| 143 | 143 | new file mode 100644 | 
                    
                | ... | ... | @@ -0,0 +1,91 @@ | 
                    
                |  | 0 | +--- | 
                    
                |  | 1 | +layout: post | 
                    
                |  | 2 | +title: "Encrypted remote backup with rsync and dm-crypt: Part 2/2" | 
                    
                |  | 3 | +date: 2013-06-16 14:59 | 
                    
                |  | 4 | +comments: true | 
                    
                |  | 5 | +categories: [server, paranoid, shell] | 
                    
                |  | 6 | +cover: /images/cover/avatar.png | 
                    
                |  | 7 | +keywords: backup, ssh, encrypt, encryption, dm-crypt, luks, dm, linux, security | 
                    
                |  | 8 | +description: Encrypt data safely with dm-crypt | 
                    
                |  | 9 | +publish: true | 
                    
                |  | 10 | +--- | 
                    
                |  | 11 | + | 
                    
                |  | 12 | +So, we have secure remote incremental backup solution | 
                    
                |  | 13 | +[here](http://blog.cinan.sk/2013/02/20/encrypted-remote-backup-with-rsync-and-dm-crypt-part-1-slash-2/). What about data | 
                    
                |  | 14 | +saved on our backup media (server)? I use dm-crypt -- the standard device-mapper | 
                    
                |  | 15 | +encryption functionality provided by the Linux kernel. I've encrypted my backup | 
                    
                |  | 16 | +partition with an image from my gallery located on my work machine | 
                    
                |  | 17 | +(passphrases could be weak). Learn more about encrypting partitions with a key | 
                    
                |  | 18 | +[here](https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS#Storing_the_Key_File). | 
                    
                |  | 19 | +What I need to do before every backup process is to open the encrypted | 
                    
                |  | 20 | +partition. Obviously, after the backup process I close it. | 
                    
                |  | 21 | + | 
                    
                |  | 22 | +# Create encrypted partition | 
                    
                |  | 23 | + | 
                    
                |  | 24 | +First modprobe kernel module: ```modprobe dm_mod```. | 
                    
                |  | 25 | +We need to create encrypted partition for our sensitive data. Assuming we | 
                    
                |  | 26 | +already have a spare partition you can simply run the command: | 
                    
                |  | 27 | + | 
                    
                |  | 28 | +```cryptsetup -c aes-xts-plain -s 512 luksFormat <volume_to_encrypt> | 
                    
                |  | 29 | +<secret_keyfile>``` | 
                    
                |  | 30 | + | 
                    
                |  | 31 | +What does it mean? | 
                    
                |  | 32 | + | 
                    
                |  | 33 | +- -c switch: cipher | 
                    
                |  | 34 | +- -s switch: key-size in bits | 
                    
                |  | 35 | +- volume_to_encrypt: for example ```/dev/sda9``` | 
                    
                |  | 36 | +- secret_keyfile: path to the keyfile | 
                    
                |  | 37 | + | 
                    
                |  | 38 | +# Mount encrypted partition | 
                    
                |  | 39 | + | 
                    
                |  | 40 | +Now, here's my solution how to do this: | 
                    
                |  | 41 | +{% codeblock open and mount an encrypted partition lang:bash %}{% raw %} | 
                    
                |  | 42 | +scp <path-to-key-file-eg-some-image-or-song-or-something-else> | 
                    
                |  | 43 | +user-with-sufficient-rights@remote-machine:  | 
                    
                |  | 44 | +&& ssh user-with-sufficient-rights@remote-machine  | 
                    
                |  | 45 | +"cryptsetup luksOpen <path-to-encrypted-partition> <name-of-open-partition> | 
                    
                |  | 46 | +-d <path-to-key-file>  | 
                    
                |  | 47 | +&& shred -u -z -n 26 <path-to-key-file>  | 
                    
                |  | 48 | +&& mkfs.ext4 /dev/mapper/<name-of-open-partition> | 
                    
                |  | 49 | +&& mount /mnt/somewhere  | 
                    
                |  | 50 | +&& echo OK" | 
                    
                |  | 51 | +{% endraw %}{% endcodeblock %} | 
                    
                |  | 52 | + | 
                    
                |  | 53 | +What does this bloody script mean? | 
                    
                |  | 54 | + | 
                    
                |  | 55 | +1. copy the secret key file to user's home directory. I prefer well-known images | 
                    
                |  | 56 | +   which you can find easily on the Internet. If you lose your key file, you | 
                    
                |  | 57 | +   won't be able to decrypt your encrypted partition. | 
                    
                |  | 58 | +2. run script over SSH (using an pubkey for verification) | 
                    
                |  | 59 | +3. assuming the remote user is properly configured in sudoers file to run | 
                    
                |  | 60 | +   cryptsetup; open an encrypted device | 
                    
                |  | 61 | +   ```/dev/<path-to-encrypted-partition>``` (for example ```/dev/sda9```) and call it  | 
                    
                |  | 62 | +   for example "no_more_secrets" (```name-of-open-partition```). Use copied keyfile as a key. | 
                    
                |  | 63 | +4. right after opening the encrypted device be [sure](http://www.cyberciti.biz/tips/linux-how-to-delete-file-securely.html) | 
                    
                |  | 64 | +   to remove the secret keyfile (```shred``` command). | 
                    
                |  | 65 | +5. if opening the partition for the first time, you need to format it. Of course, you can choose | 
                    
                |  | 66 | +   another filesystem. | 
                    
                |  | 67 | +6. mount "no_more_secrets" device. This step require adding a similar line to | 
                    
                |  | 68 | +    /etc/fstab: | 
                    
                |  | 69 | +    ```/dev/mapper/<name-of-open-partition>	/mnt/somewhere	ext4	rw,relatime,data=ordered,barrier=0,user,exec,suid,dev,noauto	0	0``` | 
                    
                |  | 70 | + | 
                    
                |  | 71 | +All right, now we can access the encrypted partition, read & write data, | 
                    
                |  | 72 | +whatever.  | 
                    
                |  | 73 | + | 
                    
                |  | 74 | +To sum up, there are two different paths to the encrypted devices. First, e.g. | 
                    
                |  | 75 | + ```/dev/sda9``` (path-to-encrypted-partition) is used only for "luksOpen" operation. | 
                    
                |  | 76 | +Opened device is located in ```/dev/mapper/``` directory. This path is in the | 
                    
                |  | 77 | +script above used for mount, umount and mkfs. | 
                    
                |  | 78 | + | 
                    
                |  | 79 | +# Unmount encrypted partition | 
                    
                |  | 80 | +Just run these commands on remote machine: | 
                    
                |  | 81 | + | 
                    
                |  | 82 | +{% codeblock unmount and close encrypted partition %} | 
                    
                |  | 83 | +ssh user-with-sufficient-rights@remote-machine  | 
                    
                |  | 84 | +"umount /mnt/somewhere  | 
                    
                |  | 85 | +&& cryptsetup luksClose /dev/mapper/<name-of-open-partition> | 
                    
                |  | 86 | +&& echo OK" | 
                    
                |  | 87 | + | 
                    
                |  | 88 | +{% endcodeblock %} | 
                    
                |  | 89 | + | 
                    
                |  | 90 | +Simple, isn't it? |
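Review bot: the open-and-mount chain in the `open and mount an encrypted partition` codeblock runs `mkfs.ext4 /dev/mapper/<name-of-open-partition>` unconditionally and chained with `&&`, so the second time this is run before a backup it reformats the volume and destroys the previous backup; step 5 of the explanation ("if opening the partition for the first time, you need to format it") contradicts the script as written. Move the `mkfs.ext4` into the one-time setup next to `luksFormat` (or guard it, e.g. `blkid /dev/mapper/<name-of-open-partition> || mkfs.ext4 /dev/mapper/<name-of-open-partition>`), leaving `luksOpen && mount` as the per-backup chain. Three more points in the same block: (1) copying the key with `scp` and then `shred -u -z -n 26` does not reliably destroy the copy on a journaled filesystem or on flash media (shred's own man page carries that caveat); pass the key over the SSH channel instead, `ssh user@remote-machine "cryptsetup luksOpen --key-file=- <path-to-encrypted-partition> <name-of-open-partition>" < <path-to-key-file>`, which never writes the key to the remote disk and removes the shred step entirely. (2) Step 3 says the remote user is "properly configured in sudoers", but `cryptsetup`, `mkfs.ext4` and `mount` are invoked without `sudo`, so they fail for a non-root login; either prefix them with `sudo` or state that the login is root. (3) Step 1 recommends a well-known image from the Internet as the key file; anyone who guesses the scheme has a small set of candidates to try, so a random key file (for example from `dd if=/dev/urandom of=<keyfile> bs=512 count=4`) kept only on the work machine is the stronger choice. Minor: `-c aes-xts-plain` uses a 32-bit sector IV and should be `aes-xts-plain64` so the IV cannot wrap on volumes over 2 TiB; the fstab line's `barrier=0` disables write barriers on a volume whose whole purpose is data safety, and `exec,suid,dev` grant more than a backup mount needs (`nosuid,nodev,noexec` is the usual choice); the second `{% codeblock %}` is missing the `lang:bash` the first one has.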