack points
— Storage server – (Secured)
— SAN – Not secure
— Server / Hypervisor – Not secure
— Virtual Server insider / outsider – Not secure
Questions
— Where is data decrypted/encrypted?
— Who generates keys? Storage/OS admin
— Who owns (can access) the keys? Storage/OS admin

End-to-End SAN/Network Encryption
Attack points
— Storage server – Not secure
— SAN – Secured
— Server / Hypervisor – Not secure
— Virtual Server insider / outsider – Not secure
Questions
— Where is data decrypted/encrypted? Adapter
— Who generates keys? System admin
— Who owns (can access) the keys? System admins

End-to-End Data Encryption
Attack points
— Storage server – Secured
— SAN – Secured
— Server / Hypervisor – Secured
— Virtual Server insider / outsider – Not secure
Questions
— Where is data decrypted/encrypted? Application or kernel
— Who generates keys? Application or OS admin
— Who owns (can access) the keys? Application or OS admin

Linux on Z Encryption of Data at Rest
End-to-End Encryption
— dm-crypt: block device / full volume encryption
  • Uses kernel crypto
  • Granularity: disk partition / logical volume
— ext4 with encryption option: file system encryption
  • Uses kernel crypto
  • Granularity: file, directory, symbolic link
— Spectrum Scale (GPFS) with encryption option: file encryption
  • Uses GSKit or Clic crypto libraries
  • Granularity: file
— DB2 native encryption: database encryption
  • Uses GSKit crypto library
Network Encryption
— NFS v4 with encryption option: encryption of file transport
  • Uses kernel crypto
— SMB v3.1: encryption of file transport
  • Uses kernel crypto
Notes: Kernel crypto automatically uses CPACF for AES if the module aes_s390 is loaded. GSKit and the latest versions of Clic use CPACF for AES.

dm-crypt & LUKS

dm-crypt Overview
— dm-crypt
  • A mechanism for end-to-end data encryption
  • Data only appears in the clear in the application
  • Kernel component that transparently, for a whole block device (partition or LVM Logical Volume),
    o Encrypts all data written to disk
    o Decrypts all data read from disk
— How it works:
  • On opening a volume
    o dm-crypt is told which key and cipher to use
  • The dm-crypt module uses in-kernel crypto
    o can use IBM Z HW if the aes_s390 module is loaded
      > AES-CBC
      > XTS-AES (recommended)
Figure: Linux program – file system – dm-crypt – block device driver (Linux kernel) – SAN – disk / vdisk. On IBM z14 or Emperor II XTS-AES is very fast.

Linux File System Stack
Figure: Application – I/O system call (open, read, write) – Virtual file system – File system (e.g. ext4) – Page cache – Logical block device drivers (logical volumes, RAID, multipath) – Physical block device driver – Disk. Direct I/O bypasses the page cache; direct I/O to the device (e.g. swap) bypasses the file system. Standard I/O goes through the page cache.

Linux File System Stack with dm-crypt
Figure: the same stack with dm-crypt inserted among the logical block device drivers, below the page cache and file system. Data above dm-crypt is clear text; data below dm-crypt (physical block device driver, disk) is encrypted.

What Volumes can be Encrypted by dm-crypt?
YES: block devices
— Disks:
  • SCSI disks
— Partitions of
  • ECKD DASDs
  • SCSI disks
— Multi-path devices
— (LVM2) Logical volumes
— Loop back devices
— Other device mapper devices
NO:
— Full ECKD DASDs
— Network file systems like NFS
  • However, you can create a loopback device based on a file in a network file system

dm-crypt & cryptsetup - Volume Formats
dm-crypt
— Kernel module
— Supports multiple volume formats (aka types)
  • plain
  • LUKS (focus)
  • LUKS2 (focus)
cryptsetup
— Tool to manage encrypted volumes
  • Formats volumes
    o LUKS & LUKS2 types
  • Opens volumes
    o plain, LUKS, LUKS2,
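The following shell script is an added example and is not code from the deck or from IBM. It covers two points from the slides above: the note that kernel crypto only uses CPACF for AES when the aes_s390 module is loaded (so an administrator should verify which driver actually backs XTS-AES before assuming dm-crypt is hardware accelerated), and the cryptsetup handling of LUKS2 volumes with the recommended XTS-AES mode. The /proc/crypto listing it parses is constructed, with illustrative driver names and priorities; the function names, the device and mapping-name arguments, and the choice of aes-xts-plain64 with a 512-bit key are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the VM Workshop 2019 deck): two checks around dm-crypt
# on Linux on Z.
#
# 1. crypto_driver_for: find out which kernel driver backs an algorithm by
#    reading a /proc/crypto listing. The kernel picks the implementation with
#    the highest priority, so with aes_s390 loaded the xts(aes) entry should
#    resolve to the CPACF-backed s390 driver rather than the generic template.
# 2. luks_setup_xts: format and open a LUKS2 volume with XTS-AES. Needs root
#    and a real block device, so it is defined here but not called.

# Print the driver name of the highest-priority implementation of the
# algorithm named in $1, reading a /proc/crypto-style listing from stdin.
crypto_driver_for() {
    awk -v want="$1" '
        /^name[ \t]*:/     { name = $3 }
        /^driver[ \t]*:/   { driver = $3 }
        /^priority[ \t]*:/ {
            if (name == want && (best == "" || $3 + 0 > best + 0)) {
                best = $3; bestdrv = driver
            }
        }
        END { if (bestdrv != "") print bestdrv }
    '
}

# Succeed (exit 0) when the driver selected for xts(aes) is an s390 (CPACF)
# driver, i.e. hardware acceleration is actually in effect.
cpacf_backs_xts_aes() {
    case "$(crypto_driver_for 'xts(aes)')" in
        *-s390) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed /proc/crypto excerpt for a system where aes_s390 is loaded.
# Entries and priorities are illustrative, not captured from a real machine.
sample_proc_crypto_with_cpacf() {
cat <<'EOF'
name         : xts(aes)
driver       : xts-aes-s390
module       : aes_s390
priority     : 402
refcnt       : 1
selftest     : passed

name         : xts(aes)
driver       : xts(ecb(aes-generic))
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
EOF
}

# The same listing with aes_s390 not loaded: only the software template is left.
sample_proc_crypto_without_cpacf() {
    sample_proc_crypto_with_cpacf | awk 'BEGIN { RS = ""; ORS = "\n\n" } !/aes_s390/'
}

# Format DEVICE as a LUKS2 volume using XTS-AES with a 512-bit key (two 256-bit
# AES keys, as XTS requires), open it as /dev/mapper/NAME and create an ext4
# file system on the mapped device. DEVICE and NAME are caller-supplied
# placeholders; cryptsetup prompts for the passphrase. Destroys DEVICE contents.
luks_setup_xts() {
    device="$1"; name="$2"
    [ "$(id -u)" -eq 0 ] || { echo "luks_setup_xts: must run as root" >&2; return 1; }
    cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 "$device"
    cryptsetup open "$device" "$name"
    mkfs.ext4 "/dev/mapper/$name"
    # 'cryptsetup luksDump "$device"' afterwards shows the cipher and key size.
}

# Demonstration against the constructed listings. On a live system use:
#   crypto_driver_for 'xts(aes)' < /proc/crypto
echo "with aes_s390:    $(sample_proc_crypto_with_cpacf | crypto_driver_for 'xts(aes)')"
echo "without aes_s390: $(sample_proc_crypto_without_cpacf | crypto_driver_for 'xts(aes)')"
```

The script only runs against the constructed listings; on a Linux on Z system pipe the real /proc/crypto into crypto_driver_for (or run lsmod to confirm aes_s390 is present). luks_setup_xts is defined but not invoked because it requires root, wipes the target device and asks for a passphrase interactively.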