An encrypted network drive: using iscsi
The motivation is to back up data on a server and encrypt it on the fly. One FreeBSD web server and a local Linux system are the base setup for this test, which finally worked out quite well: I was able to create an encrypted network device, which gets decrypted on the local machine.
The FreeBSD Server
Set up the remote FreeBSD machine (/etc/ctl.conf):
portal-group pg0 {
    discovery-auth-group no-authentication
    listen 127.0.0.1
    listen [::1]
}
target iqn.2012-06.com.example:target0 {
    auth-group no-authentication
    portal-group pg0
    lun 0 {
        path /home/max/nbd-test.raw
        size 512M
    }
}
Append to rc.conf:
ctld_enable="YES"
iscsid_enable="YES"
Start both:
service ctld start
service iscsid start
The Linux Host
Connect to the FreeBSD server and redirect port 3260 (over which iSCSI works). After that the remote iSCSI device is available locally, and that is why I have used 127.0.0.1 and [::1] (for IPv6) in the /etc/ctl.conf. The device gets created under /dev/, is initialized by luksFormat, and gets a device node under mapper, which gets the unencrypted version of the device, on which I finally created an ext3 file system (which might not be the best choice).
ssh -L 3260:localhost:3260 [freebsd-server-ip]
iscsiadm --mode node ;# displays available nodes
iscsiadm --mode node --targetname iqn.2012-06.com.example:target0 --portal 127.0.0.1:3260 --login ;# login (creates /dev/sdX device)
cryptsetup luksFormat /dev/sdX ;# format device
cryptsetup open /dev/sdX iscsi-crypt
mkfs.ext3 -L iscsi-crypt /dev/mapper/iscsi-crypt
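The ctl.conf above uses no-authentication for both discovery and the target, so the setup depends on the portal group listening only on loopback and being reached through the SSH tunnel. The following check is an added example, not part of the original post: it flags unauthenticated portal groups or targets that listen beyond loopback. The portal group pg1 in the sample input is constructed for illustration, and targets without an explicit portal-group line are not checked.

```python
import ipaddress

# Constructed input: the page's ctl.conf plus a hypothetical exposed group "pg1".
SAMPLE = """\
portal-group pg0 {
    discovery-auth-group no-authentication
    listen 127.0.0.1
    listen [::1]
}
portal-group pg1 {
    discovery-auth-group no-authentication
    listen 0.0.0.0
}
target iqn.2012-06.com.example:target0 {
    auth-group no-authentication
    portal-group pg0
    lun 0 {
        path /home/max/nbd-test.raw
    }
}
"""

def is_loopback(listen):
    """True if a listen value (IPv4 or [IPv6], optional :port) is a loopback address."""
    try:
        host = listen[1:listen.index("]")] if listen.startswith("[") else listen.split(":")[0]
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames and malformed values count as exposed

def audit(conf):
    """List unauthenticated portal groups and targets reachable beyond loopback."""
    exposed, noauth, targets, stack = {}, set(), {}, []
    for w in filter(None, (l.split("#")[0].split() for l in conf.splitlines())):
        if w[-1] == "{":
            stack.append(w[:2])          # entering a block: (kind, name)
        elif w[0] == "}":
            stack.pop()
        elif len(stack) == 1 and len(w) >= 2:   # statements directly inside a top-level block
            kind, name = stack[0]
            if kind == "portal-group" and w[0] == "listen" and not is_loopback(w[1]):
                exposed.setdefault(name, []).append(w[1])
            elif w[0] in ("auth-group", "discovery-auth-group") and w[1] == "no-authentication":
                noauth.add((kind, name))
            elif kind == "target" and w[0] == "portal-group":
                targets.setdefault(name, []).append(w[1])
    findings = [f"portal-group {g}: open discovery on {a}"
                for g, addrs in exposed.items() if ("portal-group", g) in noauth for a in addrs]
    return findings + [f"target {t}: no authentication via {g}"
                       for t, gs in targets.items() if ("target", t) in noauth for g in gs if g in exposed]
```

An empty result from `audit()` on the real /etc/ctl.conf means every unauthenticated portal group it found is bound to loopback only.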