The Couchbase Server 7.0 Beta is now available with some additional enhancements to strengthen the security of the platform. Couchbase has always recommended that customers utilize disk encryption technologies to ensure that their data is secure as part of an overall security strategy. An important new announcement is the introduction of Couchbase Certification of LUKS On-Disk Encryption.
Before we look at encryption and how it fits into the overall picture, let’s start with looking at the 3 stages where documents reside in a Couchbase Server cluster.
| Stage | Description | Example in Couchbase |
|---|---|---|
| Data in Process | Active data, in system memory. | Documents which are in-use. |
| Data in Transit | Data which is moving between systems. | Replication, XDCR |
| Data at Rest | Data which is currently not in active use. | Buckets on the disk of an offline machine. |
Many security and regulatory standards such as PCI-DSS, FIPS, FISMA and GDPR require confidential information to be encrypted in these various stages. Data in process can be secured with Couchbase’s Field Level Encryption technology at the application layer. Couchbase components secure data in transit, also known as data on-the-wire, with TLS Encryption and X.509 Certificates. There are many ways to encrypt data-at-rest. One option that is commonly used by our customers in a Linux environment is LUKS, the Linux Unified Key Setup; we also support 3rd party providers such as Thales Vormetric.
Data at rest encryption.
It is important to understand what data-at-rest encryption is for and what it provides. The technology is used to protect storage systems which are in an offline or locked state and prevents the media being read without the appropriate authority and access. Data which is encrypted-at-rest does not remain protected while a device is online, unlocked and operational.
Encryption for data-at-rest is commonly used to protect confidential information in the event of loss or theft of assets. Most modern smartphones will use encryption at rest by default without any user configuration; this is sometimes referred to as Full-Disk Encryption. It is also used in environments where multiple users re-use the same underlying hardware, such as in a cloud environment.
LUKS Disk Encryption
LUKS is a fully open-source tool that has been the de-facto standard for disk encryption in Linux environments for many years. It is included in all of our certified Linux Operating Systems and supported by those vendors. LUKS sits in the kernel layer and encrypts storage at a disk block level, allowing users to transparently deploy any file system of their choosing on top of this block level encryption. LUKS is able to encrypt storage partitions which can be presented from a single drive, multi-disk RAID arrays, Logical Volume Manager (LVM) or even file-backed partitions.
LUKS is very flexible and offers a range of cipher suites. By default in a Red Hat 8 Linux environment, LUKS will use a highly secure 512 bit AES (Advanced Encryption Standard) key. Encrypted LUKS volumes contain multiple key slots, allowing users to add backup keys or pass-phrases. There are also additional security features such as key revocation and protection for bad pass-phrases using Argon2.
LUKS is not a good option for customers deployed on non-Linux platforms, such as MacOS and Windows. It is also not recommended for customers who do not have an active Operating System vendor support contract. Standard Operating System provided encryption technologies, such as Microsoft Encrypted Filesystem (EFS) or our 3rd party encryption at rest partners are a better option for these customers.
How do I use LUKS to securely encrypt my Couchbase Server data at rest?
There are several different ways to implement LUKS in a Linux environment. Most commonly it is implemented using dm-crypt, part of the kernel-level device mapper infrastructure, with the cryptsetup command line utility used to set up dm-crypt targets.
I’ll give you an example of some commands I’ve used on my Ubuntu 16 Couchbase Server Cluster to set up a disk with Logical Volume Management (LVM). I will then deploy a LUKS encrypted Logical Volume and mount this as the data directory for my Couchbase Server Node. This will ensure that if my Couchbase Server is ever stolen, the confidential data in my Couchbase buckets will not be accessible to unauthorised users.
The steps provided here are useful as guidance for the Couchbase Server 7.0 Beta. The documented and supported steps to implement LUKS may change at Couchbase Server 7.0 General Availability (GA) time. The steps should be used on a Couchbase Server Node before it is added to a cluster and data is loaded into the buckets. Please also note that these steps will erase anything that is currently residing on the target disk, so please use caution and ensure that you are writing to the correct device.
The first thing I will do is install the lvm and cryptsetup utilities.
sudo apt-get install lvm2 cryptsetup
Next I will configure the drive (/dev/sdb) and create a new primary partition to use LVM.
e   extended (container for logical partitions)
Created a new partition 1 of type 'Linux' and of size 1023 MiB.
Partition type (type L to list all types): 8e
Changed type of partition 'Linux' to 'Linux LVM'.
Device Boot Start End Sectors Size Id Type
The partition table has been altered.
Calling ioctl() to re-read partition table.
Next we will configure LVM to use /dev/sdb1 as a “Physical Volume”.
Physical volume "/dev/sdb1" successfully created
After that, we need to create a “Volume Group” in which the Physical Volume will reside. We will name this couchbase.
$ sudo vgcreate couchbase /dev/sdb1
Volume group "couchbase" successfully created
Next we will create a 500Mb Logical Volume named cbdata, in the couchbase Volume Group.
Now we will use the cryptsetup utility to encrypt the cbdata Logical Volume.
$ sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/couchbase/cbdata
This will overwrite data on /dev/couchbase/cbdata irrevocably.
Are you sure? (Type uppercase yes): YES
The next step is to unlock the encrypted cbdata Logical Volume and make this accessible as a device named cbdata-luks.
$ sudo cryptsetup luksOpen /dev/couchbase/cbdata cbdata-luks
Enter passphrase for /dev/couchbase/cbdata:
Now we will write a filesystem on top of the cbdata-luks device.
Creating filesystem with 509952 1k blocks and 127512 inodes
Superblock backups stored on blocks:
Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
Now we will create a directory at /couchbase-data, which will be used as the Couchbase Data Directory, and mount the filesystem there.
Now we have a LUKS encrypted storage device mounted at /couchbase-data which can be used as the target for the Couchbase Server Data Directory.
You can verify this with the mount and cryptsetup commands.
/dev/mapper/cbdata-luks on /couchbase-data type ext4 (rw,relatime,data=ordered)
$ sudo cryptsetup status /dev/mapper/cbdata-luks
/dev/mapper/cbdata-luks is active and is in use.
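The steps above collected into one script, as an added example that is not part of the original post or of Couchbase's documentation. It assumes /dev/sdb1 already exists as the LVM partition; the pvcreate, lvcreate, mkfs.ext4, mkdir and mount commands are assumed from the output the post shows, and the function names and the `APPLY` and `MOUNTS` variables are hypothetical. It goes slightly beyond the text by refusing to run when the target is already mounted and by turning the final verification into a check.

```sh
#!/bin/sh
# Added example, not Couchbase's script. Assumes /dev/sdb1 already exists as the
# 'Linux LVM' partition from the fdisk step. pvcreate, lvcreate, mkfs.ext4, mkdir
# and mount are assumed from the output the post shows.
PART=${PART:-/dev/sdb1}
VG=couchbase LV=cbdata MAPPER=cbdata-luks MNT=/couchbase-data
MOUNTS=${MOUNTS:-/proc/mounts}   # overridable so the checks can run on a sample file

# Succeed only if neither the partition nor the mount point is currently mounted.
target_is_free() {
    [ -r "$MOUNTS" ] || return 1
    ! awk -v d="$PART" -v m="$MNT" '$1 == d || $2 == m { hit = 1 } END { exit !hit }' "$MOUNTS"
}

# Run one command under sudo, or only print it unless APPLY=1 (dry run by default).
step() {
    if [ "${APPLY:-0}" = 1 ]; then sudo "$@"; else echo "sudo $*"; fi
}

# The post's sequence: physical volume, volume group, logical volume, LUKS, ext4, mount.
setup_encrypted_volume() {
    target_is_free || { echo "refusing: $PART or $MNT is already mounted" >&2; return 1; }
    step pvcreate "$PART" &&
    step vgcreate "$VG" "$PART" &&
    step lvcreate -L 500M -n "$LV" "$VG" &&
    step cryptsetup --verbose --verify-passphrase luksFormat "/dev/$VG/$LV" &&
    step cryptsetup luksOpen "/dev/$VG/$LV" "$MAPPER" &&
    step mkfs.ext4 "/dev/mapper/$MAPPER" &&
    step mkdir -p "$MNT" &&
    step mount "/dev/mapper/$MAPPER" "$MNT"
}

# Verification: the last mount on $MNT must be the mapper device, and the text of
# `cryptsetup status` (passed as $1) must report it active with a LUKS type.
data_dir_is_encrypted() {
    awk -v s="/dev/mapper/$MAPPER" -v m="$MNT" \
        '$2 == m { src = $1 } END { exit !(src == s) }' "$MOUNTS" || return 1
    printf '%s\n' "$1" | grep -q "^/dev/mapper/$MAPPER is active" || return 1
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*type:[[:space:]]+LUKS'
}

# Dry run:  sh luks-data-dir.sh run           (prints the commands)
# Apply:    APPLY=1 sh luks-data-dir.sh run   (erases whatever is on $PART)
if [ "${1:-}" = run ]; then setup_encrypted_volume; fi
```

After a real run, the check can be called as `data_dir_is_encrypted "$(sudo cryptsetup status /dev/mapper/cbdata-luks)"`.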
Give Couchbase Server 7.0 Beta a try today, and use some of our new security features.
Availability and Duration of Beta
Get the Beta of Community Edition and Enterprise Edition
Couchbase 7 Beta is available for both Enterprise and Community Editions. Everyone can download the software from https://www.couchbase.com/downloads
Customer support is available via your regular support channels, while Community support is available through the Couchbase forums at https://forums.couchbase.com/