
Encrypting Log Data During Log Rotation

Submitted by on April 9, 2019 – 4:12 pm

Most log files do not contain personally-identifiable information or other sensitive data. And even if they do, encryption of all personal data is not mandatory under GDPR. Still, on occasion, for testing and troubleshooting purposes you may want to log potentially sensitive information. It would be a very good idea not to let these logs get away from you.

You can certainly run the encryption process separately from log rotation via cron or some such, but that would be an extra step with extra problems. You can instead have logrotate handle the encryption itself: you tell logrotate to use gpg in place of the usual gzip as its compression command.

Here’s an example of my /etc/logrotate.d/squid:


Older kernels warning

Systems with a logrotate version prior to 3.8 have an issue with compressoptions not accepting spaces. There is a simple workaround, though: create a script that contains the command (such as gpg) and all of its options, and put it in /usr/bin/gpg-logrotate (don't forget to make it executable, obviously):

However, since log rotation runs via cron, you would either need to source root's profile (along with the GPG keys), or temporarily extract the relevant GPG key ID to be used for encryption. From a security standpoint, the latter is safer. Here's what your gpg-logrotate script may look like in this case:

And then the logrotate config file from the example above would look like this:
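As an added example (not the post's own script or config), the following shows what such a wrapper and the matching logrotate stanza could look like: the key ID is picked out of gpg's machine-readable key listing at run time, so no root profile needs to be sourced, and all gpg options live inside the wrapper so the pre-3.8 compressoptions limitation does not matter. The path /usr/bin/gpg-logrotate is from the post; the recipient address logs@example.invalid is a placeholder.

```shell
#!/bin/sh
# Example wrapper for logrotate's compresscmd (added here; not the post's own).
# logrotate runs "compresscmd compressoptions" with the rotated log on stdin and
# expects the output on stdout, then appends compressext to the file name.
# Assumption (placeholder): the recipient's public key is in root's keyring and
# its user ID contains this address.
RECIPIENT_UID='logs@example.invalid'

# Read "gpg --with-colons --list-keys" records from stdin and print the key ID
# (field 5 of the pub record) of the first key whose uid record contains $1.
select_key_id() {
    awk -F: -v want="$1" '
        $1 == "pub" { keyid = $5 }
        $1 == "uid" && keyid != "" && index($10, want) > 0 { print keyid; exit }
    '
}

# Encrypt stdin to stdout for key ID $1; --batch because cron has no tty.
encrypt_stream() {
    gpg --batch --yes --quiet --trust-model always --recipient "$1" --encrypt
}

# logrotate stanza that uses the wrapper; $1 is the log file path.
# compressoptions is deliberately left unset: the wrapper ignores whatever
# logrotate passes (its default is gzip's compression-level flag).
logrotate_stanza() {
    cat <<EOF
$1 {
    daily
    rotate 14
    missingok
    notifempty
    compress
    compresscmd /usr/bin/gpg-logrotate
    compressext .gpg
}
EOF
}

main() {
    keyid=$(gpg --batch --with-colons --list-keys | select_key_id "$RECIPIENT_UID")
    if [ -z "$keyid" ]; then
        echo "gpg-logrotate: no public key for $RECIPIENT_UID" >&2
        exit 1
    fi
    encrypt_stream "$keyid"
}

# Only act as the wrapper when installed under that name; sourcing the file
# elsewhere just defines the functions.
case "$0" in */gpg-logrotate|gpg-logrotate) main "$@" ;; esac
```

Because the private key is not on the server, the rotated .gpg files can only be read after copying them to the machine that holds it.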


Following log rotation, you should see something like this in the log destination:

Log rotation frequency

By default, the log rotation process runs once a day. This is fine if you specified daily or weekly in your config. If you want to run the process hourly, you would need to copy /etc/cron.daily/logrotate into the /etc/cron.hourly/ directory. Naturally, in your logrotate config file you would also need to specify hourly along with the desired retention period.


And, I guess, a couple of words on how to set up gpg and keys. If you have an existing key, copy the public portion of it to your server and add it to the keyring:

You can then list all the keys on your server:

If you don’t already have a key, you should create a passphrase-protected key. It is also a good idea not to keep the private half of the key on the server.

Generating new key

In the following example we create a new passphrase-protected non-expiring private key.

You should now see the key you just created:


As I mentioned, you shouldn’t be keeping your private key on the server. Generate the key on a less-exposed machine, extract the public key, and import it on your server. Here’s an example:
