view · edit · print · history

Project CryptSlug


Imagine that you have a good amount of data on external drives
which you really would not want to be compromised in case of theft
or curious relatives with too much time on their hands.
That data may be anything from company secrets, a dump of the
HR database with SSNs for debugging purposes or your not-so-legal
BT movie collection.
Storing this kind of stuff unencrypted is downright stupid.
But that isn't too much of a problem if the number of external
drives is small. If hooked up to a workstation, the external drives
can be used with a wide range of encryption applications.
But what if these drives must be accessible to multiple client PCs
at all times? Normally one would use a cheap NAS box to share
all drives with the network. Problem is, at the time of writing,
none of the usual NAS boxes supported any kind of encryption.
And thus, ProjectCryptSlug was born.
This HowTo will explain how to configure a freshly flashed NSLU2
NAS box running SlugOS to securely encrypt attached drives and
act as an NFS server.
Flashing your NSLU2 is not covered by this HowTo as it is already
documented elsewhere.

Goals of this HowTo

  • Sharing one or more fully encrypted HDDs via NFS (or other means)
    over NFS via an NSLU2
  • The encrypted drives can be connected to any Linux PC as well


  • A cleanly flashed NSLU2 NAS box with a firmware not older than
  • A USB flash drive or a dedicated (unencrypted) small partition
    on an HDD to hold the rootfs. The flash is too small to handle all
  • One or more HDDs to be encrypted and used as shared drives
  • A bit of your time and some patience ;)

Moving the rootfs

As I mentioned before, the onboard flash of the NSLU2 is not
large enough to hold all packages required, so we need to copy
the rootfs to either an USB key or a small partition on an connected
HDD. Many people prefer USB keys as they are cheap, fast and do
not keep the HDDs spinning uselessly.
The turnup script in SlugOS will do most of the grunt work for us.
(I assume that you know how to partition an HDD at this point.)

Copy the rootfs

  • Format the target partition onto which we will copy the rootfs.
    In my case, I used an USB key drive:
 mkfs.ext2 -m0 -L "Boot" /dev/sda1
You should use ext3 instead of ext2 for HDDs.
  • Copy the rootfs
 turnup disk -i /dev/sda1 -t ext2
  • Reboot the slug to switch to the new rootfs:
The output of df now shows our USB key as new rootfs:
 Filesystem           1k-blocks      Used Available Use% Mounted on
 /dev/sda1               975112      9652    965460   1% /

Installing & configuring additional packages

The following command installs all required packages for our
little project:
 ipkg update && ipkg install cryptsetup nfs-utils 
You may get one or more warning about missing modules.
Usually these can be ignored.
Cryptsetup depends on the dm-crypt module to function. For some
reason the module does not auto-load so we need to force a modprobe
on each boot:
 echo „dm-crypt“ > /etc/modutils/dm-crypt && update-modules
Running modutils.sh should now auto-modprobe dm-crypt:
 root@nslu2:/etc/modutils$ /etc/init.d/modutils.sh
 Calculating module dependencies ...
 Loading modules: dm-crypt 

Setting up an encrypted partition

At this point out slug is ready to handle encrypted partitions via
cryptsetup. Now I'll explain how to format and encrypt an entire
partition of an HDD.
This process causes complete data loss on that HDD!
  • Encrypt the partition:
 cryptsetup -c aes-cbc-essiv:sha256 -y luksFormat /dev/sdb1
You will be asked for a password, you should try really hard
not to forget it! Lose the password, lose the encrypted data.
  • Make the encrypted partition readable to the OS:
 cryptsetup luksOpen /dev/sdb1 $SOMENAME
$SOMENAME can be anything at all, it identifies the partition.
The encrypted partition can now be accessed via /dev/mapper/$SOMENAME.
You can work with it like with a normal partition, just remember to
not use /dev/sd* but always /dev/mapper/$SOMENAME.
  • Create a filesystem on the partition:
 mkfs.ext3 -m0 /dev/mapper/$SOMENAME
  • Mount the partition somewhere:
 mount /dev/mapper/$SOMENAME /media/somewhere 
Congratulations. You're now the proud owner of a fully encrypted
partition mounted on your NSLU2. After a reboot (or a power loss,
someone stealing the HDD) the disk is fully encrypted and useless
to any attacker. You have to manually specify the password
via the cryptsetup luksOpen /dev/sdb1 $SOMENAME command after every
boot. As the NSLU2 usually is very stable, that shouldn't happen too often.
	TODO: Use keys instead of passphrase
	TODO: configure the NFS server

 mounting and umounting
To simplify mounting and unmounting the encrypted partitions, consider
using the pam_mount scripts mount.crypt and umount.crypt
        http://dev.computergmbh.de/gitweb.cgi?p=pam_mount;a=blob_plain;f=scripts/mount.crypt;hb=HEAD(approve sites)

http://dev.computergmbh.de/gitweb.cgi?p=pam_mount;a=blob_plain;f=scripts/umount.crypt;hb=HEAD(approve sites)

view · edit · print · history · Last edited by none.
Based on work by fcarolo, ka6sox, and none.
Originally by none.
Page last modified on June 09, 2008, at 10:44 PM