
Gazzang zNcrypt

v3.3 User Guide


Copyright 2011-2013 by Gazzang, Inc.

2013 Gazzang, Inc. All Rights Reserved.

Gazzang zNcrypt 3.3 User Guide 1

Table of Contents

Overview
  Automating a zNcrypt Deployment
  What's New in zNcrypt 3.3
    Register and activate zNcrypt clients in one step
    Passive approval for zNcrypt clients
    Trustee Support for zNcrypt
    FIPS 140-2 mode
    Encrypt files faster during the installation process
    Minor features
    Bug fixes
Prerequisites
  OS Requirements
  Network Requirements
  Internet Access
  Downtime Required
  Administrative Access
  Package Dependencies
    Required packages
    Recommended packages
Getting Up and Running
Installation
  Debian/Ubuntu
    Kernel Libraries
    Adding the Gazzang Repository
    Download the Gazzang Public key
    Installation Using apt-get Package Manager
  CentOS/RedHat
    Download Recommended and Required Packages
    Kernel Libraries
    Add the Gazzang Repository
    Red Hat Enterprise Linux Systems
    Download the Gazzang Public Key
    Installation using yum Package Manager
  openSUSE/SLES
    Kernel Libraries
    Add the Gazzang Repository
    Download the Gazzang Public Key
    Installation Using zypper Package Manager
Registering zNcrypt with zTrustee Key Management Server
  Prerequisites
    Org Admin
    Functioning zTrustee Server
    Choosing a Master Password
  Registering with zTrustee
    Basic Registration with the Gazzang Hosted zTrustee Server
    Advanced Registration Commands
    Configuration Files
    Change Master Key by UUID (Advanced)
  Encrypting
    Overview
    Common Commands
    Less Used Commands
    Preparing for Encryption
    File System Encryption with eCryptfs
    Block Encryption with dm-crypt
    Encrypting and Decrypting
    Decryption
    Encryption and Decryption for MySQL Databases and Tables
    Restricting Access
  Maintenance
Appendices
  Appendix A - Installing zNcrypt 3.3 with zTrustee 3.4 and below
    Registering zNcrypt 3.3 with zTrustee 3.4 and below
    Activating zNcrypt 3.3 with zTrustee 3.4 and below
  Appendix B - Using Block Encryption with a loop device
    Block Encryption with a loop device
  Appendix C - Upgrading to zNcrypt 3.3 from ezncrypt 2.3 and up
  Appendix D - Uninstalling and Reinstalling zNcrypt
    Uninstalling zNcrypt 3.3
    Reinstalling zNcrypt 3.3
  Appendix E - Adding/Removing Rules by Profile
    Adding
  Appendix F - Encrypting and Decrypting MySQL
    Encrypting MySQL Tables and Databases
    Decrypting MySQL Tables and Databases
  Appendix G - zNcrypt with RDRAND and AES-NI

2013 Gazzang, Inc. All Rights Reserved.

Gazzang zNcrypt 3.3 User Guide 4

Overview
This document contains a full list of zNcrypt 3.3 features, prerequisites, supported Operating Systems, and installation commands. Most customers require little to no customization to the default zNcrypt installation; to quickly get started, see the zNcrypt Quick Start Guide.

Automating a zNcrypt Deployment


Between testing, installation, and just for plain old fun, Gazzang employees install zNcrypt quite a bit. Because of how much we install zNcrypt, we were even nice enough to create scripts that gloss over most of the nasty details. If you are interested in accessing our development tools or scripts, please use the zNcrypt Express Guide and visit our GitHub Repository, which houses the most up-to-date versions of these wildly helpful tools.

What's New in zNcrypt 3.3


Register and activate zNcrypt clients in one step

We've further simplified the zNcrypt installation process to combine the registration and activation steps. The dual-step registration and activation will still be available for users who have previously scripted their installations.

Sample command, registering and activating using single step (RegAuth Mode):
# zncrypt register --org=myorg --auth=orgpassword

Sample command, registering and activating using dual step (Classic Mode):
# zncrypt register [-s myonprem.ztrustee.com]
# zncrypt request-activation -c myemail@mycompany.com

Passive approval for zNcrypt clients

We have made it easier to manage zNcrypt client-activation requests. Now Org admins will receive an email notification for each activated client but will not have to click an email link to approve each zNcrypt activation request. This allows you to quickly spin up new nodes without having to manually approve each zNcrypt activation request.
Trustee Support for zNcrypt


A Trustee is the person or group responsible for allowing the release of zNcrypt encryption keys from the zTrustee Key Server. Trustees help ensure your keys are released to the right person or process at the right time given the conditions you've set forth. This unique security technique helps prevent unauthorized access. When a request to release a zNcrypt key comes in, an email notification will be sent to the Trustee. Trustees should be set up during the registration process. Sample command, registering zNcrypt using Trustees:
# zncrypt register --org=myorg --auth=orgpassword -T trustee1@email.com -T trustee2@email.com -V 1

The above command will register zNcrypt using two trustees (-T) and one vote (-V). If you register zNcrypt with this command, going forward, when zNcrypt wants to retrieve the MASTER key from zTrustee, an email notification will be sent to the two Trustees. In this scenario, only one Trustee would need to vote to release the key.
FIPS 140-2 mode

FIPS 140-2 is a U.S. government security standard for cryptographic modules, and compliance with it is required for some customers. zNcrypt 3.3 and zTrustee 3.5 include a FIPS mode, which can be enabled to meet the FIPS 140-2 requirements when running on FIPS-compliant hardware.
Encrypt files faster during the installation process

We've updated our zNcrypt move process so that all files are encrypted simultaneously, reducing the installation encryption time from earlier versions of our software. This new encryption process requires free disk space equal to twice the size of the directory being encrypted during installation. Customers with a limited amount of free disk space can continue to use the encryption process available in zNcrypt 3.2 and earlier.
Minor features

- Support for variable 'cmdline' arguments on ACL profiles
- Ability to display the process 'cmdline' on the access denied message
- Support for comma-separated line numbers when removing ACL rules
- Create storage/mount-point directory when running zncrypt-prepare in interactive mode
- Force administrators to specify an org name during registration in RegAuth mode
- Improved encryption status bar

Bug fixes

- Fixed kernel panic caused by an encrypted process opening itself
- Fixed issue where ACL rules would not display correctly
- Fixed issue where parsing ACL rules would throw errors
- Fixed issue where adding duplicate ACL rules resulted in an error message
- Other minor bug fixes
- Accept spaces in filenames and directory names. NOTE: MySQL table and database encryption is not supported if any of their names contain spaces.

Prerequisites
OS Requirements
Linux kernel 2.6.19 or later (Red Hat and CentOS can use 2.6.18-92 or later)

Supported Linux Systems:
- Red Hat 5.4 - 6.x
- CentOS 5.4 - 6.x
- Scientific Linux 5.4 - 6.x
- CloudLinux 5.4 - 6.x
- Ubuntu 11.10 (x32 only), 12.04, 12.10, 13.04
- Debian 6
- OpenSUSE/SLES 11 (x64 only)

Supported command line shells:
- sh (Bourne)
- bash (Bash)
- dash (Debian)

Network Requirements
zNcrypt will need to initiate TCP traffic over ports 80 (HTTP) and 443 (HTTPS) to the zTrustee Server, and will need to receive TCP traffic over port 22 (SSH).

Internet Access
You must have an active Internet connection to download the software from the Gazzang repository. If port 443 or 80 cannot be opened, you can download the packages to a system with Internet access and copy the files over to your server and follow the Manual Installation instructions in the next section. For more information, contact support@gazzang.com.

Downtime Required

Data will not be accessible during the encryption process, so plan for scheduled downtime on your system during installation and configuration.

Administrative Access
In order to enforce the utmost level of security, all zNcrypt commands require administrative (root) access (including installation and configuration). If you do not have administrative privileges on your server, please contact your system administrator for help before proceeding.

Package Dependencies
Required packages

These dependent packages are native to most Linux operating systems, and are resolved by your distribution's package manager at the time of installation.
- dkms package and kernel-devel
- keyutils
- eCryptfs-utils and gettext, gettext-libs, libgomp, pkcs11-helper, trousers
- libztrusteeN, zncrypt-kernel-module, binutils, cloog-ppl, cpp, gcc, glibc-devel, glibc-headers, kernel-headers, libmpc, mpfr, ppl
- plus updates to: glibc and glibc-common
Note: The installation works with gcc, gcc3 and gcc4.
Recommended packages

If these packages are desired, they must be installed by the user. Specific installation instructions are provided below, separated by operating system.
- haveged daemon: The haveged daemon increases system entropy, which improves the performance of many cryptographic operations. For additional information about haveged, visit http://www.issihosts.com/haveged/
- GNU Privacy Guard (GPG): Recommended, but not required. The zTrustee client uses GPG for encryption operations such as fingerprint generation for each client.

Getting Up and Running



The main steps to install the software and encrypt the data are:
1. Installation
2. Registration
3. Activation

The following sections describe those steps. The installation methods depend upon your operating system, Debian/Ubuntu, CentOS/Redhat, OpenSUSE/SLES, or distributions that can use .deb or .rpm packages.

Installation
Note! If you are running a version of zNcrypt earlier than 3.1, consult Appendix C: Upgrading to zNcrypt 3.3 from ezncrypt 2.3 and up.

Debian/Ubuntu
Kernel Libraries

Before installing zNcrypt, we recommend you install the kernel development packages. Each kernel module is compiled specifically for the underlying kernel version. In order for zNcrypt to run as a kernel module, you must download and install the kernel development headers. It is this ability to run as a kernel module which allows zNcrypt to boast high performance metrics while still being completely transparent to user-space applications. To determine your current running kernel version, run:
# uname -r

To install the development headers for your current kernel version, run:
# sudo apt-get install linux-headers-$(uname -r)

Tip! If apt-get cannot find these packages, it will return an error "Unable to locate package <packagename>". In this case, choose one of the following options to proceed:

- Find and install the kernel headers package by using a tool like dpkg (http://www.debian.org/doc/manuals/debian-faq/ch-pkgtools.en.html)
- Upgrade your kernel to the current version. If you upgrade the kernel, you must reboot after upgrading and select the kernel from the grub menu to make it active.
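Two of the requirements in this guide are the ones that most often break an install and both can be checked before anything is modified: dkms can only build zncrypt-kernel-module if headers for the running kernel are installed (it looks for them under /lib/modules/$(uname -r)/build), and the one-pass move described under "Encrypt files faster during the installation process" needs free space equal to twice the size of the directory being encrypted. The pre-flight script below is an added example, not code from the zNcrypt guide or from Gazzang; it applies equally to the Debian/Ubuntu, CentOS/RedHat and openSUSE/SLES procedures. The optional ROOT prefix argument and the default factor of 2 are assumptions made so the checks can be exercised against a scratch directory instead of the live system.

```shell
#!/bin/sh
# Added pre-flight checks (not from the zNcrypt guide or Gazzang) for two
# things the guide requires: kernel headers matching the running kernel, so
# dkms can build zncrypt-kernel-module, and free space of twice the size of
# the directory to be encrypted, which the one-pass zncrypt-move needs.
# Assumptions: dkms builds against /lib/modules/<kver>/build (a symlink or
# directory holding the kernel Makefile); the ROOT argument is a prefix used
# only so the checks can be run against a scratch tree instead of /.

# have_kernel_headers KVER [ROOT]: 0 if headers for KVER are installed.
have_kernel_headers() {
    kver="$1"; root="${2:-}"
    [ -r "$root/lib/modules/$kver/build/Makefile" ]
}

# dir_kb DIR: size of DIR in KB, as du reports it.
dir_kb() {
    du -sk "$1" | awk '{ print $1 }'
}

# free_kb_for PATH: free KB on the filesystem that holds PATH.
free_kb_for() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# enough_space_for_move DIR [FACTOR]: 0 if free space >= FACTOR * size(DIR).
# FACTOR defaults to 2, the guide's requirement for the one-pass move.
enough_space_for_move() {
    dir="$1"; factor="${2:-2}"
    need=$(( $(dir_kb "$dir") * factor ))
    free=$(free_kb_for "$dir")
    [ "$free" -ge "$need" ]
}

# preflight KVER DIR [ROOT]: run both checks, report, and fail if either fails.
preflight() {
    kver="$1"; dir="$2"; root="${3:-}"
    status=0
    if have_kernel_headers "$kver" "$root"; then
        echo "ok: kernel headers for $kver found under /lib/modules/$kver/build"
    else
        echo "FAIL: no headers for $kver; install linux-headers/kernel-devel for this exact version first" >&2
        status=1
    fi
    if enough_space_for_move "$dir"; then
        echo "ok: enough free space to encrypt $dir in one pass"
    else
        echo "FAIL: less than 2x the size of $dir is free; free space or use the 3.2-style move" >&2
        status=1
    fi
    return $status
}

# Typical use on the live system: preflight "$(uname -r)" /var/lib/mysql
```

Run it as root with the kernel version from `uname -r` and the directory you intend to hand to zncrypt-move; a non-zero exit means stop and fix the reported item before installing, because a missing header tree only surfaces later as a dkms build failure.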


Adding the Gazzang Repository

Set the system environment variables:


# . /etc/lsb-release

Add the Gazzang Repository URL to the apt sources.list file:


# echo "deb https://archive.gazzang.com/ubuntu/stable $DISTRIB_CODENAME main" | sudo tee -a /etc/apt/sources.list

Tip! Debian systems generally do not have /etc/lsb-release, so $DISTRIB_CODENAME will be empty after the command above; set it by hand before adding the repository line: squeeze for Debian 6, wheezy for Debian 7.


Download the Gazzang Public key

Import the Gazzang public key:


# wget -O - https://archive.gazzang.com/gpg_gazzang.asc | sudo apt-key add -

The trailing "-" tells apt-key to read the key from standard input.

Installation Using apt-get Package Manager

Install the zNcrypt client through the apt-get package manager:

# sudo apt-get update
# sudo apt-get install zncrypt haveged

CentOS/RedHat
Download Recommended and Required Packages

1. Download the latest epel-release rpm for RHEL 6 and CentOS 6.2 from: http://fedoraproject.org/wiki/EPEL
2. Install the epel-release x86_64 rpm with the following command:
# sudo rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm


3. Install the haveged rpm package with the following command:


# sudo yum install haveged

4. Start the haveged daemon; a successful start also confirms the package installed correctly:

# sudo /etc/init.d/haveged start

Kernel Libraries

Before installing zNcrypt, we recommend you install the kernel development packages. Each kernel module is compiled specifically for the underlying kernel version. In order for zNcrypt to run as a kernel module, you must download and install the kernel development headers. It is this ability to run as a kernel module which allows zNcrypt to boast high performance metrics while still being completely transparent to user-space applications. To determine your current running kernel version, run:
# uname -r

To install the development headers for your current kernel version, run:
# sudo yum install kernel-headers-$(uname -r) kernel-devel-$(uname -r)

Tip! If yum cannot find these packages, it will report that no matching package is available. The headers and kernel-devel versions must match the output of uname -r exactly. In this case, choose one of the following options to proceed:

- Find and install the kernel headers package by using a tool like RPM Pbone (http://rpm.pbone.net)
- Upgrade your kernel to the current version. If you upgrade the kernel, you must reboot after upgrading and select the kernel from the grub menu to make it active.

Add the Gazzang Repository

The first step in the installation is adding the Gazzang repository to the package management system.
Red Hat Enterprise Linux Systems

Create and open the Gazzang repo file with the following command:


# vi /etc/yum.repos.d/gazzang.repo

And paste the following text:


[gazzang]
name=RHEL $releasever - gazzang.com - base
baseurl=https://archive.gazzang.com/redhat/stable/$releasever
enabled=1
gpgcheck=1
gpgkey=https://archive.gazzang.com/gpg_gazzang.asc

Download the Gazzang Public Key

Gazzang signs all of its repository packages with a GPG key so that you can verify that downloaded packages are authentic. Import the public key into RPM:
# rpm --import https://archive.gazzang.com/gpg_gazzang.asc

Installation using yum Package Manager

Install the zNcrypt client through the yum package manager:


# yum install zncrypt haveged

And to ensure that zNcrypt is started next time you reboot your machine, we'll need to add it to the start order:
# chkconfig --level 235 zncrypt-mount on
# chkconfig --level 235 haveged on
# service haveged start

openSUSE/SLES
Kernel Libraries

Before installing zNcrypt, we recommend you install the kernel development packages. Each kernel module is compiled specifically for the underlying kernel version. In order for zNcrypt to run as a kernel module, you must download and install the kernel development headers. It is this ability to run as a kernel module which allows zNcrypt to boast high performance metrics while still being completely transparent to user-space applications. To determine your current running kernel version, run:
# uname -r

To install the development headers for your current kernel version, run:
# zypper install kernel-devel-$(uname -r) kernel-headers-$(uname -r)

Tip! If zypper cannot find these packages, it will report that no matching package is available. In this case, choose one of the following options to proceed:

- Find and install the kernel headers package by using a tool like RPM Pbone (http://rpm.pbone.net)
- Upgrade your kernel to the current version. If you upgrade the kernel, you must reboot after upgrading and select the kernel from the grub menu to make it active.

Add the Gazzang Repository

It is necessary to add the Gazzang repository information to your system. The zypper installer requires a gazzang.repo file to connect to the Gazzang repository. Create the gazzang.repo file under /etc/zypp/repos.d and add the appropriate lines. For example, enter the following command to edit the file with vim:
# vim /etc/zypp/repos.d/gazzang.repo

Add the following lines to the /etc/zypp/repos.d/gazzang.repo file, where [OS] = opensuse or sles, and [release] = 11.1, 11.2, or 11.3:
[gazzang]
name=gazzang
baseurl=https://archive.gazzang.com/[OS]/stable/[release]
enabled=1
gpgenable=1
gpgcheck=1
gpgkey=https://archive.gazzang.com/gpg_gazzang.asc
type=rpm-md
keeppackages=0
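Both repository definitions in this guide, the RHEL one and the openSUSE/SLES one above, enforce package signature verification (gpgcheck=1 with a gpgkey) and fetch over HTTPS. Because a repo file is easy to edit down to gpgcheck=0 or a plain http baseurl, it is worth checking those three settings before enabling a repository. The check below is an added example, not code from the zNcrypt guide or from Gazzang; it parses the yum/zypper ini format and prints one line per problem, and the sample inputs in its test are constructed.

```shell
#!/bin/sh
# Added example (not from the zNcrypt guide or Gazzang): check a yum/zypper
# repository definition before enabling it. Every [section] must keep
# gpgcheck=1, name a gpgkey, and fetch over https, which is what the
# gazzang.repo files shown in this guide do. Run as: repo_check FILE

# repo_check FILE: print one line per problem; exit 0 only if all sections pass.
repo_check() {
    awk '
    BEGIN { bad = 0 }
    # Report the settings collected for the section just finished.
    function flush() {
        if (sec == "") return
        if (gpgcheck != "1")          { printf "[%s] gpgcheck=%s, expected 1\n", sec, gpgcheck; bad = 1 }
        if (gpgkey == "")             { printf "[%s] no gpgkey, packages cannot be verified\n", sec; bad = 1 }
        if (baseurl !~ /^https:\/\//) { printf "[%s] baseurl is not https: %s\n", sec, baseurl; bad = 1 }
    }
    /^[[:space:]]*\[/ {                    # start of a new [section]
        flush()
        sec = substr($0, index($0, "[") + 1)
        sec = substr(sec, 1, index(sec, "]") - 1)
        gpgcheck = ""; gpgkey = ""; baseurl = ""
        next
    }
    /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
    index($0, "=") > 0 {                   # key=value inside the current section
        key = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", key)
        val = substr($0, index($0, "=") + 1);    gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        if (key == "gpgcheck")     gpgcheck = val
        else if (key == "gpgkey")  gpgkey = val
        else if (key == "baseurl") baseurl = val
    }
    END { flush(); exit bad }
    ' "$1"
}

# Typical use: repo_check /etc/yum.repos.d/gazzang.repo  (or /etc/zypp/repos.d/gazzang.repo)
```

A clean exit means every section in the file will have its packages checked against the imported key and will download over TLS; any reported line is a setting to put back to what this guide shows before running yum or zypper against that repository.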


Download the Gazzang Public Key

Gazzang signs all of our repository packages with a GPG key so that you can ensure that your downloaded packages are authentic and secure. Enter the following commands to retrieve and import Gazzang's public key.
# wget -q https://archive.gazzang.com/gpg_gazzang.asc -O /tmp/gpg_gazzang.asc
# rpm --import /tmp/gpg_gazzang.asc

Installation Using zypper Package Manager

To install zNcrypt 3.3 using the system package manager enter the following commands:
# zypper refresh
# zypper update
# zypper install zncrypt

Registering zNcrypt with zTrustee Key Management Server


Prerequisites
Org Admin

You must have an organization registered on your zTrustee Key Manager; if you are using Gazzang's default Key Manager, ztrustee.gazzang.com, contact support@gazzang.com for details on how to register your organization.
Functioning zTrustee Server

In order to configure zNcrypt to encrypt data, you must have access to a fully functional zTrustee Key Management server, either on premises or Gazzang hosted.
Choosing a Master Password

The Master Key is the primary Gazzang zNcrypt Administrator access code and is configured by the zNcrypt Admin during installation. It prevents root users who do not hold the master key from accessing sensitive data. The Master Key can take any one of three different forms:
- Passphrase (single): the passphrase must be between 15 and 32 characters long.
- Passphrase (dual): the passphrases must be between 15 and 32 characters long.
- RSA: enter a path to the RSA private key file and, if that key is protected by a passphrase, enter the passphrase for it.

STOP! It is extremely important that you keep your master password secret and safe. In the event that you lose your master password, you will never be able to recover it, leaving your encrypted data irrevocably locked away.

Registering with zTrustee


After the zNcrypt application is installed, it must be registered and activated with a zTrustee Key Management server to encrypt and decrypt data.
Basic Registration with the Gazzang Hosted zTrustee Server

The command below creates and configures all necessary files and directories for zNcrypt with the Gazzang Hosted zTrustee. For a full list of commands, see the next section.
# /usr/sbin/zncrypt register --org=your_ztrustee_org --auth=org_auth_token

Advanced Registration Commands

The following section provides a full listing of the options for registering your zNcrypt client. Sample command:
# /usr/sbin/zncrypt register --clientname=my_client_name --server=ztrustee.yourlocalserver.com --org=your_ztrustee_org --auth=org_auth_token --skip-ssl-check

Options Explained:
--clientname=my_client_name

A user-defined unique name for this client to be used for administration and reports. You can verify your client name at /etc/zncrypt/ztrustee/clientname:
# cat /etc/zncrypt/ztrustee/clientname
my_client_name

--server=ztrustee.yourlocalserver.com

Hostname of the target zTrustee server for key storage


--org=your_ztrustee_org

zTrustee organization name configured by the zTrustee server administrator


--auth=org_auth_token

Organization authorization token, a pre-shared secret by the zTrustee server administrator


--skip-ssl-check

Skips SSL certificate verification, used with a self-signed HTTPS configuration on the zTrustee server. With verification off the client cannot tell the real zTrustee server from an impostor on the network path, so limit this option to test setups and trusted networks; the organization auth token and the client's key material are exchanged over this connection.
--trustee

Add trustees for retrieval of the master key


--votes

Configure voting policy for trustees


--recoverable

Recoverable means that the Master Key will be uploaded without encrypting it with your local GPG zTrustee key. This allows the key to be recovered through zTrustee if it is lost on the client; the trade-off is that, while stored on the server, the key is not protected by a secret held only on this client.

Configuration Files
Configuration Files

The installer creates the /etc/zncrypt directory. All configuration settings are saved in this directory.

Warning: Do not delete any file from the /etc/zncrypt directory. These files provide the necessary information for the zNcrypt application to function properly.

IMPORTANT: You must perform backups of encrypted data, mount-points, and zNcrypt configuration directories on a regular basis. To do this, ensure you have a backup of the following configuration directory and its subdirectories:
/etc/zncrypt

Failure to back up this directory will make your backup data unrecoverable in the case of data loss.

Change Master Key by UUID (Advanced)

It is also possible to re-use a previously used Master Key by its UUID. For example, if you currently have a Master Key with a single passphrase, you can see the corresponding zTrustee UUID in the /etc/zncrypt/control file:
# cat /etc/zncrypt/control
{
  "app": {
    "name": "zncrypt",
    "version": "3.3.0"
  },
  "keys": {
    "master": {
      "type": "single-passphrase",
      "uuid": "qMAKRMdk4HVbhfzR79cp9w92YBmNHJ5nSLhfd8ZVo6L"
    },
    "targets": []
  }
}
#

You can copy the uuid "qMAKRMdk4HVbhfzR79cp9w92YBmNHJ5nSLhfd8ZVo6L" and use zncrypt key --change with option --new-master-key-uuid to change a Master Key by using its UUID only:
# sudo /usr/sbin/zncrypt key --change --new-master-key-uuid=qMAKRMdk4HVbhfzR79cp9w92YBmNHJ5nSLhfd8ZVo6L
>> Type your OLD Master key
Type MASTER passphrase 1:
Type MASTER passphrase 2:
Verifying Master Key against zTrustee (wait a moment)... OK
Changing Master key (wait a moment)...
 * Setting up EXISTING MASTER key...
 * Uploading CONTROL content...
 * Re-encrypting local keys...
Master key successfully changed.
#

Encrypting
The process of encrypting data using zNcrypt can be broken down into the following steps:
1. Preparing your system for encryption.
2. Encrypting and decrypting your data transparently.
3. Provisioning access by creating Access Control Lists (or ACLs).
4. Maintaining and protecting your encrypted data:
   a. Understanding access modes
   b. Verifying/Changing Master Keys
   c. Updating process signatures
   d. Setting up zNcrypt Module
Overview

The zNcrypt commands have been redesigned to simplify their use.


Common Commands

zncrypt-prepare   Prepare your system for encryption by creating mount-points and specifying storage.
zncrypt-move      Encrypt/decrypt your data to/from the encrypted filesystem.
zncrypt           Manage, update, verify your data.

Less Used Commands

zncrypt-profile
zncrypt-module-setup

These are important depending on the layout of your configuration. These commands, together with their operations and options, are described below.
Preparing for Encryption

In order to prepare for encryption, we will have to set a location to store the encrypted data. In the following example we will use the directory /var/lib/zncrypt/encrypted and /var/lib/zncrypt/mount. If you have certain space/partition requirements please use your best judgement in selecting a different directory, though it is highly recommended that you place the encrypted directory on the same partition as the data you are planning to encrypt. The syntax for the prepare command is as follows:
# sudo zncrypt-prepare <location to store data> <mount-point for partition>

(Note: When specifying the storage path and the mount point path, DO NOT use a trailing / in the path names.) To create our encrypted partition, we will need to create the storage/mount directory:
# sudo mkdir -p /var/lib/zncrypt/encrypted /var/lib/zncrypt/mount

Then create the encrypted partition:


# sudo zncrypt-prepare /var/lib/zncrypt/encrypted /var/lib/zncrypt/mount

Note, the example above uses different locations to store and access the directories. This is to demonstrate the difference between the two directories. It is also possible to store and access the data from the same directory. To get a better understanding of what the command above accomplished, you can run:
# df -hT

This command will display all of the partition information about your system. You should see an eCryptFS partition now being located on the /var/lib/zncrypt/encrypted directory, and mounted on the /var/lib/zncrypt/mount directory. To get an in-depth look at the details behind the zncrypt-prepare command (or to use a unique configuration), you can also use the interactive prompt by simply executing:
# sudo zncrypt-prepare

This launches an interactive console that discusses each parameter in detail and guides you through the following operations:
- Creates internal encryption keys
- Registers internal keys on zTrustee
- Registers the mount-point into zNcrypt in the /etc/zncrypt/ztab file
- Mounts the current mount-point
- Establishes the encryption method (dm-crypt for devices, ecryptfs for directories)
- Configures apparmor

Using the console, you can choose how you want your data stored and accessed. zNcrypt offers two different types of encryption:

- File-Level Encryption with ecryptfs - Protect your data by mounting an encrypted filesystem on top of an existing one. This enables transparent access to encrypted data without modifying your storage.
- Block-Level Encryption with dm-crypt - Protect your data by encrypting the entire device. This option enables full disk encryption and is optimized in some system configurations.

These two encryption methodologies are discussed below.
File System Encryption with eCryptfs

When choosing File-Level encryption during the interactive console, you must specify two parameters:
1. The first parameter is the storage directory you want to store the encrypted file system in. Because this directory will hold all of the encrypted data, it must be as large or larger than the target data.
2. The second parameter is the mount-point for the encrypted file system. This is the location where you can access the encrypted data stored in the first parameter.

NOTE: While the data is technically stored at the location of the first parameter, you can only access the data from the second parameter (the mount-point). It is recommended that you consider this when you choose where to mount your data.

After choosing these two parameters and following the interactive console, you are ready to encrypt your data.
Block Encryption with dm-crypt

When choosing block encryption during the interactive console, you must specify two parameters:
1. The first parameter is the storage device you want to store the encrypted file system in. Because this device will hold all of the encrypted data, it must be as large or larger than the target data.
2. The second parameter is the mount-point for the encrypted file system. This is the location where you can access the encrypted data stored in the first parameter.

NOTE: The entire device in the first parameter will be used for encrypted data.

After choosing these two parameters and following the interactive console, you are ready to encrypt your data. The device /dev/sda1 is ready to be used by zncrypt-prepare, for example:
# sudo /usr/sbin/zncrypt-prepare /dev/sda1 /mnt/dm_encrypted

The following example shows the successful output from the command:

Type MASTER passphrase:
Encryption Type: dmCrypt (LUKS)
Cipher: aes
Key Size: 256
Random Interface: /dev/urandom
Filesystem: ext4
Verifying MASTER key against zTrustee (wait a moment) ... OK
Generation Encryption Keys with /dev/urandom ... OK
Preparing dmCrypt device (--use-urandom) ... OK
Creating ext4 filesystem ... OK
Registering Encryption Keys (wait a moment) ... OK
Mounting /dev/sda1 ... OK
Allowing Mysql access on Apparmor Profiles ... OK

Encrypting and Decrypting

Once the encrypted file system is created and initialized, it is ready to hold data.

Warning: prior to running any encryption, it is important that all processes (MySQL, MongoDB, PostgreSQL, etc.) that have access to the target data are stopped. Failure to do so could lead to data corruption.

All encryption and decryption functionality comes from a single command, zncrypt-move. The syntax of a generic encryption command looks similar to the following:
# sudo zncrypt-move encrypt @<category> <directory to encrypt> <encrypted mount-point>

Options Explained:
zncrypt-move

This is the main command interface for all actions that require moving data either to or from the encrypted file system. To see more about everything you can do with zncrypt-move, please see the zncrypt-move manual ( # man zncrypt-move).
encrypt

This parameter lets zNcrypt know which direction to move data. In this case, we will be moving data into the encrypted file system (encrypting it).

The decrypt parameter is also a valid option here as well, which will produce the opposite effect. Decrypting data will be covered in a later section. Note, all zNcrypt 3.3 encryption commands, by default, require free space equal to twice the size of the encrypted data. If your environment is lacking in free space, add --per-file to the end of the command which will move each file individually. Per file encryption only requires twice the size of the largest individual file.
@<category>

This is the access category that will be applied to the data being encrypted. When moving data into the encrypted file system, you will be protecting it with process-based access controls that will restrict access to only the processes that you allow. The naming convention of the category is entirely up to you (the @ is required), but it is typically a good idea to keep it simple and memorable. Depending on what data you are encrypting, it is usually best to pick a name referencing the data encrypted. For example, a @mongodb category would be fitting for a MongoDB deployment (substitute in @mysql, @postgresql, etc to fit your environment).
<directory to encrypt>

This is the data that you would like to encrypt. This can be anything from a single file to a whole tree of directories. Just remember that the zNcrypt process starts after the system boots, so it's best not to encrypt system-required files/directories (the root partition, the entire /var directory, etc.). A good example of what to encrypt could be /var/lib/mysql/data, /db/data, etc.
<encrypted mount-point>

The last parameter is where you want the data to be stored. This would be the path to the mount-point specified during the zncrypt-prepare command. In the example from the previous section above, this would be /var/lib/zncrypt/mount. When the file is completely encrypted, a symlink is created that points to a @<category> directory under the mount-point. The zncrypt-move command actually moves all specified data to an encrypted filesystem and replaces it with a symbolic link to the mount-point for that encrypted filesystem. Encrypting a directory is similar to encrypting a file. The following command encrypts a directory:
# sudo /usr/sbin/zncrypt-move encrypt @mycategory /path/directory_to_encrypt/ /path/to/mount

The parameter that changes in the command is the directory instead of the filename and a symlink is created for that particular directory. To get a better idea of what this command did, you can run:
# ls -l <directory to encrypt>
# du -h <encrypted storage directory>

The output of which should demonstrate how the file-system is now laid out. Everything that was once in the target directory is now securely stored inside of the encrypted file-system, fully encrypted, and protected from any outside access.
Decryption

The decryption command works in a similar way to the encrypt command. The following example shows how to decrypt a file using the zncrypt-move command:
# sudo /usr/sbin/zncrypt-move decrypt /path/file_to_encrypt

The following example shows how to decrypt a directory using the zncrypt-move command with the directory path:
# sudo /usr/sbin/zncrypt-move decrypt /path/directory_to_encrypt

Encryption and Decryption for MySQL Databases and Tables

You can use MySQL-specific functionality built into zNcrypt to encrypt and decrypt MySQL databases or tables. To see how to use this functionality, see Appendix E.
Restricting Access

Gazzang zNcrypt 3.3 manages file system permissions with an Access Control List (ACL). This ACL is a security access control created by Gazzang that enables a predefined Linux process to access a file or directory handled by zNcrypt. The ACL uses rules to control process access to files. The rules specify whether a Linux process has access permissions to read/write a specific zNcrypt path. A rule is defined in the following command order:
# TYPE @CATEGORY PATH PROCESS PARAMETERS

The following table defines these commands.

Command      Description
TYPE         Tells the file system to allow or deny a process. It can have either of the following values: ALLOW or DENY.
@CATEGORY    A user-defined shorthand, or container, for the encrypted dataset that the process will have access to. For example, if you are encrypting the directory /var/lib/mysql, you could use the category @mysql to indicate that this rule is granting access to a process on the MySQL data. For example: @httpd, @mysql
PATH         Specifies the rights permissions of a specific path. For example: *, www/*.htaccess
PROCESS      Specifies the process or command name for the rule.
PARAMETERS   Specifies the parent and child processes allowed for the rule:
             --shell defines the executable process that zNcrypt allows to run the script
             --children defines which child processes, executed by the process/script, zNcrypt allows
             For example: --shell=/bin/bash, --children=/bin/df,/bin/ls

All rules are stored in an encrypted policy file together with a set of process signatures that are used by zNcrypt to authenticate each Linux process. This file is encrypted with the zNcrypt key you defined during installation.

It is recommended that you use "permissive" mode to assist with the initial ACL rule creation for your environment. With zNcrypt in "permissive" mode, it allows full access to the encrypted data by all processes, but logs them in DMESG as DENIED access messages. Consult these messages to identify required ACL rules. To set zNcrypt to permissive mode, use the following command:
# sudo /usr/sbin/zncrypt set --mode=permissive

While in permissive mode, you can access the encrypted data with your normal tools. This access generates the DENIED access messages in DMESG. Access modes are discussed below.

Deny2allow

After you generate the DENIED access messages, use the zncrypt deny2allow command to show which ACL rules are required, based on the DENIED access messages in DMESG. To show which ACL rules are required, perform the following steps:
1. Save the DMESG content to a file:
# sudo dmesg > /tmp/dmesg.txt

2. Use the dmesg.txt file content as input to the deny2allow command to analyze the DENIED access messages and display a list of required ACL rules based on the DENIED access messages:
# sudo /usr/sbin/zncrypt deny2allow /tmp/dmesg.txt

3. The following example shows the command output:


ALLOW @mysql employees/* /usr/sbin/mysqld
ALLOW @mysql * /bin/bash
ALLOW @mysql * /bin/ls

4. If a rule is displayed in the output from the command, it does not automatically mean the ACL rule needs to be added. You must determine which rules are actually needed. For example, the rule for 'ls' would not typically be added as an ACL rule.
5. When the initial ACL rules are created, disable permissive mode with the following command:
# sudo /usr/sbin/zncrypt set --mode=enforcing

Adding Rules

Rules can be added in two different ways:
1. passing a rule as a parameter
2. passing a rule (or rules) through a policy file.

The following example shows how to add a rule by passing it as a parameter:


# sudo /usr/sbin/zncrypt acl --add --rule="ALLOW @mysql * /usr/sbin/mysqld"

The following example shows how to add multiple (two or more) rules using a policy file:
# sudo /usr/sbin/zncrypt acl --add --file=/mnt/private/acl_rules

With the contents of acl_rules being:


ALLOW @mysql * /usr/sbin/mysqld
ALLOW @log * /usr/sbin/mysqld
ALLOW @apache * /usr/lib/apache2/mpm-prefork/apache2

NOTE: A policy file is the fastest way to add multiple rules because it only requires the security key one time. It is also possible to overwrite the entire current rules set with the option --overwrite. When this command is executed, all current rules are replaced by the ones specified in the file that contains a new set of rules. It is recommended to save a copy of your current set of rules by printing it with the option --print. An example of using the overwrite command:
# sudo /usr/sbin/zncrypt acl --overwrite --file=/mnt/private/acl_rules

Adding Rules by Profile

If your environment requires more granular controls on the processes that can access the data, you can add extra controls by using profiles. Profiles set requirements on a process other than just having the correct fingerprint. They can include such things as process owner and group, required open files, and the current working directory. To see more about adding rules by profile, see Appendix D.

Deleting Rules

Rules can be deleted in one of two ways:
1. passing a rule as a parameter
2. passing the line where the rule resides in the policy file

The following example shows how to delete a rule by passing it as a parameter:


# sudo /usr/sbin/zncrypt acl --del --rule="ALLOW @mysql * /usr/sbin/mysqld"

The following example shows how to delete a rule by passing a line number:
# sudo /usr/sbin/zncrypt acl --del --line 3

It is also possible to delete multiple ACL rules in a single command:


# sudo /usr/sbin/zncrypt acl --del --line=1,3

NOTE: The line numbers can be viewed by issuing the list option (see Printing/Viewing Rules).

Deleting Rules by Profile

To see how to delete rules by profile, please see Appendix D.

Printing/Viewing Rules

You can print all rules that are added to the zNcrypt policy file using the following command:
# sudo /usr/sbin/zncrypt acl --print

The following command option sends the rules directly to a file:


# sudo /usr/sbin/zncrypt acl --print --file=policy-backup

The following command option displays additional information about the organization of the policy file:
# sudo /usr/sbin/zncrypt acl --list

Universal ACL Rules

Universal ACLs allow or deny a process access to all files or directories encrypted with zNcrypt.

If your rule has the form ALLOW @* * /process, the process will be allowed to access anything from all encrypted categories. If your rule has the form ALLOW @data * *, then all processes will have access to any path under the @data category. If your rule has the form ALLOW @* * *, then all processes have access to all encrypted categories; of course, this is not recommended. Example:
# sudo /usr/sbin/zncrypt acl --add --rule="ALLOW @* * /usr/sbin/mysqld"
Type MASTER passphrase:
1 rule(s) were added
# zncrypt acl --list
Type MASTER passphrase:
# - Type Category Path Profile Process
1 ALLOW @* * /usr/sbin/mysqld
#

Enabling Shell Scripts to Be Detected by ACL

All of the previous rules work for binary files. There may be times a script, such as a shell script, must be allowed to access the encrypted directory. You can add the script as a rule by indicating the executable binary process of this script using the '--shell' option, for example:
ALLOW @scripts * /root/script.sh --shell=/bin/bash

Where the --shell option tells zNcrypt which executable process is used to execute the script. If the script is altered, it will no longer be trusted by the ACL because the fingerprint has changed. If you edit the script you must invoke the update option to reset the hash. In some cases, it might be necessary to grant permissions to sub-processes invoked by scripts. For example, grant permissions to /bin/bash that also allow running the /bin/df command so the system administrator can check disk capacity through a script run via a crontab entry. By using the '--children' option, you can grant this permission. For example:

ALLOW @scripts * /root/script.sh --shell=/bin/bash --children=/bin/df

The --children option tells zNcrypt to allow the /bin/df binary process if it is executed from /root/script.sh. To allow more than one sub-process, pass them to --children as comma-separated values. For example:
ALLOW @scripts * /root/script.sh --shell=/bin/bash --children=/bin/df,/bin/ls

To add shell-children sub-processes, execute the zncrypt acl --add command, for example:
# sudo /usr/sbin/zncrypt acl --add --rule="ALLOW @mysql * /usr/bin/mysqld_safe --shell=/bin/bash --children=/bin/df,/bin/ls"
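Before a policy file is loaded with zncrypt acl --add --file or --overwrite --file, its rules can be checked against the grammar described in this section (TYPE @CATEGORY PATH PROCESS, optionally followed by --shell= and --children=), and universal rules such as ALLOW @* * * can be caught before they reach the ACL. The following POSIX shell linter is an added example written for this guide, not part of the zNcrypt product; the function names lint_acl_rules and write_sample_policies and the two sample policy files are constructed here, and the linter only checks the syntax documented above, without calling zncrypt.

```shell
#!/bin/sh
# Added example (not zNcrypt code): lint a zNcrypt ACL policy file before it is
# passed to "zncrypt acl --add --file=..." or "zncrypt acl --overwrite --file=...".
# Rule shape documented in the guide:  TYPE @CATEGORY PATH PROCESS [PARAMETERS]
# The parameters checked are the two the guide documents: --shell= and --children=.

# lint_acl_rules FILE
# Prints one line per finding ("ERROR" or "WARN"); returns 0 when every rule is
# well formed and no rule is universal, 1 otherwise.
lint_acl_rules() {
    file=$1
    rc=0
    lineno=0
    set -f                              # no globbing: a literal "*" field must stay "*"
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac   # blank lines and comments
        set -- $line
        if [ $# -lt 4 ]; then
            echo "line $lineno: ERROR expected TYPE @CATEGORY PATH PROCESS, got: $line"
            rc=1
            continue
        fi
        type=$1; category=$2; path=$3; process=$4
        shift 4                                      # what remains are PARAMETERS
        case "$type" in
            ALLOW|DENY) ;;
            *) echo "line $lineno: ERROR TYPE must be ALLOW or DENY, got '$type'"; rc=1 ;;
        esac
        case "$category" in
            @?*) ;;
            *) echo "line $lineno: ERROR CATEGORY must start with '@', got '$category'"; rc=1 ;;
        esac
        case "$process" in
            /*|'*') ;;
            *) echo "line $lineno: ERROR PROCESS must be an absolute path or '*', got '$process'"; rc=1 ;;
        esac
        for param in "$@"; do
            case "$param" in
                --shell=/*|--children=/*) ;;
                *) echo "line $lineno: ERROR unsupported or relative parameter '$param'"; rc=1 ;;
            esac
        done
        # ALLOW @* * * opens every category to every process: treat it as an error.
        # A wildcard category or wildcard process is legal but broad, so warn.
        if [ "$type" = ALLOW ] && [ "$category" = '@*' ] && [ "$path" = '*' ] && [ "$process" = '*' ]; then
            echo "line $lineno: ERROR universal rule grants every process access to all encrypted data"
            rc=1
        elif [ "$type" = ALLOW ] && { [ "$category" = '@*' ] || [ "$process" = '*' ]; }; then
            echo "line $lineno: WARN broad rule, review before loading: $line"
        fi
    done < "$file"
    set +f
    return $rc
}

# write_sample_policies DIR: constructed sample policy files for the demo and tests.
write_sample_policies() {
    cat > "$1/good_rules" <<'EOF'
# constructed sample policy, modelled on the guide's examples
ALLOW @mysql * /usr/sbin/mysqld
ALLOW @log * /usr/sbin/mysqld
ALLOW @scripts * /root/script.sh --shell=/bin/bash --children=/bin/df,/bin/ls
ALLOW @* * /usr/sbin/mysqld
DENY @mysql * /bin/bash
EOF
    cat > "$1/bad_rules" <<'EOF'
PERMIT @mysql * /usr/sbin/mysqld
ALLOW mysql * /usr/sbin/mysqld
ALLOW @* * *
ALLOW @scripts * /root/script.sh --shell=bash
ALLOW @mysql *
EOF
}

# Demo: lint both constructed files.
demo_dir=$(mktemp -d)
write_sample_policies "$demo_dir"
lint_acl_rules "$demo_dir/good_rules" && echo "good_rules: OK (warnings only)"
lint_acl_rules "$demo_dir/bad_rules" || echo "bad_rules: rejected"
rm -rf "$demo_dir"
```

Run it against the file you intend to pass to --file; a non-zero exit means at least one rule would be rejected or is universal. Profile-based rules (Appendix D) are not covered by this check.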

Maintenance

Understanding Access Modes

zNcrypt provides three different access modes:
- Enforcing is the default mode, which forces zNcrypt to validate all processes against the ACL. To protect your data, enforcing mode needs to be enabled.
- Permissive mode causes ACCESS DENIED messages to be logged in DMESG. It does not prevent access to the encrypted data. This mode is a dry-run feature for running and building ACL rules.
- Admin mode, like permissive mode, does not prevent access to the encrypted data: it allows any process to access the information because the ACL rules are not validated against the process.

WARNING Admin mode will NOT cause any ACCESS DENIED messages logged in DMESG. To change the current access mode, use the following command:
# sudo /usr/sbin/zncrypt set --mode=<enforcing/permissive/admin>

NOTE: You cannot change the zNcrypt access mode unless the zNcrypt module is running. To check on the status of the zNcrypt module, use the following command:
# sudo /usr/sbin/zncrypt status --module

To start the zNcrypt module there must be at least one active mount-point (see Preparing Devices and Directories for Protection with zNcrypt). To verify the mount-points status, execute the following command:
# sudo /etc/init.d/zncrypt-mount status

Master Key Change/Verify

You can perform two operations with the zNcrypt key command: change and verify. You can verify a key against the zNcrypt module, the zTrustee server, or both, for example:
# sudo /usr/sbin/zncrypt key --verify
# sudo /usr/sbin/zncrypt key --verify --only-module
# sudo /usr/sbin/zncrypt key --verify --only-ztrustee

The Master key can be changed in case another key-type authentication mechanism or a new Master key is required. Valid Master key types are single-passphrase, dual-passphrase, and RSA key files. You can change the Master key type by issuing the following command and following the interactive console:
# sudo /usr/sbin/zncrypt key --change

You can apply zTrustee policies to your new key, such as trustees, voters and recoverable, as described in Registering zNcrypt 3.3 with zTrustee 3.5 and above.

Updating a Process Signature

All rules reference a process signature that is used to authenticate the process into the file system. If the file system detects a signature that is different from the one stored in the ACL, the Linux process is denied access and treated as an untrusted process. Occasionally this process signature must be updated, such as when software is upgraded. When the signature must be updated, the zNcrypt administrator re-authenticates the process on the ACL by executing the command:
# sudo /usr/sbin/zncrypt acl --update

The following example shows how to determine when a process signature has been changed and must be updated:

# sudo /usr/sbin/zncrypt acl --list
Type MASTER passphrase:
# - Type Category Path Profile Process
1 !! ALLOW @mysql * /usr/sbin/mysqld
2 ALLOW @log * /usr/sbin/mysqld
3 !! ALLOW @apache * /usr/lib/apache2/mpm-prefork/

In the example above, the double exclamation (!!) marker indicates a process signature issue that must be updated. Similarly, a double E (EE) marker indicates a process read error. This error can be caused by a listed process that does not exist or has permission issues.

Mount-Points Start/Stop/Status

The /etc/init.d/zncrypt-mount command mounts all mount-points that were registered with the zncrypt-prepare command and listed in the /etc/zncrypt/ztab file. The possible operations are:
- Start
- Stop
- Status
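A changed signature (!!) or read error (EE) in the zncrypt acl --list output means the affected process is denied access until zncrypt acl --update is run, so it is worth checking for these markers routinely, for instance after package upgrades. The following POSIX shell check is an added example, not part of zNcrypt or of this guide; it parses a saved copy of the listing (the sample listings are constructed in the format shown above), and the function names check_acl_signatures and write_sample_listing are assumptions.

```shell
#!/bin/sh
# Added example (not zNcrypt code): scan saved "zncrypt acl --list" output for the
# "!!" (signature changed) and "EE" (process read error) markers the guide describes,
# so a scheduled check can alert before a changed binary is denied access to its data.
# Rows look like:  <n> [!!|EE] TYPE @CATEGORY PATH [PROFILE] PROCESS [PARAMETERS]

# check_acl_signatures FILE
# Prints one line per flagged rule; returns 0 when no rule is flagged, 1 otherwise.
check_acl_signatures() {
    file=$1
    flagged=0
    set -f                                  # keep "*" fields literal
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        # Only rows that start with a rule number are rules; this skips the
        # passphrase prompt, the "# - Type ..." header and blank lines.
        case "$1" in ''|*[!0-9]*) continue ;; esac
        num=$1; shift
        case "$1" in
            '!!') shift
                  echo "rule $num: signature changed, run 'zncrypt acl --update': $*"
                  flagged=1 ;;
            'EE') shift
                  echo "rule $num: process read error (missing binary or permissions): $*"
                  flagged=1 ;;
        esac
    done < "$file"
    set +f
    return $flagged
}

# write_sample_listing DIR: constructed listings in the format the guide shows.
write_sample_listing() {
    cat > "$1/flagged.txt" <<'EOF'
Type MASTER passphrase:
# - Type Category Path Profile Process
1 !! ALLOW @mysql * /usr/sbin/mysqld
2 ALLOW @log * /usr/sbin/mysqld
3 !! ALLOW @apache * /usr/lib/apache2/mpm-prefork/apache2
4 EE ALLOW @scripts * /root/script.sh --shell=/bin/bash
EOF
    cat > "$1/clean.txt" <<'EOF'
Type MASTER passphrase:
# - Type Category Path Profile Process
1 ALLOW @mysql * /usr/sbin/mysqld
2 ALLOW @log * /usr/sbin/mysqld
EOF
}

# Demo. On a real host, replace the sample file with the saved output of
# "sudo /usr/sbin/zncrypt acl --list > /tmp/acl-list.txt".
demo_dir=$(mktemp -d)
write_sample_listing "$demo_dir"
check_acl_signatures "$demo_dir/flagged.txt" || echo "ACL needs attention"
check_acl_signatures "$demo_dir/clean.txt" && echo "ACL signatures OK"
rm -rf "$demo_dir"
```

The check deliberately does not run zncrypt acl --update itself: a changed signature is expected after a planned upgrade, but it is also what an unexpected replacement of a trusted binary looks like, so the administrator should confirm the cause before re-trusting the process.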

IMPORTANT: Be aware that when executing the stop operation, the encrypted mount-point will be unmounted and your data becomes inaccessible. The following example shows how to execute the zncrypt-mount status with some inactive mount-points:
# sudo /etc/init.d/zncrypt-mount status

The following example shows how to execute the zncrypt-mount stop command:
# sudo /etc/init.d/zncrypt-mount stop

The following example shows how to execute the zncrypt-mount start command:
# sudo /etc/init.d/zncrypt-mount start

If you do not have an Internet connection, the following command is used to mount a directory:
# sudo /usr/sbin/mount.zncrypt /path/to_encrypted_data/ /path/to/mountpoint

Note: This command can be executed only if the zncrypt-prepare command was previously executed.

Registration, Module and Access Mode Status

You can verify zNcrypt registration status with the following command:
# sudo /usr/sbin/zncrypt status --registration

When at least one mount-point is active (see Mountpoints Start/Stop/Status), the zNcrypt module status is Up and Running. If no mount-points are active, the zNcrypt module is not running. You can check the status with the following command:
# sudo /usr/sbin/zncrypt status --module

Allowing Access to a Single Operation

Sometimes it is necessary to execute a single operation on encrypted data, such as listing the encrypted files or copying a particular file. The zncrypt exec command provides an efficient method to accomplish this. In the following example, permission is denied when the command is run without zncrypt exec:
# ls /mnt/db_encrypted/mysql/

The following example shows the output from the command:


ls: cannot open directory /mnt/db_encrypted/mysql/: Permission denied

If the 'ls' command is executed with zncrypt exec, access is allowed for this time only:
# sudo /usr/sbin/zncrypt exec "ls -l /mnt/db_encrypted/mysql/"

Get ACL Rules from DMESG DENIED ACCESS

The zNcrypt deny2allow command is a useful tool to create ACL rules.
1. Save DMESG content to a file by using a command similar to the following example:

# sudo dmesg > dmesg.txt

2. Use the file contents as input to zncrypt deny2allow to analyze the DENIED ACCESS messages and display a list of rules to add to the ACL to avoid DENIED access:
# sudo /usr/sbin/zncrypt deny2allow dmesg.txt

NOTE: This command is also useful to determine whether any process, known or unknown, attempted to access your encrypted information.

Setting up zNcrypt Module

If the headers were not installed on your host, the zNcrypt module was not built at installation time. To avoid reinstalling the system, install the headers and execute the zNcrypt command:
# zncrypt-module-setup

This causes it to attempt to build the module and install it. This method is also an easy way to install any new zNcrypt module feature or fix without changing your current zNcrypt environment.

File Structure of zNcrypt Configuration

The file structure created on /etc/zncrypt/* is:
# tree /etc/zncrypt/
/etc/zncrypt/
|-- control -> /etc/zncrypt/jSpi9SM65xUIIhrau1Nn8ZXmQhrrQ9e363EUz8HKiRs
|-- jSpi9SM65xUIIhrau1Nn8ZXmQhrrQ9e363EUz8HKiRs
|-- rules
|-- ztab
`-- ztrustee
    |-- clientname
    |-- deposits
    |   |-- dev.loop0
    |   |-- media.31E5-79B9
    |   |-- mnt.a
    |   |-- mnt.encrypted
    |   `-- mnt.tomount
    |-- pubring.gpg
    |-- pubring.gpg~
    |-- random_seed
    |-- secring.gpg
    |-- trustdb.gpg
    `-- ztrustee.conf

The following files and directories are part of the created file structure:
- control - file that saves information about the mountpoints and corresponding zTrustee keys.
- rules - file that contains the ACL rules. It is encrypted with the user-provided master key.
- ztab - file that contains information about all the mountpoints and their encryption type.
- ztrustee - directory where zTrustee GPG keys are stored. These are generated during the zncrypt register operation.
- ztrustee/deposits - directory where the zNcrypt keys are saved. These are encrypted with the user-provided master key.

NOTE: Every mountpoint has an internal randomly generated encryption passphrase.
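The Configuration Files section requires regular backups of /etc/zncrypt, and the list above names the entries a restore depends on. The following POSIX shell script is an added example, not part of zNcrypt or of this guide: it refuses to write an archive that lacks control, rules, ztab or ztrustee/deposits, and then reads the archive back as a verification step. The function names and the stand-in directory built by make_sample_config (placeholder contents, no real keys) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not zNcrypt code): back up the zNcrypt configuration directory the
# guide says must be preserved (/etc/zncrypt with control, rules, ztab and the
# ztrustee/deposits key directory) and verify the resulting archive.
# The directory built by make_sample_config is a constructed stand-in for the demo.

# backup_zncrypt_config SRC_DIR DEST_DIR
# Writes DEST_DIR/zncrypt-config-<timestamp>.tar.gz, prints its path and returns 0.
# Returns 1 when a required entry is missing, because such a backup could not be
# used to recover the encrypted data.
backup_zncrypt_config() {
    src=$1
    dest=$2
    [ -d "$src" ] || { echo "backup: no such directory: $src" >&2; return 1; }
    for required in control rules ztab ztrustee/deposits; do
        [ -e "$src/$required" ] || {
            echo "backup: $src/$required is missing, refusing to create an unusable backup" >&2
            return 1
        }
    done
    mkdir -p "$dest" || return 1
    archive="$dest/zncrypt-config-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C stores paths relative to the config directory; the control symlink is kept
    # as a symlink, and its target file lives in the same directory.
    tar -czf "$archive" -C "$src" . || return 1
    # Read the archive back so a truncated or corrupt file is caught now, not at restore time.
    tar -tzf "$archive" >/dev/null 2>&1 || { echo "backup: $archive failed verification" >&2; return 1; }
    echo "$archive"
}

# archive_has ARCHIVE ENTRY: returns 0 when ENTRY (for example ./rules) is stored in ARCHIVE.
archive_has() {
    tar -tzf "$1" | grep -qxF "$2"
}

# make_sample_config DIR: constructed stand-in for /etc/zncrypt with placeholder contents.
make_sample_config() {
    mkdir -p "$1/ztrustee/deposits"
    echo '{"app":{"name":"zncrypt","version":"3.3.0"}}' > "$1/KEY-UUID-PLACEHOLDER"
    ln -s KEY-UUID-PLACEHOLDER "$1/control"
    echo 'placeholder encrypted rules' > "$1/rules"
    echo 'placeholder ztab' > "$1/ztab"
    echo 'placeholder deposit' > "$1/ztrustee/deposits/mnt.encrypted"
    echo 'my_client_name' > "$1/ztrustee/clientname"
}

# Demo: back up a constructed config tree, then show the refusal once ztab is gone.
demo_dir=$(mktemp -d)
make_sample_config "$demo_dir/etc-zncrypt"
backup_zncrypt_config "$demo_dir/etc-zncrypt" "$demo_dir/backups"
rm "$demo_dir/etc-zncrypt/ztab"
backup_zncrypt_config "$demo_dir/etc-zncrypt" "$demo_dir/backups" || echo "demo: refusal is expected here"
rm -rf "$demo_dir"
```

On a real host run backup_zncrypt_config /etc/zncrypt <destination> as root, and keep the destination on storage that is not itself under a zNcrypt mount-point, since the archive is what lets you recover that mount-point.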

Appendices
Appendix A - Installing zNcrypt 3.3 with zTrustee 3.4 and below
Registering zNcrypt 3.3 with zTrustee 3.4 and below

This is part of a two-step process, registration and activation, and applies only to registrations against a zTrustee key manager version 3.4 or below. To register you need to execute:
# sudo /usr/sbin/zncrypt register --server=your_ztrustee_key_manager.server.com

By default zNcrypt 3.3 will try to register against ztrustee.gazzang.com, which runs zTrustee 3.5 or above; to register against a zTrustee server version 3.4 or below, you need to specify the server to use.
Activating zNcrypt 3.3 with zTrustee 3.4 and below

After zNcrypt is installed and registered, zTrustee allows up to 10 different free deposits. These deposits are used when a zNcrypt client deposits opaque objects for storage. This includes registration of the master key with the zTrustee server, a change of master key, and depositing of the internal encryption key when data is encrypted. The following command, with the appropriate parameters, will activate your zNcrypt client:
# sudo /usr/sbin/zncrypt request-activation --contact=your.org.admin@yourcompany.com --notify=your.email@yourcompany.com

Note: the email address used for --contact must be the registered Gazzang administrator. If you are unsure who your administrator is, contact support@gazzang.com.

This command sends a request to activate your zNcrypt installation from your organization administrator. It is recommended that you activate your zNcrypt installation immediately so you can receive help from the Gazzang Support team. With registration, you are granted 10 free deposits to the zTrustee server. You cannot make additional deposits until zNcrypt is activated. Activating zNcrypt removes the limit, and you can perform an unlimited number of zNcrypt operations. If you reach a total of 10 deposits, a Payment required error message displays. This indicates you need to activate zNcrypt to use the entire functionality.

Note: Although your data is still accessible after reaching the deposit limit, you cannot change your master password, encrypt new data, or deposit objects of any kind.

When activation is requested, you will be prompted for the Master key that you entered with the zncrypt register command. For the --contact option, insert the email address of the zTrustee organization admin assigned to your company. The value of --notify is the user email notified when activation is complete (typically your own email). The notify address receives an email similar to the following:
From: zTrustee-noreply@ztrustee.gazzang.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello, this is an automated message from your Gazzang ztrustee Server.
This is a confirmation receipt that a ztrustee client has been activated.
No further action on your part is necessary.

Details on the client:
* Public key fingerprint: [2048R/582A774CA0BB0223D7891BADCF9281B9AE27E775]
* Organization name: [your_company]
* Org administrator contact: [your.org.admin@yourcompany.com]

=========================================================================================
To verify this message, import this Gazzang zTrustee server's public GPG key:
gpg --keyserver hkp://ztrustee.gazzang.net:80 --recv-keys 0xAF640AE12DB149789CA8CE6BF1604C34D830DE25
=========================================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCgAGBQJRAECWAAoJEPFgTDTYMN4gAZoP/indJqc/YdBg0vP08b7HhOET
JtP8zwhHZGAGoYU6o5NABLKjhDhGs4nPoj3HGzIcQqFG5v2Jk6egiumTQje/+5Nb
MlvvQOeWLJzY1AJKh1/hLhU0IXpbYPt7tMraWd9XjOx/PU6zYjm5K03RqQRtZzCD
y0GhGsGMM84+mKXoUMNbGOIr7o5bc23I1cMbwkNjAxFzUWqsBPAoYRlonZKmy8Cg
NStHB08ZXFmq5g3BeYMfxoAh3nPNYEpRhpt6cTOf9S0vt19ihO1qB39aPFSNc5jq
PmKFXKVOUaUkLrW3jRxfyW2ovYi+0PKDHd5TrniBe9XYIs2tw6fEOqFlGOAUl1F0
ECKHLdvfr56c0v9kx0qZ
=aRLu
-----END PGP SIGNATURE-----

After you receive this confirmation email, you can add as many mount-points as required in your zNcrypt environment.

Appendix B - Using Block Encryption with a loop device


Block Encryption with a loop device

When encrypting a device with block encryption, the device does not have to be an actual device. It can be a storage space treated as a device instead. This can be useful for testing or temporary configurations. To configure a loop device, use the dd command to create a storage space:
# dd if=/dev/zero of=storage_space bs=512M count=2
2+0 records in
2+0 records out
1073741824 bytes (1.1 GB) copied, 20.4087 s, 52.6 MB/s
# losetup -f
/dev/loop0
# losetup /dev/loop0 storage_space
#

The dd command used above creates a 1 GB file. The losetup -f command returns an unused loop device to be used as a device. The command losetup /dev/loop0 storage_space configures the device with the 1 GB storage space. The device /dev/loop0 is then ready to be used by zncrypt-prepare, for example:

# sudo /usr/sbin/zncrypt-prepare /dev/loop0 /mnt/dm_encrypted

The following example shows the successful output from the command:

Type MASTER passphrase:
Encryption Type: dmCrypt (LUKS)
Cipher: aes
Key Size: 256
Random Interface: /dev/urandom
Filesystem: ext4
Verifying MASTER key against zTrustee (wait a moment) ... OK
Generation Encryption Keys with /dev/urandom ... OK
Preparing dmCrypt device (--use-urandom) ... OK
Creating ext4 filesystem ... OK
Registering Encryption Keys (wait a moment) ... OK
Mounting /dev/loop0 ... OK
Allowing Mysql access on Apparmor Profiles ... OK

Appendix C - Upgrading to zNcrypt 3.3 from ezncrypt 2.3 and up


WARNING: Do not delete any files from the /etc/ezncrypt directory. These files provide necessary information to the zNcrypt application. Also, if you are upgrading the product, save a copy of /etc/ezncrypt/ezncrypt.conf before you answer the questions, or your customizations will be lost. Upgrading overwrites customizations and can make the system seem broken; the system is recoverable once the correct settings are put back.

The following process describes how to upgrade to zNcrypt 3.3:

1. Stop the ezNcrypt service with the following command:
# sudo /usr/sbin/ezncrypt-service stop

2. The following example shows successful output from the command:


ezncrypt | Checking system dependencies
ezncrypt | WARNING: ezncrypt service will be stopped.
         | Continue? (y/N) y
         | Are you sure? (y/N) y
ezncrypt | stopping service
         | done!
log      | File: /var/log/ezncrypt/ezncrypt-service.log


3. Install the zNcrypt 3.3 software using the instructions outlined at the beginning of this document. Then run the zncrypt-upgrade script to upgrade your encrypted data and your ACL rules from the ezNcrypt system to the new zNcrypt 3.3.

NOTE: You must provide the Master Passphrase/Salt combination that was used during the original installation of ezNcrypt 2.3 or above.

The following example shows the zncrypt-upgrade command:
# sudo /usr/sbin/zncrypt-upgrade

The following example shows the successful output from the command:

Please ENTER your ezNcrypt 2.x key
Type passphrase:
Type salt:
Validating passphrase(s) against the KSS ... OK
Registering zNcrypt on 'https://ztrustee.gazzang.com' ... OK
Configuring zNcrypt directories
Encryption Type: eCryptfs
Cipher: aes
Key Size: 256
Random Interface: /dev/urandom
Filesystem: ext4
Verifying MASTER key against zTrustee (wait a moment) ... OK
Registering Encryption Keys (wait a moment) ... OK
Mounting /var/lib/ezncrypt/storage/encrypted_private ... OK
Allowing Mysql access on Apparmor Profiles ... OK
Migrating the ACL rules... OK
The zNcrypt upgrade was successful.

4. Verify the ezNcrypt ACL rules were correctly added to the new zNcrypt 3.3 system. Use the following command:
# sudo /usr/sbin/zncrypt acl --list

5. Verify the ezNcrypt directories are mounted with new zNcrypt 3.3 system. Use the following command:
# sudo /bin/df -hT

6. After you verify everything is working correctly, uninstall ezNcrypt. To uninstall ezNcrypt from Debian/Ubuntu:

# sudo apt-get purge ezncrypt ezncryptfs

To uninstall ezNcrypt from CentOS/Redhat:


# sudo yum remove ezncrypt ezncryptfs

To uninstall ezNcrypt from openSUSE:


# sudo zypper remove ezncrypt ezncryptfs

NOTE When upgrading from ezNcrypt 2.3 to zNcrypt 3.3 the cryptographic filesystem type for migrated encrypted data is still ecryptfs.

Appendix D - Uninstalling and Reinstalling zNcrypt


Uninstalling zNcrypt 3.3

If you need to uninstall the software, enter the following commands: For Debian/Ubuntu:
# sudo apt-get purge zncrypt
# sudo apt-get purge zncrypt-kernel-module

For CentOS/Redhat:
# sudo yum remove zncrypt
# sudo yum remove zncrypt-kernel-module

NOTE: These commands remove the software itself. On Debian/Ubuntu the purge command will remove the /etc/zncrypt directory. On CentOS/Redhat the /etc/zncrypt directory is not removed as part of the uninstall. It will need to be removed manually.
Reinstalling zNcrypt 3.3

To reinstall the software, it must first be uninstalled. Follow the instructions for your OS (Uninstalling zNcrypt 3.3), and then repeat the installation instructions for your distribution.

IMPORTANT: When uninstalling zNcrypt, the configuration files and directories located at /etc/zncrypt are not removed. During reinstallation, the zncrypt register command is NOT necessary. If you are sure you no longer require the previous installation configuration information in the directory /etc/zncrypt, you can remove its contents, or (recommended) perform a backup of it.

Appendix E - Adding/Removing Rules by Profile


Adding

If your environment requires more granular controls on the processes that can access the data, you can add extra controls by using profiles. Profiles set requirements on a process other than just having the correct fingerprint. They can include such things as process owner and group, required open files, and the current working directory. A profile is generated by using the command:
# /usr/sbin/zncrypt-profile --pid=<pid>

The output is displayed on the screen by default (you can redirect it to a file using the >> redirection operator). You can then edit the JSON output in the file to remove lines you do not want. By default, the profile includes the UID, the short name of the binary or script (identified as comm), and the full command line of the running process (including any parameters passed). You can also add information by using one of these flags:

-c, --with-cwd   Show the current working directory
-e, --with-egid  Show the egid
-g, --with-gid   Show the gid
-u, --with-euid  Show the euid

Example output from the zncrypt-profile command:


{
  "uid":"0",
  "comm":"NetworkManager",
  "cmdline":"NetworkManager pid-file=/var/run/NetworkManager/NetworkManager.pid",
  "gid":"0",
  "cwd":"/",
  "fd0":"/dev/null",
  "fd1":"/dev/null",
  "fd2":"/dev/null"
}


IMPORTANT: Some distributions do not support euid and egid. Make sure that your profile file is correct by executing the following command to verify the expected ids:
# ps -p 31235 -o euid,egid
EUID EGID
   0 1000

If cmdline parameters are variable (for example, a process start timestamp appended to a filename), the process profile will not match on subsequent restarts of the process, because the current profile will have an updated timestamp and access will be denied by the ACL. There is an option to mark those parameters as variable inside the profile file. For example, if the cmdline of a process is something like:
cmdline:NetworkManager pid-file=/var/run/NetworkManager/NetworkManager.pid logfile=/var/log/NetworkManager/log-20130808152300.log

where log-20130505122300.log is a variable cmdline parameter, then before adding the process profile to the ACL you can edit the process profile file and use ## to specify that this parameter is variable:
cmdline:NetworkManager pid-file=/var/run/NetworkManager/NetworkManager.pid logfile=##

With the above configuration, the ACL will allow any value for the logfile cmdline parameter. The application of the profile is performed by using the additional parameter --profile-file=<filename> when adding the ACL as shown above. For example:
# sudo /usr/sbin/zncrypt acl --add --rule="ALLOW @mysql * /usr/sbin/mysqld" --profile-file=/path/to/profile/file
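The following is an added example, not Gazzang's code, that models how a profile edited this way behaves: the same daemon is checked before and after a restart that changes only the timestamp in its logfile name. The matching rule (tokens compare exactly, except that key=## accepts any value for key) and the process snapshots are assumptions made for the example, not zNcrypt's internal logic.

```python
# Added example, not Gazzang's code: models how a zNcrypt-style process
# profile whose cmdline uses '##' for a variable parameter is matched against
# a running process. The matching rule is an assumption made here: tokens
# compare exactly, except that 'key=##' accepts any value for 'key'.
import json

def token_matches(pattern: str, actual: str) -> bool:
    """'key=##' matches 'key=<anything>'; a bare '##' matches any token."""
    if pattern == "##":
        return True
    if pattern.endswith("=##"):
        return actual.startswith(pattern[:-2])  # keep 'key=', drop '##'
    return pattern == actual

def cmdline_matches(profile_cmdline: str, actual_cmdline: str) -> bool:
    """Token-wise comparison; a different number of arguments never matches."""
    expected, actual = profile_cmdline.split(), actual_cmdline.split()
    return len(expected) == len(actual) and all(
        token_matches(p, a) for p, a in zip(expected, actual))

def profile_matches(profile: dict, process: dict) -> bool:
    """Every field kept in the edited profile must agree with the process;
    fields deleted from the JSON (gid, cwd, fdN, ...) are not checked."""
    for key, wanted in profile.items():
        if key == "cmdline":
            if not cmdline_matches(wanted, process.get("cmdline", "")):
                return False
        elif str(process.get(key)) != str(wanted):
            return False
    return True

# Constructed profile, as it looks after editing the zncrypt-profile output
# and replacing the timestamped logfile value with '##'.
PROFILE_JSON = ('{"uid":"0","comm":"NetworkManager","cwd":"/",'
                '"cmdline":"NetworkManager pid-file=/var/run/NetworkManager/'
                'NetworkManager.pid logfile=##"}')

# Constructed snapshots of the same daemon before and after a restart; only
# the timestamp embedded in the logfile name differs.
_BASE = "NetworkManager pid-file=/var/run/NetworkManager/NetworkManager.pid logfile="
PROCESS_FIRST_START = {"uid": 0, "comm": "NetworkManager", "cwd": "/",
                       "cmdline": _BASE + "/var/log/NetworkManager/log-20130808152300.log"}
PROCESS_AFTER_RESTART = dict(PROCESS_FIRST_START,
                             cmdline=_BASE + "/var/log/NetworkManager/log-20130809090000.log")
PROCESS_OTHER_CWD = dict(PROCESS_FIRST_START, cwd="/tmp")

def evaluate(profile_json: str = PROFILE_JSON) -> dict:
    """Return which snapshots the profile admits (True) or denies (False)."""
    profile = json.loads(profile_json)
    return {"first_start": profile_matches(profile, PROCESS_FIRST_START),
            "after_restart": profile_matches(profile, PROCESS_AFTER_RESTART),
            "other_cwd": profile_matches(profile, PROCESS_OTHER_CWD)}
```

Without the ## edit, the profile captured at first start would deny the restarted process, which is exactly the failure mode described above; with it, the restart is admitted while a changed working directory is still refused.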

Display the profile portion of the rules by using the --all parameter with zncrypt acl --list --all:
# sudo /usr/sbin/zncrypt acl --list --all
Type MASTER passphrase:
# - Type   Category  Path  Profile  Process
1   ALLOW  @mysql    *     YES      /usr/sbin/mysqld
PROFILE:
{"uid":"120","comm":"mysqld","cmdline":"mysqld"}
#

Appendix F - Encrypting and Decrypting MySQL


You can use zNcrypt to encrypt or decrypt MySQL databases or tables.

IMPORTANT: MySQL tables must use the InnoDB or MyISAM storage engine. If a table does not use one of these engines, zNcrypt fails when trying to execute mysql-encrypt operations, as in the following example:
# sudo /usr/sbin/zncrypt-move mysql-encrypt /mnt/db_encrypted employees employee_data

The following example shows the output from the command:


Type MASTER passphrase:
Mysql - Please provide a MySQL username & password
Enter username: root
Enter password: mysql
Looking for 'employees' on MySQL.. done!
WARNING! employee_data: 'NULL' engine is not supported
#


Encrypting MySQL Tables and Databases

The command to encrypt MySQL databases and tables is:


# sudo /usr/sbin/zncrypt-move mysql-encrypt

To encrypt a table on a selected database:


# sudo /usr/sbin/zncrypt-move mysql-encrypt /mount/point databasename tablename

NOTE By default, this command assumes that MySQL is located at the directory /var/lib/mysql. If this is not the case, then you can explicitly tell zNcrypt where MySQL is located by editing the /usr/lib/zncrypt/mysql-functions file, and modifying the MySQL datadir parameter to reflect your directory layout.


For this example of encrypting MySQL, assume a database named employees contains tables named employee_data and employee_benefits.
Type MASTER passphrase:
Mysql - Please provide a MySQL username & password
Enter username: root
Enter password: mysql
Looking for 'employees' on MySQL.. done!
mysql - stopping mysql service.. done!
zncrypt - encrypting selected tables
> encrypting 'InnoDB/employee_data'
Size to encrypt: 12 Kb
Moving from: '/var/lib/mysql/employees/employee_data.frm'
Moving to: '/mnt/db_encrypted/mysql/employees/employee_data.frm'
[=====================================================================>] 100% Done.
Size to encrypt: 96 Kb
Moving from: '/var/lib/mysql/employees/employee_data.ibd'
Moving to: '/mnt/db_encrypted/mysql/employees/employee_data.ibd'
[=====================================================================>] 100% Done.
done!
mysql - starting mysql service
1 table(s) were successfully encrypted
#

To encrypt multiple tables, list the names, separated by spaces:


# sudo /usr/sbin/zncrypt-move mysql-encrypt /mnt/db_encrypted employees employee_data employee_benefits

To encrypt a database, specify it by name, without listing a table:


# sudo /usr/sbin/zncrypt-move mysql-encrypt /mnt/db_encrypted employees

IMPORTANT When a table or database has been encrypted, its corresponding ACL rule must be added. If the ACL rule is not added, the mysqld service cannot determine whether the database or table exists because it is encrypted and access will be denied to mysqld. The following command shows how to add a mysqld rule:


# sudo /usr/sbin/zncrypt acl --add --rule="ALLOW @mysql * /usr/sbin/mysqld"

The default category for mysql operations with zNcrypt is @mysql.


Decrypting MySQL Tables and Databases

To decrypt a database or table, use:


# sudo /usr/sbin/zncrypt-move mysql-decrypt

To decrypt a table, specify the database and table name to decrypt:


# sudo /usr/sbin/zncrypt-move mysql-decrypt employees employee_data

The following example shows the output from the command:


Type MASTER passphrase:
Mysql - Please provide a MySQL username & password
Enter username: root
Enter password: mysql
Looking for 'employees' on MySQL.. done!
mysql - stopping mysql service.. done!
zncrypt - decrypting selected tables
> decrypting 'InnoDB/employee_data'
Size to decrypt: 20 Kb
Moving from: '/mnt/db_encrypted/mysql/employees/employee_data.frm'
Moving to: '/var/lib/mysql/employees/employee_data.frm'
[=====================================================================>] 100% Done.
Size to decrypt: 104 Kb
Moving from: '/mnt/db_encrypted/mysql/employees/employee_data.ibd'
Moving to: '/var/lib/mysql/employees/employee_data.ibd'
[=====================================================================>] 100% Done.
done!
mysql - starting mysql service
1 table(s) were successfully decrypted
#

To decrypt multiple tables, execute the mysql-decrypt command and specify the database and tables to decrypt:


# sudo /usr/sbin/zncrypt-move mysql-decrypt employees employee_data employee_benefits

The following example shows the output from the command:


Type MASTER passphrase:
Mysql - Please provide a MySQL username & password
Enter username: root
Enter password: mysql
Looking for 'employees' on MySQL.. done!
mysql - stopping mysql service.. done!
mysql - starting mysql service
2 table(s) were successfully decrypted
#

The following command decrypts a database:


# sudo /usr/sbin/zncrypt-move mysql-decrypt employees

The following example shows the output from the command:


Type MASTER passphrase:
stopping mysql service... done!
Size to decrypt: 264 Kb
Moving from: '/mnt/db_encrypted/mysql/employees'
Moving to: '/var/lib/mysql/employees'
[=====================================================================>] 100% Done.
starting mysql service... done!
#

Appendix G - zNcrypt with RDRAND and AES-NI


Both the ecryptfs and DM-Crypt backends for zNcrypt can automatically detect and use AES-NI if it is available. To load the modules needed for AES-NI, issue the following command:
# sudo modprobe aesni-intel


zNcrypt only needs a source of random numbers if it is using DM-Crypt as its backend. In that case, rng-tools should be used to seed the system's entropy pool from the RDRAND instruction. It is important to use rng-tools version 4 or higher, as version 4 was the first able to read from RDRAND. To install and start rngd:

1. Download the source from http://sourceforge.net/projects/gkernel/files/rng-tools/4/rng-tools4.tar.gz/download
2. Extract it with tar -xf
3. ./configure
4. make
5. make install

Once rng-tools is installed, start the rngd daemon by running the following command as root:
# rngd --no-tmp=1 -o /dev/random

The device /dev/random should now be able to output very quickly. It makes the most sense for zNcrypt to read directly from /dev/random, as this seems to perform better than reading from /dev/urandom. To tell zNcrypt to use /dev/random as an entropy source, pass --use-random to the zncrypt-prepare command when you are setting up zNcrypt. The use of RDRAND eliminates the need for haveged, as there is no performance improvement when haveged is used along with RDRAND, and RDRAND should provide higher quality entropy.
