
An encrypted network drive: using iSCSI

The motivation is to back up data to a server and encrypt it on the fly. One FreeBSD web server and a local Linux system form the base setup for this test, which finally worked out quite well: I was able to create an encrypted network device that gets decrypted on the local machine.

The FreeBSD Server

Set up the remote FreeBSD machine (/etc/ctl.conf):

portal-group pg0 {
  discovery-auth-group no-authentication
  listen 127.0.0.1
  listen [::1]
}

target iqn.2012-06.com.example:target0 {
  auth-group no-authentication
  portal-group pg0

  lun 0 {
    path /home/max/nbd-test.raw
    size 512M
  }
}

Append to /etc/rc.conf:

ctld_enable="YES"
iscsid_enable="YES"

Start both:

service ctld start
service iscsid start

The Linux Host

Connect to the FreeBSD server over SSH and forward port 3260 (the port iSCSI uses). The remote iSCSI device is then available locally, which is why I used 127.0.0.1 and [::1] (for IPv6) as the listen addresses in /etc/ctl.conf. After login the device appears under /dev/ and is initialized with luksFormat. Opening it creates a device node under /dev/mapper that exposes the decrypted view of the device, on which I finally created an ext3 file system (which might not be the best choice). Encryption and decryption happen on the Linux host.

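ssh -L 3260:localhost:3260 [freebsd-server-ip]
# In a second terminal on the Linux host, while the tunnel is up:
iscsiadm --mode discovery --type sendtargets --portal 127.0.0.1:3260  # create the node record before the first login
iscsiadm --mode node  # displays available nodes
iscsiadm --mode node --targetname iqn.2012-06.com.example:target0 --portal 127.0.0.1:3260 --login  # login (creates /dev/sdX device)
cryptsetup luksFormat /dev/sdX  # format device (overwrites whatever is on /dev/sdX)
cryptsetup open /dev/sdX iscsi-crypt  # decrypted view appears as /dev/mapper/iscsi-crypt
mkfs.ext3 -L iscsi-crypt /dev/mapper/iscsi-crypt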
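
The ctl.conf above uses no-authentication for both discovery and the target, which is only acceptable because every listen address is loopback and the SSH tunnel is the sole way in. The check below is an added example, not part of the original setup: it parses a ctl.conf and reports any no-authentication discovery or target attached to a portal group that listens beyond loopback. It assumes the classic one-statement-per-line ctl.conf syntax and treats targets that name no portal group as using the built-in "default" group, which listens on all addresses.

```python
import ipaddress
import re

# The page's ctl.conf (lun block omitted; it does not affect the check).
PAGE_CONF = """\
portal-group pg0 {
  discovery-auth-group no-authentication
  listen 127.0.0.1
  listen [::1]
}
target iqn.2012-06.com.example:target0 {
  auth-group no-authentication
  portal-group pg0
}
"""

def parse_blocks(text, kind):
    """Return {name: [statements]} for each top-level `kind name { ... }` block."""
    text = re.sub(r"#.*", "", text)  # strip comments
    blocks = {}
    for m in re.finditer(r"^%s\s+(\S+)\s*\{" % re.escape(kind), text, re.M):
        depth, i = 1, m.end()
        while depth and i < len(text):  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        blocks[m.group(1)] = [" ".join(s.split()) for s in text[m.end():i - 1].splitlines() if s.strip()]
    return blocks

def is_loopback(addr):
    """True if a `listen` argument (v4, [v6], optional :port) is a loopback address."""
    m = re.match(r"^\[(.+)\](?::\d+)?$", addr)
    host = m.group(1) if m else addr.split(":")[0]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostname or unparsable: treat as reachable from outside

def audit(text):
    """Flag no-authentication discovery/targets on portal groups that are not loopback-only."""
    groups = parse_blocks(text, "portal-group")
    exposed = {name for name, stmts in groups.items()
               if any(s.startswith("listen ") and not is_loopback(s.split()[1]) for s in stmts)}
    exposed |= {"default"} - set(groups)  # built-in group listens on all addresses
    findings = [f"portal-group {n}: unauthenticated discovery on a non-loopback listener"
                for n in sorted(exposed) if "discovery-auth-group no-authentication" in groups.get(n, [])]
    for tname, stmts in parse_blocks(text, "target").items():
        used = {s.split()[1] for s in stmts if s.startswith("portal-group ")} or {"default"}
        if "auth-group no-authentication" in stmts and used & exposed:
            findings.append(f"target {tname}: no-authentication via {sorted(used & exposed)}")
    return findings
```

`audit(PAGE_CONF)` returns an empty list for the configuration on this page; changing either listen line to a routable or wildcard address produces one finding for discovery and one for the target.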