Imagine that you have a good amount of data on external drives
which you really would not want to be compromised in case of theft
or curious relatives with too much time on their hands.
That data may be anything from company secrets, a dump of the
HR database with SSNs for debugging purposes or your not-so-legal
BT movie collection.
Storing this kind of stuff unencrypted is downright stupid.
But that isn't too much of a problem if the number of external
drives is small. If hooked up to a workstation, the external drives
can be used with a wide range of encryption applications.
But what if these drives must be accessible to multiple client PCs
at all times? Normally one would use a cheap NAS box to share
all drives with the network. Problem is, at the time of writing,
none of the usual NAS boxes supported any kind of encryption.
And thus, ProjectCryptSlug was born.
This HowTo will explain how to configure a freshly flashed NSLU2
NAS box running SlugOS to securely encrypt attached drives and
act as an NFS server.
Flashing your NSLU2 is not covered by this HowTo as it is already
Goals of this HowTo
Moving the rootfs
As I mentioned before, the onboard flash of the NSLU2 is not
large enough to hold all packages required, so we need to copy
the rootfs to either an USB key or a small partition on an connected
HDD. Many people prefer USB keys as they are cheap, fast and do
not keep the HDDs spinning uselessly.
The turnup script in SlugOS will do most of the grunt work for us.
(I assume that you know how to partition an HDD at this point.)
Copy the rootfs
mkfs.ext2 -m0 -L "Boot" /dev/sda1
You should use ext3 instead of ext2 for HDDs.
turnup disk -i /dev/sda1 -t ext2
The output of df now shows our USB key as new rootfs:
Filesystem 1k-blocks Used Available Use% Mounted on /dev/sda1 975112 9652 965460 1% /
Installing & configuring additional packages
The following command installs all required packages for our
ipkg update && ipkg install cryptsetup nfs-utils
You may get one or more warning about missing modules.
Usually these can be ignored.
Cryptsetup depends on the dm-crypt module to function. For some
reason the module does not auto-load so we need to force a modprobe
on each boot:
echo „dm-crypt“ > /etc/modutils/dm-crypt && update-modules
Running modutils.sh should now auto-modprobe dm-crypt:
root@nslu2:/etc/modutils$ /etc/init.d/modutils.sh Calculating module dependencies ... Loading modules: dm-crypt
Setting up an encrypted partition
At this point out slug is ready to handle encrypted partitions via
cryptsetup. Now I'll explain how to format and encrypt an entire
partition of an HDD.
This process causes complete data loss on that HDD!
cryptsetup -c aes-cbc-essiv:sha256 -y luksFormat /dev/sdb1
You will be asked for a password, you should try really hard
not to forget it! Lose the password, lose the encrypted data.
cryptsetup luksOpen /dev/sdb1 $SOMENAME
$SOMENAME can be anything at all, it identifies the partition.
The encrypted partition can now be accessed via /dev/mapper/$SOMENAME.
You can work with it like with a normal partition, just remember to
not use /dev/sd* but always /dev/mapper/$SOMENAME.
mkfs.ext3 -m0 /dev/mapper/$SOMENAME
mount /dev/mapper/$SOMENAME /media/somewhere
Congratulations. You're now the proud owner of a fully encrypted
partition mounted on your NSLU2. After a reboot (or a power loss,
someone stealing the HDD) the disk is fully encrypted and useless
to any attacker. You have to manually specify the password
via the cryptsetup luksOpen /dev/sdb1 $SOMENAME command after every
boot. As the NSLU2 usually is very stable, that shouldn't happen too often.
TODO: Use keys instead of passphrase TODO: configure the NFS server mounting and umounting
To simplify mounting and unmounting the encrypted partitions, consider
using the pam_mount scripts mount.crypt and umount.crypt