tutorial - encryption with LUKS of an iSCSI backup device

dethegeek · 2. Juli 2013

Hi

I'm searching for a backup solution on a remote site, and I am concerned about privacy. Thanks to OMV and his debian basis, I tried in a lab environment to connect two OMV servers and backup the first on the second. If I find a friend who wants to try it in the real world, both OMV servers will backup each other (as long as there are enough SATA interfaces to build quite large RAID arrays and logical volumes !)

Backups do not need a fast network after the first sync, but if a disaster occurs, downloading all the data will take a long time. Beware about the need to keep the encryption key in a safe place, far from the server to backup !

1 - LAB description

1 OMV 0.4.32 for data storage (hostname omv-filer)
1 OMV 0.4.32 for backup
A network between both OMV

1.1 - Settings
The file server's hostname is omv-filer
The backup server's hostname is omv-backup, his IP is 192.168.0.30

2 - On the omv-filer (the file server)

2.1 - Install the iscsi target
Login into the server's OMV GUI. In System, click on Plugins. Click on the plugin openmediavault-iscsitarget and click on the button Install.
Reload the web interface to apply changes.

Go in Services, iSCSI Target. Tick Enable and apply.

2.2 - Configure discovery with mutual CHAP authentication

Note : the two credentials below MUST be different. Choose different usernames and different passwords.

Click in Services on iSCSI Target. Click on the button Add in Discovery Authentication. In Transfer Mode choose Incoming and add the username discoverinuser and his password discoverinpass. Click on OK.

Click again on Add. In Transfer Mode choose Outgoing and add the username discoveroutuser and his password discoveroutpass. Click on OK.

2.3 - Create the target

Go in Services, iSCSI Target. Choose the tab Targets and click on the button Add.

Fill the form as the following :

Identifier : backup

Open the Authenticatin tab and create two users for mutual authentication. These credentials will be used for opening a session on the target.

Transfer mode : Incoming
username : targetinuser
Transfer mode : targetinpass

Transfer mode : Outgoing
username : targetoutuser
Transfer mode : targetoutpass

In the LUN tab choose one or several devices which will be accessed through the target.

Apply your changes.

3 - On the omv-backup (the backup server)

3.1 - install the iSCSI initiator
Open a local or remote command line interface and installe the package open-iscsi.

Type the following command apt-get install open-iscsi.

Edit the file /etc/iscsi/iscsid.conf.

Code

node.startup = automatic

3.2 - discover the targets

Edit the file /etc/iscsi/iscsid.conf. and change the following lines :

Code

# To enable CHAP authentication for a discovery session to the target
# set discovery.sendtargets.auth.authmethod to CHAP. The default is None.
discovery.sendtargets.auth.authmethod = CHAP


# To set a discovery session CHAP username and password for the initiator
# authentication by the target(s), uncomment the following lines:
discovery.sendtargets.auth.username = discoverinuser
discovery.sendtargets.auth.password = discoverinpass


# To set a discovery session CHAP username and password for target(s)
# authentication by the initiator, uncomment the following lines:
discovery.sendtargets.auth.username_in = discoveroutuser
discovery.sendtargets.auth.password_in = discoveroutuserpass

Alles anzeigen

Try to discover the targets :

Code

omv-filer:~# iscsiadm -m discovery -t st -p 192.168.0.30
192.168.0.30:3260,1 iqn.2013-06.fr.domain.omv-backup:backup

The initiators knows nearly all about the target. Edit the generated configuration files with the following commands to set the credentials for the target :

Code

omv-filer:~# iscsiadm -m node -T iqn.2013-06.fr.domain.omv-backup:backup -p 192.168.0.30 -o update -n node.session.auth.authmethod -v CHAP
omv-filer:~# iscsiadm -m node -T iqn.2013-06.fr.domain.omv-backup:backup -p 192.168.0.30 -o update -n node.session.auth.username -v targetinuser
omv-filer:~# iscsiadm -m node -T iqn.2013-06.fr.domain.omv-backup:backup -p 192.168.0.30 -o update -n node.session.auth.password -v targetinpass
omv-filer:~# iscsiadm -m node -T iqn.2013-06.fr.domain.omv-backup:backup -p 192.168.0.30 -o update -n node.session.auth.username_in -v targetinuser
omv-filer:~# iscsiadm -m node -T iqn.2013-06.fr.domain.omv-backup:backup -p 192.168.0.30 -o update -n node.session.auth.password_in -v targetinpass

Try to open a session on the target.

Code

omv-filer:~# iscsiadm -m node -T iqn.2013-06.fr.domain.omv-backup:backup -p 192.168.0.30 -l

If the command succeeded, you will see a new device :

Code

omv-filer:~# ls -l /dev/sd*
brw-rw---- 1 root disk 8,  0  1 juil. 13:45 /dev/sda
brw-rw---- 1 root disk 8,  1  1 juil. 13:45 /dev/sda1
brw-rw---- 1 root disk 8,  2  1 juil. 13:45 /dev/sda2
brw-rw---- 1 root disk 8,  5  1 juil. 13:45 /dev/sda5
brw-rw---- 1 root disk 8, 16  1 juil. 13:45 /dev/sdb
brw-rw---- 1 root disk 8, 17  1 juil. 13:45 /dev/sdb1
brw-rw---- 1 root disk 8, 32  1 juil. 13:45 /dev/sdc
brw-rw---- 1 root disk 8, 33  1 juil. 13:45 /dev/sdc1

Now enable automatic logon on this target

Code

omv-filer:~# iscsiadm -m node -T iqn.2013-06.fr.domain.omv-backup:backup -p 192.168.0.30 -o update -n node.startup -v automatic

3.3 - Create a volume

You may create a RAID array or a logical volume or simply a partition. Encryption will apply on this volume.

Code

omv-filer:~# parted /dev/sdc
GNU Parted 2.3
Using /dev/sdc
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) mklabel gpt
Warning: The existing disk label on /dev/sdc will be destroyed and all data on
this disk will be lost. Do you want to continue?
Yes/No? yes
(parted) mkpart primary ext4 1M 100%
(parted) p
Model: IET VIRTUAL-DISK (scsi)
Disk /dev/sdc: 5369MB
Sector size (logical/physical): 512B/512B
Partition Table: gpt


Number  Start   End     Size    File system  Name     Flags
 1      1049kB  5368MB  5367MB               primary


(parted) q
Information: You may need to update /etc/fstab.

Alles anzeigen

3.4 - Encryption configuration

Install cryptsetup

Code

omv-filer:~# apt-get install cryptsetup

Overwrite the full device with random data. A zero'ed device will make a weaker encryption. This step will need a very long time depending on his size and the speed of your network with the remote server. It is more efficient to do it from a command line on the backup server itself.

Code

omv-filer:~# dd if=/dev/urandom of=/dev/sdc1 bs=1M

To follow the overwrite progress you may use these commands. Simply replace <dd pid> by the process ID found by ps :

Code

omv-filer:~# ps -ef |grep dd
omv-filer:~# kill -USR1 <pid dd>

Create a key to open your encrypted device. This will need some time.

Code

omv-filer:~# mkdir /etc/keys
omv-filer:~# dd if=/dev/random of=/etc/keys/sdc1_key bs=1 count=42
omv-filer:~# chmod go-rwx /etc/keys/sdc1_key

Create the volume encryption header with the key :

Code

omv-filer:~# cryptsetup -c aes-xts-plain64 -s 512 -h sha512 -i 5000 luksFormat /dev/sdc1 /etc/keys/sdc1_key


WARNING!
========
Cette action écrasera définitivement les données sur /dev/sdc1.


Are you sure? (Type uppercase yes): YES

Open the encrypted volume :

Code

omv-filer:~# cryptsetup luksOpen /dev/sdc1 backupcrypted --key-file /etc/keys/sdc1_key

Check the encrypted volume is available

Code

omv-filer:~# ls /dev/mapper/
lrwxrwxrwx 1 root root      7 30 juin  19:36 backupcrypted -> ../dm-0
crw------- 1 root root 10, 59 30 juin  10:23 control

Find the UUID of the encrypted volume

Code

omv-filer:~# blkid
/dev/sda1: UUID="de2d538e-3929-4f46-abe1-a0cdde3abe35" TYPE="ext4"
/dev/sda5: UUID="94946e4d-11a4-411e-b667-51602afbdab6" TYPE="swap"
/dev/sdb1: LABEL="data" UUID="162efbed-45e3-40cc-87a0-28ba2966a51e" TYPE="ext4"
/dev/sdc1: UUID="ad0bca32-9393-40b4-ae1a-142ed8f374fc" TYPE="crypto_LUKS"

Edit /etc/crypttab and add a line similar to this one :

Code

backupcrypted UUID=ad0bca32-9393-40b4-ae1a-142ed8f374fc /etc/keys/sdc1_key luks

3.5 - format the encrypted volume

Create a filesystem on the encrypted volume

Code

omv-filer:~# mkfs.ext4 /dev/mapper/backupcrypted

Mount the encrypted volume in the GUI of omv-filer.

Get the UUID of the encrypted volume :

Code

omv-filer:~# blkid
/dev/sda1: UUID="de2d538e-3929-4f46-abe1-a0cdde3abe35" TYPE="ext4"
/dev/sda5: UUID="94946e4d-11a4-411e-b667-51602afbdab6" TYPE="swap"
/dev/sdb1: LABEL="data" UUID="162efbed-45e3-40cc-87a0-28ba2966a51e" TYPE="ext4"
/dev/sdc1: UUID="ad0bca32-9393-40b4-ae1a-142ed8f374fc" TYPE="crypto_LUKS"
/dev/mapper/backupcrypted: UUID="9aa2e503-dc13-4030-973c-f354f7c045f6" TYPE="ext4"

Edit /etc/openmediavault/config.xml and find the UUID of the encrypted volume. Edit the section <mntent /> to add the options nofail and _netdev.

Code

<mntent>
        <uuid>01ad35b5-2680-483d-af92-ae93526e3959</uuid>
        <fsname>9aa2e503-dc13-4030-973c-f354f7c045f6</fsname>
        <dir>/media/9aa2e503-dc13-4030-973c-f354f7c045f6</dir>
        <type>ext4</type>
        <opts>defaults,acl,user_xattr,noexec,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0,nofail,_netdev</opts>
        <freq>0</freq>
        <passno>2</passno>
      </mntent>

Open /etc/fstab and add the same options :

Code

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# >>> [openmediavault]
UUID=9aa2e503-dc13-4030-973c-f354f7c045f6 /media/9aa2e503-dc13-4030-973c-f354f7c045f6 ext4 defaults,acl,user_xattr,noexec,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0,nofail,_netdev 0 2
# <<< [openmediavault]

3.6 - automount the encrypted volume

Create the file /etc/init.d/cryptdisks-late. Add the following content :

Code

#! /bin/sh
### BEGIN INIT INFO
# Provides:          cryptdisks-late
# Required-Start:    checkroot
# Required-Stop:     umountroot
# Should-Start:      udev mdadm-raid lvm2 open-iscsi
# Should-Stop:       udev mdadm-raid lvm2 open-iscsi
# X-Start-Before:
# X-Stop-After:
# X-Interactive:     true
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Setup late encrypted block devices.
# Description:
### END INIT INFO


iscsiUUIDList="ad0bca32-9393-40b4-ae1a-142ed8f374fc"
maxTries=3


do_start () {
        local iscsiUUID stopWaiting tries iscsiUUIDFound cryptedvol
        # try to open all encrypted volumes
        if [ -f /etc/crypttab ]
        then
                if [ -r /etc/crypttab ]
                then
                        for iscsiUUID in $iscsiUUIDList
                        do
                                echo "checking /dev/disk/by-uuid/$iscsiUUID ..."
                                stopWaiting=0
                                tries=0
                                iscsiUUIDFound=0
                                while [ $stopWaiting -eq 0 ]
                                do
                                        tries=`expr $tries + 1`
                                        if [ -e /dev/disk/by-uuid/$iscsiUUID ]
                                        then
                                                stopWaiting=1
                                                iscsiUUIDFound=1
                                                echo "device $iscsiUUID found"
                                        else
                                                if [ $tries -gt $maxTries ]
                                                then
                                                        stopWaiting=1
                                                        echo "device $iscsiUUID not found after $maxTries tries; giving up"
                                                else
                                                        echo "Tried $tries out of $maxTries waiting a second..."
                                                        sleep 1s
                                                fi
                                        fi
                                done
                                if [ $iscsiUUIDFound -eq 1 ]
                                then
                                        echo "finding in /etc/crypttab the mapped device name for $iscsiUUID"
                                        cryptedvol=$(tail -n +2 /etc/crypttab | grep $iscsiUUID | cut -f 1)
                                        # try to open the volume found in /etc/crypttab
                                        echo "trying to open $cryptedvol"
                                        cryptdisks_start $cryptedvol
                                        if [ $? -eq 0 ]
                                        then
                                                # try to mount once, if it exists un /etc/fstab
                                                echo "trying to mount the crypted volume $cryptedvol"
                                                mount /dev/mapper/$cryptedvol
                                                if [ $? -ne 0 ]
                                                then
                                                        echo "Could not mount $cryptedvol"
                                                fi
                                        else
                                                echo "Could not open encrypted volume with cryptdis_start"
                                        fi
                                fi
                        done
                fi
        fi
}


do_stop () {
        local iscsiUUID stopWaiting tries iscsiUUIDFound cryptedvol
        # try to open all encrypted volumes
        if [ -f /etc/crypttab ]
        then
                if [ -r /etc/crypttab ]
                then
                        for iscsiUUID in $iscsiUUIDList
                        do
                                echo "checking /dev/disk/by-uuid/$iscsiUUID ..."
                                stopWaiting=0
                                tries=0
                                iscsiUUIDFound=0
                                while [ $stopWaiting -eq 0 ]
                                do
                                        tries=`expr $tries + 1`
                                        if [ -e /dev/disk/by-uuid/$iscsiUUID ]
                                        then
                                                stopWaiting=1
                                                iscsiUUIDFound=1
                                                echo "device $iscsiUUID found"
                                        fi
                                done
                                if [ $iscsiUUIDFound -eq 1 ]
                                then
                                        echo "finding in /etc/crypttab the mapped device name for $iscsiUUID"
                                        cryptedvol=$(tail -n +2 /etc/crypttab | grep $iscsiUUID | cut -f 1)
                                        # try to unmount the volume found in /etc/crypttab
                                        echo "trying to unmount the crypted volume $cryptedvol"
                                        umount /dev/mapper/$cryptedvol
                                        if [ $? -eq 0 ]
                                        then
                                                # try to close the crypted volume
                                                echo "trying to close the crypted volume $cryptedvol"
                                                cryptdisks_stop $cryptedvol
                                                if [ $? -ne 0 ]
                                                then
                                                        echo "Could not close $cryptedvol"
                                                fi
                                        else
                                                echo "Could not unmount encrypted volume with umount"
                                        fi
                                fi
                        done
                fi
        fi
}


case "$CRYPTDISKS_ENABLE" in
[Nn]*)
        exit 0
        ;;
esac


case "$1" in
start)
        do_start
        ;;
stop)
        do_stop
        ;;
restart|reload|force-reload)
        do_stop
        do_start
        ;;
force-start)
        FORCE_START="yes"
        do_start
        ;;
*)
        echo "Usage: cryptdisks {start|stop|restart|reload|force-reload|force-start}"
        exit 1
        ;;
esac

Alles anzeigen

The variable iscsiUUIDList is a space separated list of iSCSI volumes encrypted by LUKS. The script tries several times to find the iSCSI volume, and if it is found, opens it with cryptsetup. Finally the encrypted volume is mounted with mount. Cryptsetup uses /etc/crypttab and mount uses /etc/fstab.

Edit the iscsiUUIDList with the UUIDs of the iSCSI volumes as they appear with blkid after opening a session on the iSCSI targets.

Make the script executable and setup it as a service:

Code

omv-filer:~# chmod +x /etc/init.d/cryptdisks-late
omv-filer:~# update-rc.d cryptdisks-late defaults

Restart the system to check the encrypted volumes are automatically mounted.

Use the backup solution of your choice to backup the local volumes on the remote encrypted volume.

dethegeek · 2. Juli 2013

(reserved)

dethegeek · 2. Juli 2013

(reserved)

Jetzt mitmachen!