Setting Up An Encrypted Disk

This isn’t part of rsbackup proper, but since you might well want to encrypt your backups, the setup process is sketched here.

Threat Model

The main threat I’m interested in protecting against is that a petty criminal comes into possession of my backup disk either by stealing it from an offsite location, or because I manage to lose it somehow. I don’t want them able to read my email or gain access to website passwords (of which I have far too many to remember, and most of them don’t protect anything especially important).

I’m not especially interested in protecting my backups from the NSA. If an organisation with government-level resources were to take an interest in me, then realistically they have better tools available than stealing my backups.

The reason I document this is that, if you are interested in defending against better-resourced attacks than I am (for instance if you live in a country with a highly repressive government), the details below may not be suitable for you.

The Tools

The device mapper is the Linux kernel’s framework for creating virtual block devices. In this case, we are interested in creating a virtual block device that has the plain text corresponding to encrypted data on a physical block device.

dm-crypt is the low-level means of achieving this: writes to the virtual block device are encrypted and forwarded to the underlying physical device, and similarly reads from the virtual block devices are forwarded to the physical device and the content decrypted. The plain text will not be available if the correct key has not been supplied.

Linux Unified Key Setup (LUKS) is a specific encryption scheme that we’ll use.

cryptsetup is a command line tool we’ll use to set things up.

Setting Up An Encrypted Device

First create the partition to encrypt, using your favourite disk partitioner, lvcreate, or whatever. Any pre-existing contents will be destroyed, so take a backup if there is anything important there. I’ll assume below that the device name for the partition it /dev/sdb1, but obviously you should change this to whatever device you are using.

To create the LUKS data structures and establish a key:

# cryptsetup luksFormat /dev/sdb1

This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 
Command successful.

As you can see, you must choose a passphrase. The default encryption key is 128 bits long, so it’s worth using a longer password than the traditional 8 characters, provided you can actually remember it. (A password you can’t remember is no use whatsoever.)

Note: cryptsetup also supports reading the key from a file. If keeping the key file safe somewhere (a couple of well-hidden USB sticks, say) is easier than remembering a suitably long passphrase, that might be more appropriate.

Note: cryptsetup offers a variety of cipher specifications. You may wish to review the available options and consult the cryptsetup FAQ rather than accepting the default.

At this point the encrypted partition exists but does not have any filesystem in it and the underlying plaintext is not accessible. It’s possible to detect the format:

# cat /dev/sdb1 | file -
/dev/stdin: LUKS encrypted file, ver 1 [aes, cbc-essiv:sha256, sha1] UUID: c3ad50a5-a379-4e72-9f92-cacf592

The next step is to create a virtual block device with the plaintext:

# cryptsetup luksOpen /dev/sdb1 backup3
Enter LUKS passphrase: 
key slot 0 unlocked.
Command successful.
# ls -l /dev/mapper/backup3 
brw-rw---- 1 root disk 254, 7 2010-03-14 15:54 /dev/mapper/backup3

You will need to re-enter the passphrase you chose earlier.

At this point you can create a filesystem:

# mkfs -j -Lbackup3 /dev/mapper/backup3 
mke2fs 1.41.3 (12-Oct-2008)
Filesystem label=backup3
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
62336 inodes, 248870 blocks
12443 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=255852544
8 block groups
32768 blocks per group, 32768 fragments per group
7792 inodes per group
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376

Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 29 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

When I did this on a 4TB USB2-attached disk, it took about 40 minutes. So you might want to go away and do something else.

By default the filesystem will be regularly fsck’d. You can suppress this, if you want:

# tune2fs -c0 -i0 /dev/mapper/backup3

It’s now possible to mount the new filesystem:

# mount /dev/mapper/backup3 /mnt
# really ls -l /mnt
total 16
drwx------ 2 root root 16384 2010-03-14 15:55 lost+found
richard@araminta:~$ df -h /mnt
Filesystem             Size  Used Avail Use% Mounted on
/dev/mapper/backup3    957M  1.2M  908M   1% /mnt

So now you can create files, take backups, etc.

Note that just because the disk is encrypted does not imply that other users of the system cannot get at its contents while it’s mounted. The normal file permission rules apply.

To unmount and detach the disk:

# umount /mnt
# cryptsetup luksClose backup3