GitList
Raw Blame History

layout: post title: "Encrypted remote backup with rsync and dm-crypt: Part 2/2" date: 2013-06-16 14:59 comments: true categories: [server, paranoid, shell] cover: /images/cover/avatar.png keywords: backup, ssh, encrypt, encryption, dm-crypt, luks, dm, linux, security description: Encrypt data safely with dm-crypt

publish: true

So, we have secure remote incremental backup solution here. What about data saved on our backup media (server)? I use dm-crypt -- the standard device-mapper encryption functionality provided by the Linux kernel. I've encrypted my backup partition with an image from my gallery located on my work machine (passphrases could be weak). Learn more about encrypting partitions with a key here. What I need to do before every backup process is to open the encrypted partition. Obviously, after the backup process I close it.

Create encrypted partition

First modprobe kernel module: modprobe dm_mod. We need to create encrypted partition for our sensitive data. Assuming we already have a spare partition you can simply run the command:

cryptsetup -c aes-xts-plain -s 512 luksFormat <volume_to_encrypt> <secret_keyfile>

What does it mean?

  • -c switch: cipher
  • -s switch: key-size in bits
  • volumetoencrypt: for example /dev/sda9
  • secret_keyfile: path to the keyfile

Mount encrypted partition

Now, here's my solution how to do this: {% codeblock open and mount an encrypted partition lang:bash %}{% raw %} scp user-with-sufficient-rights@remote-machine: && ssh user-with-sufficient-rights@remote-machine "cryptsetup luksOpen -d && shred -u -z -n 26 && mkfs.ext4 /dev/mapper/ && mount /mnt/somewhere && echo OK" {% endraw %}{% endcodeblock %}

What does this bloody script mean?

  1. copy the secret key file to user's home directory. I prefer well-known images which you can find easily on the Internet. If you lose your key file, you won't be able to decrypt your encrypted partition.
  2. run script over SSH (using an pubkey for verification)
  3. assuming the remote user is properly configured in sudoers file to run cryptsetup; open an encrypted device /dev/<path-to-encrypted-partition> (for example /dev/sda9) and call it for example "nomoresecrets" (name-of-open-partition). Use copied keyfile as a key.
  4. right after opening the encrypted device be sure to remove the secret keyfile (shred command).
  5. if opening the partition for the first time, you need to format it. Of course, you can choose another filesystem.
  6. mount "nomoresecrets" device. This step require adding a similar line to /etc/fstab: /dev/mapper/<name-of-open-partition> /mnt/somewhere ext4 rw,relatime,data=ordered,barrier=0,user,exec,suid,dev,noauto 0 0

All right, now we can access the encrypted partition, read & write data, whatever.

To sum up, there are two different paths to the encrypted devices. First, e.g. /dev/sda9 (path-to-encrypted-partition) is used only for "luksOpen" operation. Opened device is located in /dev/mapper/ directory. This path is in the script above used for mount, umount and mkfs.

Unmount encrypted partition

Just run these commands on remote machine:

{% codeblock unmount and close encrypted partition %} ssh user-with-sufficient-rights@remote-machine "umount /mnt/somewhere && cryptsetup luksClose /dev/mapper/ && echo OK"

{% endcodeblock %}

Simple, isn't it?