0

I have an encrypted external disk on a Linux server.

On the server, I can do this locally to decrypt: cryptsetup -d keyfile luksOpen /dev/sdx1 /mnt/decrypted, but I prefer to avoid doing that on the server side.

I want to access the server (via ssh/sshfs) and only decrypt the data remotely on my client machine.

To access and decrypt the data remotely, I have to

  1. mount the encrypted /dev/sdx1 locally on the server (without decrypting it!!) to /mnt/encrypted
  2. mount /mnt/encrypted via sshfs on a client machine (then use luksOpen to decrypt)

How can I do step 1 without decrypting data?

Thanks, Chris

PS: maybe I should just use an encrypted container (a file on the server's file system) and not a whole partition? This way I could mount the folder containing the encrypted container/file remotely via sshfs (and only decrypt it on the client machine)?

Paulo Tomé
  • 3,782
tcris
  • 111

2 Answers

1

This is impossible to achieve with your current setup.

The only "proper" way to do that is to put your LUKS volume on a Network Block Device.

You may use drbd or iscsi to access the block device on your server and then set up LUKS on it.

binarym
  • 2,649
  • Thanks for the answer! What about using an encrypted LUKS container/file (not a partition), would that work across sshfs? – tcris Nov 26 '19 at 10:04
  • something like

    /srv/encrypted.img <---sshfs----> /client/encrypted.img -> /dev/loop0 -> cryptsetup luksOpen -> mount /dev/mapper/dm0 /mnt/decrypted

    – tcris Nov 26 '19 at 10:28
  • Yeah, that will probably work. You can also use cryptmount, whose way of operation looks more compatible with what you want to do. Anyway, with that solution, take care of your private key, which is usually stored under /etc/ ... if it's lost, your data are too. – binarym Nov 26 '19 at 10:37
  • I can confirm now: yes, I can mount and decrypt LUKS remotely (via sshfs) if I use a LUKS container (not a LUKS partition) to hold the encrypted data.

    I just had to create a LUKS container (a file that internally holds the encrypted filesystem). This file is a normal file on a mounted partition, so it can be mounted remotely via sshfs and decrypted later (via loop device -> mapper device -> mount). Thanks

    – tcris Nov 26 '19 at 16:00
1

I can mount and decrypt LUKS remotely (via sshfs) if I use a LUKS container (and not a LUKS partition) to hold the encrypted data.

I just had to create a LUKS container (a file that internally holds the encrypted filesystem). This file is a normal file on a mounted partition, so it can be mounted remotely via sshfs and decrypted later (via loop device -> mapper device -> mount).

I have tested this and I can confirm it works.

tcris
  • 111
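
The sshfs -> loop device -> mapper device -> mount sequence from this answer, written out as client-side shell functions. This is an added example, not part of the original post; the host name, the /srv directory, the key file path and the remote_luks mapping name are assumptions, and with the default DRY_RUN=1 the functions only print the commands they would run.

```shell
#!/bin/sh
# Added example: open and close a LUKS container file over sshfs from the client.
# Host, paths and the mapping name are assumptions, not values from the post.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 runs them (needs root).
DRY_RUN="${DRY_RUN:-1}"
MAP_NAME="${MAP_NAME:-remote_luks}"       # hypothetical /dev/mapper name
SSHFS_MNT="${SSHFS_MNT:-/mnt/encrypted}"  # server directory as seen on the client
PLAIN_MNT="${PLAIN_MNT:-/mnt/decrypted}"  # decrypted filesystem on the client

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# open_remote_luks USER@HOST REMOTE_DIR IMAGE_NAME KEYFILE
open_remote_luks() {
    [ $# -eq 4 ] || { echo "usage: open_remote_luks user@host dir image keyfile" >&2; return 2; }
    remote=$1; dir=$2; img="$SSHFS_MNT/$3"; key=$4
    run mkdir -p "$SSHFS_MNT" "$PLAIN_MNT" || return 1
    # The server only serves the ciphertext file; the key file stays on the client.
    run sshfs "$remote:$dir" "$SSHFS_MNT" || return 1
    loop=/dev/loopN                       # placeholder shown in dry-run output
    if [ "$DRY_RUN" = 1 ]; then
        run losetup --find --show "$img"
    else
        loop=$(losetup --find --show "$img") || return 1
    fi
    run cryptsetup --key-file "$key" luksOpen "$loop" "$MAP_NAME" || return 1
    run mount "/dev/mapper/$MAP_NAME" "$PLAIN_MNT"
}

# close_remote_luks IMAGE_NAME  (tears down in the reverse order of opening)
close_remote_luks() {
    [ $# -eq 1 ] || { echo "usage: close_remote_luks image" >&2; return 2; }
    img="$SSHFS_MNT/$1"
    run umount "$PLAIN_MNT" || return 1
    run cryptsetup luksClose "$MAP_NAME" || return 1
    loop=/dev/loopN
    # Look up which loop device is backed by the image file.
    [ "$DRY_RUN" = 1 ] || loop=$(losetup -j "$img" | cut -d: -f1)
    run losetup -d "$loop" || return 1
    run fusermount -u "$SSHFS_MNT"
}
```

Only one client should have the container open at a time: neither LUKS nor the filesystem inside it coordinates two writers on the same image file.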