While this article focuses on iSCSI volumes, it also applies to regular directly attached block devices. If you are unsure how to export and attach an iSCSI volume over the Internet, you can review the “Secure iSCSI setup via an SSH tunnel on Linux” article.
Locally encrypting a remote iSCSI volume with TrueCrypt has the following advantages:
- You don’t need to trust the administrators of the remote machine — they cannot see your files because you are using their storage in a locally encrypted format. Thus your private data is completely safe, as long as your encryption password/key is strong enough.
- You have the option to temporarily mount the exported iSCSI volume on the remote server, if you are the owner of the remote server and know the encryption password/key. This is handy if you want to make a local copy of a file from the backup volume without storing the encryption password on the remote server.
- TrueCrypt is cross-platform (Windows / Mac OS X / Linux), fast, free, and open-source.
Download and install TrueCrypt
You need to install TrueCrypt wherever you are going to use it — on the client machine and optionally on the server.
# Download the distribution file from the official page:
#   http://www.truecrypt.org/downloads
#   Linux -> Console-only (choose 32-bit or 64-bit depending on your local Linux installation)
tar -zxf truecrypt-7.1a-linux-console-x86.tar.gz   # 32-bit in this example
sudo ./truecrypt-7.1a-setup-console-x86
truecrypt --version
#>> TrueCrypt 7.1a
Encrypt an iSCSI volume with TrueCrypt
The instructions below assume that the iSCSI volume is attached under “/dev/sdb”. The output of the commands is quoted with “#>>”.
# Encrypt the iSCSI volume
sudo truecrypt -t --create /dev/sdb --volume-type=normal --encryption=AES --hash=RIPEMD-160 --filesystem=ext4 --quick -k ""

# Mount the *volume* (there is no file-system, yet)
sudo truecrypt --filesystem=none -k "" --protect-hidden=no /dev/sdb

# Check that a new "dm-0" device with the same size appeared
cat /proc/partitions
#>> major minor  #blocks  name
#>> ...
#>>   8       16   83886080 sdb
#>> 252        0   83885824 dm-0

# Double-check that this is a TrueCrypt volume
ls -la /dev/mapper/truecrypt1
#>> /dev/mapper/truecrypt1 -> ../dm-0

# Create a file-system.
# This takes about 30 min for an 80 GB volume @ 1 MBit Internet connection.
sudo mkfs.ext4 /dev/mapper/truecrypt1

# You can now mount and use /dev/mapper/truecrypt1 at any mount-point, as
# this is a regular block device with an ext4 file-system.
# Remember to unmount it when you are done.
sudo mount /dev/mapper/truecrypt1 /mnt
ls -la /mnt
sudo umount /mnt

# Unmount the encrypted *volume* (on the client it is attached as /dev/sdb).
# Make sure that you have ALREADY unmounted the file-system!
sync
sudo truecrypt -d /dev/sdb
Mount an encrypted iSCSI volume locally on the remote server
The output of the commands is quoted with “#>>”.
# The local block device is "/dev/xvdf"
cat /proc/partitions
#>> major minor  #blocks  name
#>> ...
#>> 202       80   83886080 xvdf

#
# MAKE SURE that no iSCSI clients are using the volume now
#

# Mount an encrypted volume (/dev/xvdf).
# The unencrypted volume will be presented under a different device name (/dev/mapper/truecrypt1).
sudo truecrypt --filesystem=none -k "" --protect-hidden=no /dev/xvdf

# Mount the file-system
sudo mount /dev/mapper/truecrypt1 /mnt

# Access the encrypted files
ls -la /mnt

# Unmount the file-system
sudo umount /mnt

# Unmount the encrypted volume (/dev/mapper/truecrypt1 -> /dev/xvdf).
# Make sure that you have ALREADY unmounted the file-system!
sudo truecrypt -d /dev/xvdf
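Both procedures above end with the same two manual checks: that the new dm device has the expected size, and that the file-system is unmounted before `truecrypt -d` is run. The helper below is an added example (not code from the original article) that scripts those checks; it assumes the device naming from the article (backing device `sdb`/`xvdf`, mapper device `/dev/mapper/truecrypt1`) and can be pointed at any file in the /proc/partitions and /proc/mounts format for testing.

```shell
#!/bin/sh
# Guard checks for the TrueCrypt-over-iSCSI procedure (added example).
# Usage: mapper_size_ok sdb dm-0 && safe_dismount /dev/sdb /dev/mapper/truecrypt1

# Print the size in 1 KiB blocks of device NAME (e.g. "sdb", "dm-0") from a
# /proc/partitions-style table ($2, default /proc/partitions), or nothing if
# the device is not listed.
blocks_of() {
    awk -v n="$1" '$4 == n { print $3 }' "${2:-/proc/partitions}"
}

# Return 0 if the mapper device ($2) is exactly 256 blocks (256 KiB) smaller
# than the backing device ($1), which is what the article's output shows
# (83886080 vs 83885824): TrueCrypt reserves that space for its volume
# headers. Any other difference means the wrong device pair was given.
mapper_size_ok() {
    raw=$(blocks_of "$1" "$3")
    enc=$(blocks_of "$2" "$3")
    [ -n "$raw" ] && [ -n "$enc" ] && [ "$((raw - enc))" -eq 256 ]
}

# Return 0 if DEV ($1) is currently a mounted source in a /proc/mounts-style
# table ($2, default /proc/mounts).
is_mounted() {
    awk -v d="$1" '$1 == d { f = 1 } END { exit f ? 0 : 1 }' "${2:-/proc/mounts}"
}

# Dismount the TrueCrypt volume on DEV ($1) only after its mapper device ($2)
# is no longer mounted; otherwise refuse, instead of pulling the block device
# out from under a live ext4 file-system.
safe_dismount() {
    dev="$1"
    mapper="${2:-/dev/mapper/truecrypt1}"
    if is_mounted "$mapper"; then
        echo "refusing: $mapper is still mounted, run 'umount' first" >&2
        return 1
    fi
    sync
    sudo truecrypt -d "$dev"
}
```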