So, we have secure remote incremental backup solution here. What about data saved on our backup media (server)? I use dm-crypt – the standard device-mapper encryption functionality provided by the Linux kernel. I’ve encrypted my backup partition with an image from my gallery located on my work machine (passphrases could be weak). Learn more about encrypting partitions with a key here. What I need to do before every backup process is to open the encrypted partition. Obviously, after the backup process I close it.
Create encrypted partition
First modprobe kernel module:
We need to create encrypted partition for our sensitive data. Assuming we
already have a spare partition you can simply run the command:
cryptsetup -c aes-xts-plain -s 512 luksFormat <volume_to_encrypt>
What does it mean?
- -c switch: cipher
- -s switch: key-size in bits
- volume_to_encrypt: for example
- secret_keyfile: path to the keyfile
Mount encrypted partition
Now, here’s my solution how to do this:
1 2 3 4 5 6 7 8 9
What does this bloody script mean?
- copy the secret key file to user’s home directory. I prefer well-known images which you can find easily on the Internet. If you lose your key file, you won’t be able to decrypt your encrypted partition.
- run script over SSH (using an pubkey for verification)
- assuming the remote user is properly configured in sudoers file to run
cryptsetup; open an encrypted device
/dev/sda9) and call it for example “no_more_secrets” (
name-of-open-partition). Use copied keyfile as a key.
- right after opening the encrypted device be sure
to remove the secret keyfile (
- if opening the partition for the first time, you need to format it. Of course, you can choose another filesystem.
- mount “no_more_secrets” device. This step require adding a similar line to
/dev/mapper/<name-of-open-partition> /mnt/somewhere ext4 rw,relatime,data=ordered,barrier=0,user,exec,suid,dev,noauto 0 0
All right, now we can access the encrypted partition, read & write data, whatever.
To sum up, there are two different paths to the encrypted devices. First, e.g.
/dev/sda9 (path-to-encrypted-partition) is used only for “luksOpen” operation.
Opened device is located in
/dev/mapper/ directory. This path is in the
script above used for mount, umount and mkfs.
Unmount encrypted partition
Just run these commands on remote machine:
1 2 3 4
Simple, isn’t it?