Alicia Asín – June 18, 2008
The information stored in a node of a computer network may be critical in some cases: accountancy files, medical or student’s records, customer data bases, log and config files, data acquired from a sensor network or even executables. Having this data encrypted prevent them from being unveiled if the router where they are stored is stolen. Only those who know the encryption password would be able to access the data, minimizing the damages. If you are responsible of critical information stored in the network nodes of your customers you should consider protecting these data.
There are many solutions to keep files safe, either ciphering them separately or putting them in an encrypted partition protected with a password. The Meshlium Manager System provides a mechanism for creating easily an encrypted partition to store data. When the partition is created, you can save files directly and keep them ciphered. Whenever the router is powered off, the encryptied partition must be activated by entering the password. This ensures that the information will not be legible in case someone steals the router. Once the partition is activated, it is accessed through a mapper which encrypts or decrypts on the fly the data written and read from the partition so that the data always remain encrypted. Accessing to these data without the encryption password is impossible, even knowing the root machine password. Step a step info about this process in this link.
The encryption method is based upon the AES (Advanced Encryption Standard) algorythm with a 265bit key (the highest allowed). This is a 128bit block cipher used worldwide and one of the most popular in symmetric key cryptography (same key for cipher and deciphering). AES is the successor to DES algorythm because it is faster, more robust (longer key size) and consumes less memory. The algorithm also utilizes also a SHA2 hash function, the SHA-256 which makes a 256 bits digest (the fixed-lenght digital representation of the input) length.
Application 1: Keeping data from a Sensor Network encrypted
The ZigBee protocol is increasingly used in medicine, thus data privacy is gaining importance. Meshlium acquires data from sensors through its ZigBee communication interface. Once the encrypted partition has been created, you can choose to save the sensor values there with just one click in the ZigBee tab of the communication interfaces section.
Application 2: saving configuration files
Sometimes it is also interesting to encrypt configuration files when they contain a plaintext password, for example. The hostapd may be a case, since you have to store in its config file the passphrase of the private key. In this case, the file can be saved in the encrypted partition. Then, a symbolik link must be created pointing to the new file location.
$ mv /etc/hostapd/hostapd.conf /mnt/users
$ ln -s /mnt/users/hostapd.conf /etc/hostapd/hostapd.conf
In this recipe it has been shown how to prevent others from reading critical information stored in a Meshlium router. It is important to understand that this mechanism ensures privacy for the data, but not its integrity. In case someone gained root access to your machine he or she could still write in the encrypted partition and change some files. If data integrity is as important as its privacy, the use of a file integrity checker should be considered.