--- layout: post title: "Encrypted remote backup with rsync and dm-crypt: Part 2/2" date: 2013-06-16 14:59 comments: true categories: [server, paranoid, shell] cover: /images/cover/avatar.png keywords: backup, ssh, encrypt, encryption, dm-crypt, luks, dm, linux, security description: Encrypt data safely with dm-crypt publish: true --- So, we have secure remote incremental backup solution [here](http://blog.cinan.sk/2013/02/20/encrypted-remote-backup-with-rsync-and-dm-crypt-part-1-slash-2/). What about data saved on our backup media (server)? I use dm-crypt -- the standard device-mapper encryption functionality provided by the Linux kernel. I've encrypted my backup partition with an image from my gallery located on my work machine (passphrases could be weak). Learn more about encrypting partitions with a key [here](https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS#Storing_the_Key_File). What I need to do before every backup process is to open the encrypted partition. Obviously, after the backup process I close it. # Create encrypted partition First modprobe kernel module: ```modprobe dm_mod```. We need to create encrypted partition for our sensitive data. Assuming we already have a spare partition you can simply run the command: ```cryptsetup -c aes-xts-plain -s 512 luksFormat <volume_to_encrypt> <secret_keyfile>``` What does it mean? - -c switch: cipher - -s switch: key-size in bits - volume_to_encrypt: for example ```/dev/sda9``` - secret_keyfile: path to the keyfile # Mount encrypted partition Now, here's my solution how to do this: {% codeblock open and mount an encrypted partition lang:bash %}{% raw %} scp <path-to-key-file-eg-some-image-or-song-or-something-else> user-with-sufficient-rights@remote-machine: && ssh user-with-sufficient-rights@remote-machine "cryptsetup luksOpen <path-to-encrypted-partition> <name-of-open-partition> -d <path-to-key-file> && shred -u -z -n 26 <path-to-key-file> && mkfs.ext4 /dev/mapper/<name-of-open-partition> && mount /mnt/somewhere && echo OK" {% endraw %}{% endcodeblock %} What does this bloody script mean? 1. copy the secret key file to user's home directory. I prefer well-known images which you can find easily on the Internet. If you lose your key file, you won't be able to decrypt your encrypted partition. 2. run script over SSH (using an pubkey for verification) 3. assuming the remote user is properly configured in sudoers file to run cryptsetup; open an encrypted device ```/dev/<path-to-encrypted-partition>``` (for example ```/dev/sda9```) and call it for example "no_more_secrets" (```name-of-open-partition```). Use copied keyfile as a key. 4. right after opening the encrypted device be [sure](http://www.cyberciti.biz/tips/linux-how-to-delete-file-securely.html) to remove the secret keyfile (```shred``` command). 5. if opening the partition for the first time, you need to format it. Of course, you can choose another filesystem. 6. mount "no_more_secrets" device. This step require adding a similar line to /etc/fstab: ```/dev/mapper/<name-of-open-partition> /mnt/somewhere ext4 rw,relatime,data=ordered,barrier=0,user,exec,suid,dev,noauto 0 0``` All right, now we can access the encrypted partition, read & write data, whatever. To sum up, there are two different paths to the encrypted devices. First, e.g. ```/dev/sda9``` (path-to-encrypted-partition) is used only for "luksOpen" operation. Opened device is located in ```/dev/mapper/``` directory. This path is in the script above used for mount, umount and mkfs. # Unmount encrypted partition Just run these commands on remote machine: {% codeblock unmount and close encrypted partition %} ssh user-with-sufficient-rights@remote-machine "umount /mnt/somewhere && cryptsetup luksClose /dev/mapper/<name-of-open-partition> && echo OK" {% endcodeblock %} Simple, isn't it?