3

I'm interested in an encrypted offsite storage scheme, but I don't want to depend on the vendor for encryption. I have an idea for doing so by combining sshfs with cryptsetup/dm-crypt/LUKS, but I'd like to know if there are any obvious problems with this scheme. Essentially,

  1. Use sshfs to mount a remote drive
  2. Create a random encrypted volume via head -c 10MB /dev/urandom > volume
  3. Make a LUKS container with cryptsetup -y luksFormat ./volume
  4. Open the encrypted volume with cryptsetup luksOpen ./volume myvol
  5. Format the volume via mkfs.ext4 /dev/mapper/myvol
  6. Mount the encrypted volume mount /dev/mapper/myvol /mnt
  7. When done, unmount the encrypted volume, close it, and unmount the remote drive

After everything is set up, I'd just use steps 1, 4, 6, 7. Anyway, again, I'm just interested in some kind of offsite encrypted storage scheme where I don't have to worry if my host is snooping or not. I'm interested if there are some possible issues with the scheme that I described above using sshfs combined with cryptsetup/dm-crypt/LUKS.

wyer33

2 Answers

1

For dealing with remote drives, you're probably better off using a file-level encryption system like eCryptFS. Alternatively, if you're just looking to store backups or something similar, you can use the built-in encryption in tools like duplicity (that uses GnuPG for encryption).

Using LUKS like you've described should be fine, and is essentially creating an encrypted container, but you'll probably have suboptimal performance and it'll be more difficult if you ever want to encrypt more data than you've prepared the container for.

David
1

This is a great way to keep sensitive data on a relatively untrusted host.

I do the same with TrueCrypt (being on Windows). As long as encryption takes place on your (trusted) client computer rather than the server, you are good to go.

Don't forget to keep copies of any keys and headers that might be required to recover the volume though in case of any problems.

As @David says in his answer, encrypting at file level also works though it may leak some file name information (sorry I can't remember whether eCryptFS randomises file names) & for backups only, an encrypting backup solution would be preferred such as the mentioned duplicity or a commercial tool such as CrashPlan (which has a free to use version).

Julian Knight
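Added example, not part of either answer or of cryptsetup itself: a check that a locally kept LUKS header copy, as recommended in the answer above, still belongs to the remote container and still has the same key slots. It assumes the LUKS1 on-disk layout (592-byte header, 8 key slots); the helper names and the sample header are constructed for illustration.

```python
import struct

# LUKS1 on-disk header: 208 fixed bytes, then 8 key slots of 48 bytes (592 total).
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1(blob):
    """Parse the first 592 bytes of a LUKS1 container or header backup."""
    if len(blob) < PHDR.size + 8 * SLOT.size:
        raise ValueError("too short for a LUKS1 header")
    (magic, version, cipher, mode, _hash, _payload_offset, _key_bytes,
     mk_digest, mk_salt, _mk_iter, uuid) = PHDR.unpack_from(blob, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0")
    if version != 1:
        raise ValueError("LUKS version %d is not handled here" % version)
    slots = []
    for i in range(8):
        active, iterations, salt, km_offset, _ = SLOT.unpack_from(blob, PHDR.size + i * SLOT.size)
        slots.append((active == SLOT_ACTIVE, iterations, salt, km_offset))
    return {"cipher": _text(cipher) + "-" + _text(mode), "uuid": _text(uuid),
            "mk_digest": mk_digest, "mk_salt": mk_salt, "slots": slots}

def compare_backup(container_blob, backup_blob):
    """Classify a saved header against the header of the live container."""
    live, saved = parse_luks1(container_blob), parse_luks1(backup_blob)
    if any(live[k] != saved[k] for k in ("uuid", "mk_digest", "mk_salt")):
        return "mismatch"  # other volume or other master key: useless for recovery
    if live["slots"] != saved["slots"]:
        return "stale"  # restoring it would bring back the old passphrase slots
    return "current"

def make_header(uuid, mk_digest, slot0_salt):
    """Constructed LUKS1 header for the demo; not taken from a real volume."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                    mk_digest, b"\x11" * 32, 100000, uuid)
    hdr += SLOT.pack(SLOT_ACTIVE, 200000, slot0_salt, 8, 4000)
    for i in range(1, 8):
        hdr += SLOT.pack(SLOT_DISABLED, 0, b"\0" * 32, 8 + 512 * i, 4000)
    return hdr

if __name__ == "__main__":
    live = make_header(b"constructed-uuid-0001", b"\xaa" * 20, b"\x22" * 32)
    print(compare_backup(live, make_header(b"constructed-uuid-0001", b"\xaa" * 20, b"\x33" * 32)))
```

Against real files, pass the first 592 bytes of `./volume` and of a file written by `cryptsetup luksHeaderBackup`; LUKS2 headers use a different layout and are rejected with a `ValueError`.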