Hardening Debian - Partitioning Scheme

Here are the list of identified threats related to partitioning scheme.

When the operating system enters a situation where it must be freshly reinstalled, all user-specific data and system configurations can be completely wiped out together with the operating system.

When a data disk is detached from the system and lost it, the retriever can access to the data at rest by connecting the lost disk to an external connector. Hence, this permits data extractions from the said detached physical disks.

While being limited by various physical disk space itself, one can bloats the total storage easily. Example, say there are 2 TB of disk storage available by 2 1TB disks, one needs to split the data into 2 1TB partition.

When physical disks are used heavily, they can go fatigue and failed immediately, resulting in a complete loss of data stored inside the disk of a production system, on the run, without shutting the production system down.

When the entire server is loss due to unpredictable colossal damages like Act of God, all data inside the entire production system are now deemed permanently lost. Hence, there is no way to recover those data.

Hence, to mitigate all the problems above, there are some solutions mentioned below.

This way:

1. RAID scheme such as RAID1 ensures the data are stored safely and redundantly across multiple disks known as "disk clusters", protecting against T-05 threat when the production system is running.
2. Optionally, having LVM on top of RAID allows multiple disk clusters under a single Debian operating system.
3. For each disk clusters, it must be encrypted using LUKS with correct partition scheme like AES-XTS 256-bits and above encryption. This is called the "encrypted partition". This provides a protection mechanism against T-03 threat when done correctly.
4. Inside each encrypted partitions, there is a LVM to manage the disk space in a flexible manner called "logical volume". This provides a mechanism against T-04 threat.
5. The logical volume is the one being used by users or the operating system, which can be formatted to the desired filesystem format such as EXT4.