An encrypted network drive using iSCSI

The motivation is to back up data to a server and encrypt it on the fly. The test setup consists of one FreeBSD web server and a local Linux system, and it finally worked out quite well: I was able to create an encrypted network device that is decrypted on the local machine, so the server only ever stores ciphertext.

The FreeBSD Server

Set up the remote FreeBSD machine by putting the following into /etc/ctl.conf:

portal-group pg0 {
  discovery-auth-group no-authentication
  listen 127.0.0.1
  listen [::1]
}

target iqn.2012-06.com.example:target0 {
  auth-group no-authentication
  portal-group pg0

  lun 0 {
    path /home/max/nbd-test.raw
    size 512M
  }
}

Append to /etc/rc.conf:

ctld_enable="YES"
iscsid_enable="YES"

Start both:

service ctld start
service iscsid start

The Linux Host

Connect to the FreeBSD server and forward port 3260 (the port iSCSI uses) over SSH. After that the remote iSCSI device is available locally, which is why I used 127.0.0.1 and [::1] (for IPv6) in /etc/ctl.conf: the target, which is configured with no-authentication, listens only on the server's loopback addresses and is not exposed on the network. The device is created under /dev/, initialized with luksFormat, and opened as a device node under /dev/mapper that provides the decrypted view of the device, on which I finally created an ext3 file system (which might not be the best choice).

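ssh -L 3260:localhost:3260 [freebsd-server-ip]  # forward the iSCSI port; keep this session open
iscsiadm --mode discovery --type sendtargets --portal 127.0.0.1:3260  # discover targets through the tunnel (creates the node record)
iscsiadm --mode node  # displays available nodes
iscsiadm --mode node --targetname iqn.2012-06.com.example:target0 --portal 127.0.0.1:3260 --login  # login (creates /dev/sdX device)
cryptsetup luksFormat /dev/sdX  # format device (overwrites whatever is on /dev/sdX)
cryptsetup open /dev/sdX iscsi-crypt  # creates /dev/mapper/iscsi-crypt
mkfs.ext3 -L iscsi-crypt /dev/mapper/iscsi-crypt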
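
The commands above address the disk as /dev/sdX, and luksFormat overwrites whatever that name happens to point to. As an added example (not part of the original post), this script finds the LUN through its udev by-path link, refuses to open a device that has no LUKS header, and tears the stack down in reverse order; the function names and the BY_PATH_DIR override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find the iSCSI LUN by its udev by-path link instead of
# guessing /dev/sdX. Function names and BY_PATH_DIR are assumptions.
TARGET="iqn.2012-06.com.example:target0"   # target name from /etc/ctl.conf
PORTAL="127.0.0.1:3260"                    # local end of the SSH tunnel
BY_PATH_DIR="${BY_PATH_DIR:-/dev/disk/by-path}"

# udev names an iSCSI LUN ip-<portal>-iscsi-<iqn>-lun-<n>
iscsi_link() {
    printf '%s/ip-%s-iscsi-%s-lun-%s\n' "$BY_PATH_DIR" "$2" "$1" "${3:-0}"
}

# Print the device node behind the link; fail if the link is missing or
# does not resolve to a block device.
iscsi_device() {
    link=$(iscsi_link "$1" "$2" "${3:-0}")
    [ -L "$link" ] || { echo "no such LUN: $link" >&2; return 1; }
    dev=$(readlink -f "$link")
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    printf '%s\n' "$dev"
}

open_volume() {
    dev=$(iscsi_device "$TARGET" "$PORTAL") || return 1
    # isLuks succeeds only when the device already has a LUKS header
    if ! cryptsetup isLuks "$dev"; then
        echo "$dev has no LUKS header; run luksFormat on it once, by hand" >&2
        return 1
    fi
    cryptsetup open "$dev" iscsi-crypt
}

# Tear down in reverse order: filesystem, dm-crypt mapping, iSCSI session.
close_volume() {
    umount /dev/mapper/iscsi-crypt 2>/dev/null   # ignore "not mounted"
    cryptsetup close iscsi-crypt &&
    iscsiadm --mode node --targetname "$TARGET" --portal "$PORTAL" --logout
}

case "${1:-}" in
    open)  open_volume ;;
    close) close_volume ;;
esac
```

Run it as root with `open` after the iscsiadm login and with `close` before ending the SSH session.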