Encrypting backup partition using dm-crypt and cryptsetup

2012-06-28 at 21:20:53 | categories: tips, linux

Motivation

Recently I bought new backup HDDs and wanted to store data on them in encrypted form (as always). Although I have done that several times before, I again had trouble recalling how it was done, so I decided to write it down here, where it is easy to find again. Maybe it will be useful for someone else too.

Encrypted backups: dm-crypt vs loop-aes

There is no need to convince anyone that backups are important. I keep mine on an external USB HDD and push data to it using rsync. The HDD is encrypted using dm-crypt to protect the data in case I lose the HDD. I used to use loop-aes, but gave it up in favor of dm-crypt for the following reasons:

  • Loop-aes required compiling an additional kernel module. It is not a problem (module-assistant in Debian did the job well), but it was just one more thing to remember... Support for dm-crypt is part of the kernel, so it works out of the box.
  • Both loop-aes and dm-crypt have very similar performance.
  • Loop-aes allows storing the key on a separate medium, such as a USB stick. That is great, but I don't need that feature.

How to encrypt a HDD in a few steps

Everything below applies to a Debian system.

  • Install cryptsetup and cryptsetup-bin.

  • After connecting the new disk, check which device it is. It is /dev/sdb in my case. To create the encrypted partition I use this:

cryptsetup luksFormat /dev/sdb

I could have done it differently: making a partition first (e.g. using cfdisk to create /dev/sdb1) and then encrypting only that one. But I prefer to encrypt the whole HDD for my own reasons :)

  • Open it

cryptsetup luksOpen /dev/sdb backup

You will need to enter the same password here as you provided in the previous step. If you succeed you will get the /dev/mapper/backup block device, which you can use in the next step.

  • Format it, like so:

mkfs.ext4 -m 0 -L backup /dev/mapper/backup

As you can see, this uses ext4, reserves nothing for root, and sets a label.

  • Once that is done - I just mount it:

mount /dev/mapper/backup /mnt/backup

  • ...and use it :-) To make it easier I have a simple mount script doing this:

cryptsetup luksOpen /dev/sdb backup && mount /dev/mapper/backup /mnt/backup

To unmount:

umount /mnt/backup && cryptsetup luksClose backup
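
Kernel names such as /dev/sdb are not stable across reboots or re-plugging, so a mount script can look the disk up by its LUKS UUID and confirm it is a LUKS container before opening it. The following is an added example, not the script from the original post; the function names, the LUKS_UUID placeholder and the BY_UUID_DIR override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: open/close the backup disk by LUKS UUID instead of /dev/sdb.
# LUKS_UUID is a placeholder; read the real value once with:
#   cryptsetup luksUUID /dev/sdb
LUKS_UUID="${LUKS_UUID:-00000000-0000-0000-0000-000000000000}"
NAME=backup
MNT=/mnt/backup
BY_UUID_DIR="${BY_UUID_DIR:-/dev/disk/by-uuid}"   # overridable (assumption, for testing)

# Print the device node behind a UUID symlink; fail if the disk is not attached.
resolve_dev() {
    link="$BY_UUID_DIR/$1"
    [ -e "$link" ] || return 1
    readlink -f "$link"
}

# Open the LUKS container and mount it; each step is skipped if already done.
open_backup() {
    dev=$(resolve_dev "$LUKS_UUID") || { echo "backup disk not attached" >&2; return 1; }
    cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
    [ -e "/dev/mapper/$NAME" ] || cryptsetup luksOpen "$dev" "$NAME" || return 1
    mountpoint -q "$MNT" || mount "/dev/mapper/$NAME" "$MNT"
}

# Unmount and close the mapping so the data is unreadable once unplugged.
close_backup() {
    if mountpoint -q "$MNT"; then umount "$MNT" || return 1; fi
    [ ! -e "/dev/mapper/$NAME" ] || cryptsetup luksClose "$NAME"
}

# Usage: script open | script close (no argument: only define the functions).
case "${1:-}" in
    open)  open_backup ;;
    close) close_backup ;;
esac
```
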

I hope you find this description useful. If not, no problem: it will surely be good for refreshing my memory next time I need it :)