Background

In my previous entry, I discussed how I used iSCSI to make a hard drive that I have hosted at a friend's home available as a normal hard drive on my machine. In this article, I'm going to discuss how I used dm-crypt and LUKS to encrypt that remote hard drive, so that its contents stay confidential even though the disk itself sits in someone else's home.

I used the following web sites as references:

Setup

First of all, I needed to install support for encrypted volumes, which is handled by the cryptsetup package in Debian.

> sudo aptitude install cryptsetup

Now, my iSCSI-attached drive is known on my system as /dev/sdc. I need to create a partition to use. Using fdisk, I created a single partition that uses the entire disk. This becomes known as /dev/sdc1.

Next, I need to put a filesystem on the partition. Since I'm going to use encryption rather than a plain ext3 filesystem, I don't run mkfs yet; the first step is cryptsetup, which initialises the partition as a LUKS container.

> sudo cryptsetup luksFormat /dev/sdc1

Enter a passphrase at the prompt. I advise you not to forget the passphrase, or else you'll never be able to get at your data.

Now that we have an encrypted volume, we need to make it available via dm-crypt.

> sudo cryptsetup luksOpen /dev/sdc1 sdc1_crypt
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

In this command, we tell cryptsetup to use LUKS to open /dev/sdc1 and name it sdc1_crypt. This name is the Device-Mapper name. If you look in /dev/mapper/, you should see something like this:

> ls -l /dev/mapper/
total 0
crw-rw---- 1 root root  10, 63 2009-02-01 13:45 control
brw-rw---- 1 root disk 253,  0 2009-02-01 13:49 sdc1_crypt

/dev/mapper/sdc1_crypt is now our device that we'll use. We'll need a filesystem on it, as normal:

> sudo mkfs.ext3 /dev/mapper/sdc1_crypt

Now we have a normal block device that can be mounted, read, written and unmounted as normal.

As we will be using this drive for unattended backups, we need to create a key file that can be used in place of the passphrase.

> sudo cryptsetup luksClose /dev/mapper/sdc1_crypt
> sudo dd if=/dev/urandom of=/etc/keys/sdc1.luks bs=1k count=1
> sudo cryptsetup luksAddKey /dev/sdc1 /etc/keys/sdc1.luks

In step 1, I close the device. This isn't strictly necessary, but the Usage section below starts from a closed device, so I do the same here. Step 2 creates a key file of random bytes, and in step 3 we add that key file to the list of valid keys for our encrypted drive, alongside the passphrase from the luksFormat step.

That's it. We're all set up. You could remove the passphrase key, but if you do so, make sure you back up the key file somewhere safe; otherwise you won't be able to recover the data from your offsite backup if you ever need to rebuild your entire system.

Usage

To use the encrypted drive, it's just a matter of opening the device, mounting it, using it as normal, then unmounting and closing.

> sudo cryptsetup luksOpen /dev/sdc1 sdc1_crypt --key-file=/etc/keys/sdc1.luks
> sudo mount /dev/mapper/sdc1_crypt /mnt
> $do_backup
> sudo umount /mnt
> sudo cryptsetup luksClose /dev/mapper/sdc1_crypt

That's all. Pretty simple, really.
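The open, mount, back up, unmount, close sequence above works fine typed by hand, but for an unattended job the thing that matters is that the volume always gets closed again even when the backup command fails. The script below is an added example, not from the original post: it wraps that sequence in a function, refuses to run if the key file is readable by anyone but its owner or if the mapper device is already open, and uses an EXIT trap so the volume is unmounted and closed whatever happens. It assumes the same names as the post (/dev/sdc1, /etc/keys/sdc1.luks, /mnt); the backup command itself, the post's `$do_backup`, is passed in as the remaining arguments.

```shell
#!/bin/sh
# Unattended backup wrapper for a LUKS volume unlocked with a key file.
# Added example; device and key file paths mirror the post and are assumptions.
set -u

# Derive the device-mapper name from the partition path: /dev/sdc1 -> sdc1_crypt
mapper_name_for() {
    printf '%s_crypt\n' "${1##*/}"
}

# The key file stands in for the passphrase, so anyone who can read it can
# unlock the disk. Returns 0 only if the mode is exactly 0600 or 0400.
keyfile_is_private() {
    perm=$(ls -ld "$1" 2>/dev/null | cut -c2-10)
    [ "$perm" = "rw-------" ] || [ "$perm" = "r--------" ]
}

# Usage: backup_to_luks PARTITION KEYFILE MOUNTPOINT BACKUP_CMD [ARGS...]
# Returns the backup command's exit status; the volume is closed regardless.
backup_to_luks() {
    part=$1 keyfile=$2 mnt=$3
    shift 3
    name=$(mapper_name_for "$part")

    keyfile_is_private "$keyfile" || {
        echo "refusing: $keyfile is readable by others" >&2; return 2; }
    if [ -e "/dev/mapper/$name" ]; then
        echo "refusing: $name is already open" >&2; return 2
    fi

    cryptsetup luksOpen "$part" "$name" --key-file="$keyfile" || return 1
    # From here on the volume must be closed even if something below fails.
    trap 'umount "$mnt" 2>/dev/null; cryptsetup luksClose "$name"' EXIT
    mount "/dev/mapper/$name" "$mnt" || return 1

    if "$@"; then status=0; else status=$?; fi   # the actual backup command

    # Normal teardown; if it succeeds, the trap has nothing left to do.
    umount "$mnt" && cryptsetup luksClose "$name" && trap - EXIT
    return $status
}

# Example invocation (needs root and the real devices):
#   backup_to_luks /dev/sdc1 /etc/keys/sdc1.luks /mnt rsync -a /home /mnt/
```

Create the key file with `umask 077` in effect (or `chmod 600` it afterwards) so that `keyfile_is_private` accepts it.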