codeblog code is freedom — patching my itch

7/29/2006

encrypted network filesystems

Filed under: Networking,Security — kees @ 11:59 am

I run a machine in a colo across the country from me, and I wanted to have some backups closer to the machine. So I signed up for a NAS login with my provider. Since I didn’t want to leave all my files sitting on their disks in the clear, I built up an encrypted volume over the network. It’s not fast, but it works.

Here were the setup steps:

  1. mkdir -p /mnt/nas-raw /mnt/backups
  2. smbmount //backup.server.at.my.isp/mount.source.path /mnt/nas-raw -o username=myaccount,password=mypassword
  3. modprobe loop && sleep 2
  4. dd if=/dev/zero of=/mnt/nas-raw/volume bs=32k
  5. losetup /dev/loop0 /mnt/nas-raw/volume
  6. cryptsetup create crypt-backups /dev/loop0 –cipher=aes-cbc-essiv:sha256
  7. Type volume pass-phrase
  8. mkfs.ext3 /dev/mapper/crypt-backups
  9. mount /dev/mapper/crypt-backups /mnt/backups

To unmount it:

  1. umount /mnt/backups
  2. cryptsetup remove crypt-backups
  3. losetup -d /dev/loop0
  4. umount /mnt/nas-raw

And then to remount it later:

  1. smbmount //backup.server.at.my.isp/mount.source.path /mnt/nas-raw -o username=myaccount,password=mypassword
  2. modprobe loop && sleep 2
  3. losetup /dev/loop0 /mnt/nas-raw/volume
  4. cryptsetup create crypt-backups /dev/loop0 –cipher=aes-cbc–essiv:sha256
  5. Type volume pass-phrase
  6. mount /dev/mapper/crypt-backups /mnt/backups

By scripting the “remount” steps, I can actually echo the volume password into an ssh connection:

echo ‘my volume pass-phrase here’ | ~/bin/do-crypto-mount
ssh root@colo.machine.isp “/etc/dirvish/dirvish-cronjob && df -h /mnt/backups”
~/bin/do-crypto-umount

Very handy!

Update: I added the --cipher option to include the essiv type, which should be used.

© 2006 – 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

2 Comments »

  1. Note to self:

    It’s much faster (especially on a NAS) to allocate the loopback volume using “truncate” instead of a full “dd”. A sparse file can be created and the loop device will still do the right thing. This command will make a 10G file named “volume”:

    perl -e ‘open(FILE,”>$ARGV[0]”); seek(FILE,$ARGV[1],0); truncate(FILE,$ARGV[1]);’ \
    volume $(( 10 * 1024 * 1024 * 1024 ))

    Comment by kees — 12/25/2006 @ 9:57 am

  2. Note to self: dd can do sparse files too:

    dd if=/dev/null of=test bs=1 seek=1G

    Comment by kees — 4/22/2009 @ 8:30 am

Leave a Reply

Your email address will not be published. Required fields are marked *

Powered by WordPress