| e05afa7f |
---
layout: post
title: "Encrypted remote backup with rsync and dm-crypt: Part 2/2"
date: 2013-06-16 14:59
comments: true
categories: [server, paranoid, shell]
cover: /images/cover/avatar.png
keywords: backup, ssh, encrypt, encryption, dm-crypt, luks, dm, linux, security
description: Encrypt data safely with dm-crypt
publish: true
---
So, we have secure remote incremental backup solution
[here](http://blog.cinan.sk/2013/02/20/encrypted-remote-backup-with-rsync-and-dm-crypt-part-1-slash-2/). What about data
saved on our backup media (server)? I use dm-crypt -- the standard device-mapper
encryption functionality provided by the Linux kernel. I've encrypted my backup
partition with an image from my gallery located on my work machine
(passphrases could be weak). Learn more about encrypting partitions with a key
[here](https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS#Storing_the_Key_File).
What I need to do before every backup process is to open the encrypted
partition. Obviously, after the backup process I close it.
# Create encrypted partition
First modprobe kernel module: ```modprobe dm_mod```.
We need to create encrypted partition for our sensitive data. Assuming we
already have a spare partition you can simply run the command:
```cryptsetup -c aes-xts-plain -s 512 luksFormat <volume_to_encrypt>
<secret_keyfile>```
What does it mean?
- -c switch: cipher
- -s switch: key-size in bits
- volume_to_encrypt: for example ```/dev/sda9```
- secret_keyfile: path to the keyfile
# Mount encrypted partition
Now, here's my solution how to do this:
{% codeblock open and mount an encrypted partition lang:bash %}{% raw %}
scp <path-to-key-file-eg-some-image-or-song-or-something-else>
user-with-sufficient-rights@remote-machine:
&& ssh user-with-sufficient-rights@remote-machine
"cryptsetup luksOpen <path-to-encrypted-partition> <name-of-open-partition>
-d <path-to-key-file>
&& shred -u -z -n 26 <path-to-key-file>
&& mkfs.ext4 /dev/mapper/<name-of-open-partition>
&& mount /mnt/somewhere
&& echo OK"
{% endraw %}{% endcodeblock %}
What does this bloody script mean?
1. copy the secret key file to user's home directory. I prefer well-known images
which you can find easily on the Internet. If you lose your key file, you
won't be able to decrypt your encrypted partition.
2. run script over SSH (using an pubkey for verification)
3. assuming the remote user is properly configured in sudoers file to run
cryptsetup; open an encrypted device
```/dev/<path-to-encrypted-partition>``` (for example ```/dev/sda9```) and call it
for example "no_more_secrets" (```name-of-open-partition```). Use copied keyfile as a key.
4. right after opening the encrypted device be [sure](http://www.cyberciti.biz/tips/linux-how-to-delete-file-securely.html)
to remove the secret keyfile (```shred``` command).
5. if opening the partition for the first time, you need to format it. Of course, you can choose
another filesystem.
6. mount "no_more_secrets" device. This step require adding a similar line to
/etc/fstab:
```/dev/mapper/<name-of-open-partition> /mnt/somewhere ext4 rw,relatime,data=ordered,barrier=0,user,exec,suid,dev,noauto 0 0```
All right, now we can access the encrypted partition, read & write data,
whatever.
To sum up, there are two different paths to the encrypted devices. First, e.g.
```/dev/sda9``` (path-to-encrypted-partition) is used only for "luksOpen" operation.
Opened device is located in ```/dev/mapper/``` directory. This path is in the
script above used for mount, umount and mkfs.
# Unmount encrypted partition
Just run these commands on remote machine:
{% codeblock unmount and close encrypted partition %}
ssh user-with-sufficient-rights@remote-machine
"umount /mnt/somewhere
&& cryptsetup luksClose /dev/mapper/<name-of-open-partition>
&& echo OK"
{% endcodeblock %}
Simple, isn't it? |