Encrypting all your logs in 2 easy steps, using logrotate and Peacemakr

Daniel Huang
Dec 3, 2019

Peacemakr was founded on the core principle that everyone can correctly and easily protect their data with cryptography. Today we will focus on a problem vexing system admins, security practitioners and auditors:

How do we protect sensitive files or backups that are stored on third party storage services such as AWS S3, Box, or Dropbox?

Across various industries and countries, strict data privacy laws and regulations require companies to encrypt sensitive files, like logs. One common way to store log files is to leverage third party storage. However, trusting and relying on the storage provider for security can be risky or result in cloud-provider lock-in. Next, let’s talk about the threat models and challenges we may encounter.

Threat Models

A threat model identifies all the risks in our environment: it answers the question “secure against who or what?” We’ll cover threat modeling in a future blog post. In the context of this post, third party risk takes into account the risks to our data when adopting a third party storage service. Let’s look at some of the things we might see as we work to secure our customers’ log data.

Server Side Encryption:

Vendors will often offer disk or volume encryption, often implemented with a common key shared across customers. This means that the storage medium is encrypted, not the files. When the disk is powered down, the data is protected; this is data protection at rest. Once the disk is online, however, the data is exposed to the running system. In addition, many storage services use a major cloud provider for the underlying infrastructure. This means you also have to trust your service provider’s service providers, especially if the third party has access to your encryption keys, as it does with cloud KMS solutions.

Cloud Provider Encryption/Key management system:

This approach is more complex than the first but gives us more control and reduces the risk of multiple organizations having access to the decryption keys. What are some things to watch out for?

  • Increased complexity, since we have to manage both the storage and the encryption system. And remember, errors increase in cost with complexity. In fact, human errors are the most significant threat to sensitive data according to the study.
  • Provider lock in. It will be difficult to move to another provider since many of the functions are deliberately not cross platform compatible.

The cloud provider has access to our decryption keys so if our threat model includes the provider as a potential threat, this does not meet our security goal.

Use case: Integrate Peacemakr CLI with Logrotate

Now let’s see how Peacemakr can encrypt log files automatically, against an even stronger threat model than any of the approaches mentioned above.

The peacemakr-cli runs on your system, allowing you to easily encrypt & decrypt your files on demand, using keys you own, on the storage provider of your choice.

To see how easy it is to use the peacemakr-cli to encrypt/decrypt files, we will walk through the process of encrypting and decrypting log files with logrotate on Ubuntu (16.04).

Set up

This tutorial depends on two pieces of software: logrotate and peacemakr-cli. Logrotate should already be on your Ubuntu system, if you’re rotating logs.

Before jumping right into the CLI, make sure you sign up (https://peacemakr.io) and can get your api-key from https://admin.peacemakr.io/ (as shown below).

Once you have everything set up, you are ready to install peacemakr-cli. There are two steps to get the peacemakr-cli working:

  1. Install CoreCrypto library: Simply follow the instructions on the GitHub page: https://github.com/peacemakr-io/peacemakr-core-crypto.

wget https://github.com/peacemakr-io/peacemakr-core-crypto/releases/download/v0.1.0/libpeacemakr-core-crypto.so -O /usr/lib/libpeacemakr-core-crypto.so

  2. Install peacemakr-cli: Simply download the binary from the release and make it executable.

wget https://github.com/peacemakr-io/peacemakr-cli/releases/download/v0.1.0/peacemakr-cli -O /usr/local/bin/peacemakr-cli
chmod 111 /usr/local/bin/peacemakr-cli

And finally, configure your api-key from the peacemakr admin portal:

export PEACEMAKR_APIKEY=your-api-key

Once you have the binary installed, you can verify that peacemakr-cli is working correctly by encrypting and then decrypting a simple string. Try running these commands to verify everything works:

echo "hello world" | peacemakr-cli --action=encrypt | peacemakr-cli --action=decrypt
# expected output: hello world

Peacemakr-cli supports the following flags:

  • -action: (default is encrypt) Specifies the action to take, can be either encrypt or decrypt.
  • -config: Specifies a configuration file path.
  • -inputFileName: Absolute path to the input file. If not specified, the program reads from stdin.
  • -outputFileName: Absolute path to target file. If not specified, the program writes to stdout.

Encrypt logs with logrotate and peacemakr-cli

Now you have everything set up and ready to encrypt your logs. For the purposes of this tutorial, we will create a dummy log called test.log and place it in /var/log.

sudo touch /var/log/test.log
sudo sh -c 'echo hello world > /var/log/test.log'
cat /var/log/test.log
# expected output: hello world

To start rotating the newly added log, we need to modify the configuration file /etc/logrotate.conf.

# ...[default conf above]...
/var/log/test.log {
    monthly
    create 0664 root utmp
    rotate 2
    compress
    lastaction
        cat "$1.1.gz" | peacemakr-cli --action=encrypt > "$1.1.gz.peace"
        rm "$1.1.gz"
    endscript
}

The above configuration will do the following:

  • Rotate the test.log every month
  • Replace the rotated file with a new log file with root ownership and utmp group
  • Keep the last two rotated files
  • Compress the rotated file
  • Encrypt the compressed file using peacemakr-cli
  • Remove the cleartext compressed file

To test the configuration immediately, you can run the command:

sudo logrotate --force /etc/logrotate.conf

Once logrotate finishes processing, you should see the rotated encrypted compressed log in “/var/log/test.1.gz.peace”
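The lastaction script above runs rm whether or not the encrypt step succeeded, so a missing API key or an unreachable service would leave an empty .peace file and no cleartext copy. The script below is an added example, not part of the original post or of Peacemakr's tooling: it keeps the cleartext archive unless the ciphertext was written and decrypts back to the same bytes. The function name, the exit codes and the PEACEMAKR_CLI override variable are assumptions made for this example; only the --action flags and the stdin/stdout behaviour come from the page.

```shell
#!/bin/sh
# Added example: encrypt a rotated archive and delete the cleartext only after
# the ciphertext has been written and decrypts back to the original bytes.
# PEACEMAKR_CLI is a hypothetical override (not a peacemakr-cli setting) so a
# stand-in binary can be used for testing.
PEACEMAKR_CLI="${PEACEMAKR_CLI:-peacemakr-cli}"

encrypt_then_remove() {
    src="$1"
    dst="$src.peace"
    tmp="$dst.tmp.$$"

    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }

    # Write to a temporary name so a partial file never looks like a finished one.
    if ! "$PEACEMAKR_CLI" --action=encrypt < "$src" > "$tmp"; then
        rm -f "$tmp"
        echo "encrypt failed, keeping $src" >&2
        return 2
    fi

    # An empty result means nothing was encrypted, even if the exit status was 0.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "empty ciphertext, keeping $src" >&2
        return 3
    fi

    # Round trip: the ciphertext must decrypt to exactly the original bytes.
    if ! "$PEACEMAKR_CLI" --action=decrypt < "$tmp" | cmp -s - "$src"; then
        rm -f "$tmp"
        echo "round-trip mismatch, keeping $src" >&2
        return 4
    fi

    # Publish the ciphertext under its final name, then drop the cleartext.
    mv -f "$tmp" "$dst" && rm -f "$src"
}

# When run as a script (for example from lastaction), handle the path in $1.
if [ "$#" -gt 0 ]; then
    encrypt_then_remove "$1"
fi
```

Saved as an executable script, it replaces the two lines inside lastaction with a single call that passes "$1.1.gz" as its argument.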

Decrypting the log

Decrypting the logs is easy. We simply run peacemakr-cli with the decrypt action. Suppose we want to decrypt the file from the last section and decompress the log:

# decrypt using the peacemakr-cli
cat /var/log/test.1.gz.peace | peacemakr-cli --action=decrypt > decrypted.test.1.gz
# decompress the .gz file to decrypted.test.1
gzip -d decrypted.test.1.gz
cat decrypted.test.1
# expected output: hello world

That’s it. With just a few modifications, you can encrypt your own log files with peacemakr-cli and decrypt them on-demand.

Peacemakr Security Features

You just got all of your log files secured using the peacemakr-cli. But, what keys did it use? How does Peacemakr secure those keys?

The peacemakr-cli has a robust key lifecycle management system under the hood. Unlike with the key management you can get from a cloud provider, managing the keys is effortless, and all the keys can be derived on-premise without Peacemakr’s SaaS ever being exposed to key material in the clear. Even if the keys are compromised, we can easily rotate them through the web console (as shown below), to provide forward secrecy. This means all future encryptions will use fresh keys. Otherwise, they will automatically rotate by default once a year.

Cryptoagility, the ability to switch between different crypto algorithms without releasing new software, is also available when you rotate onto new keys, so users can ditch compromised crypto algorithms.

Finally, a cryptosystem where the easy thing and the right thing are the same thing.
