Ubuntu External Encrypted Hard Drive

Ubuntu External Encrypted Hard Drive

This HOWTO assumes you are already an Ubuntu 8.04 or 8.10 server administrator, and have a good level of understanding that goes along with that. If you don't know how to use "vi" or "nano", or you don't understand basics of XML files, this tutorial is not for you.

With so many companies experiencing data breaches due to external backup media, we take a bit of extra precautions with our data. Considering that we deal with electronic medical records, having our backups encrypted is a necessity.

Our workflow system creates backup DVD's of data, but restoring from those DVD's would take weeks at best due to the sheer volume of information we store. I've never been a fan of using magnetic media for backups, particularly hard drives, but in this case we have one copy of the data on DVD's and just need a media that allows for faster restores.

We decided to use external 1 TB USB hard drives from Western Digital. This left us with the challenge of encrypting the data, and making the backup drives easily swappable without needing root access.

Getting Ready

First, a few packages are needed. In our Ubuntu servers we had to install the following (your mileage may vary):

sudo apt-get install cryptsetup hashalot hal pmount ivman
sudo modprobe dm-crypt

The last line keeps you from needing to immediately reboot.

If you are going to prepare the drive with an Ubuntu workstation, on it you should only need to install:

sudo apt-get install cryptsetup hashalot

Being a wimp, I first prepped the hard drive from my linux desktop using gparted which made mounting, partitioning and formatting them a breeze. They came pre-formatted with FAT32, so I immediately blew that away and created an EXT3 partition.

Beginning The Encryption

Next, encrypt the partition using the following (replace [your partition] with your partition.. duh!.. mine was "sdf1"):

sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/[your partition]

It will ask you for a password. Please, pick something long and strong, including special characters.

Once the encryption is completed, disconnect and reconnect your USB external drive.

Yet again, I opened up gparted and now I found I had a new unformatted partition and I formatted it to ext3.

NOTE: The latest GParted may destroy the new encrypted partitions

I found when repeating these steps after upgrading to Jaunty that every time I tried to use GParted to format the encrypted partition, it damaged the encryption. Instead, you can use the command line to format the encrypted partition, but you have to find it. Look under /dev/mapper/ to find the encrypted partition - if you have multiple listed, you can use gparted to look at what is available and use that code. Here's what mine looked like; the partition location started with luks_crypto_:

sudo mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/luks_crypto_b6c6e0ae-4ec3-4ff9-9a7e-c1edf104d8e3

A little bit of testing on my desktop with plugging in, unplugging and entering my decryption password from the pop-up dialog in Ubuntu and I was ready to begin the server configuration.

Using Without Entering A Password

Because this server will be doing the backups, I wanted to make sure I didn't have to enter a password every time the drive is inserted or the server rebooted. To do this, you add a second key using a keyfile. Attach the drive to your server, find it's /dev/sdXX mapping and enter the following:

sudo hashalot -n 32 rmd160 > /root/mybackup_key

It will ask you for a password. This should be hugely long and random - the file you generate with it is what you'll want to keep, not the text you type here. When finished, you'll have "mybackup_key" in your root user's home directory.

The key now needs added to the drive as a valid key. Replace "sdX1" with your drive's location:

sudo cryptsetup luksAddKey /dev/sdX1 /root/mybackup_key
sudo chmod 400 /root/mybackup_key

And lastly, test to see if the drive will mount manually by using:

sudo pmount -p /root/mybackup_key /dev/sdX1
It should return after a few seconds with no errors. Automatically Mounting In Ubuntu Server

The last trick is to get it to automatically mount when inserted. In Ubuntu Server there's no automount running by default, and this is where ivman comes into play. Since SATA hard drives look nearly identical to most external USB hard drives to the computer, we need to set up a special rule for ivman to be able to mount it.

First find the UUID of your drive. There's several ways to go about this - one is to do the following:

ls -l /dev/disk/by-uuid/

Look for the entry that corresponds to the partition you have encrypted. This means "sde1" not "sde".

Edit /etc/ivman/IvmConfigActions.xml with your favorite editor and add the following lines somewhere in the middle. Make sure it's not wrapped inside one of the many comments in this file:

    <ivm:Match name="hal.volume.uuid" value="d1f1e751-2d75-4bf3-8bb5-13b487a1a1a0">
        <ivm:Option name="mount" value="true" />
        <ivm:Option name="exec" value="pmount -p /root/mybackup_key $hal.block.device$ /media/mybackup" />
        <ivm:Option name="execun" value="pumount /media/mybackup" />

Now, restart ivman:

/etc/init.d/ivman restart

This approach allows the drive to be connected to various USB ports and assigned various /dev/ locations without worrying about where it goes.

Accessing The Data Later

There are now two ways you can decrypt the data. One is with the password initially created when the drive was encrypted - this allows you to connect the drive to your Ubuntu desktop, enter your password and go. The other is through the encryption pass-key file we created at /root/mybackup_key. Without either the main password or the key-file, you won't be able to read the data on the backup disk, so make sure you always have one or the other of them.

Now I can even ship a backup to another one of my offices without worrying about what would happen if Fedex lost the package.

Posted by Tony on Feb 11, 2009 | Servers, Desktop Linux