Here we will install
The disk decryption key can be provided in two ways: fetched over HTTP from another host (a Raspberry Pi in the example below) or read from a file stored locally on the NAS. Both variants end up as the same key.sh wrapper, so the LUKS and systemd setup that follows is identical.
Set up LUKS to encrypt the disk
mkdir /etc/luks
chmod 777 /etc/luks
cd /etc/luks
Generate the key to be used for the encryption (32 random bytes, stored base64-encoded)
dd bs=32 count=1 if=/dev/random | base64 > keyfile
chmod 777 keyfile
Take this path if you want to store the keyfile on another host instead of on the NAS.
I assume a Raspberry Pi with IP 192.168.1.100. SSH into the Raspberry Pi and run the following
sudo apt update
sudo apt install apache2 -y
Then go back to the NAS and copy the file (I assume the default login for the Raspberry Pi: pi)
cd /etc/luks
scp keyfile pi@192.168.1.100:/var/www/html
Then log in to the Raspberry Pi and change the permissions
sudo chmod 555 /var/www/html/keyfile
Go back to the NAS and create a new file
**/etc/luks/key.sh** (remote keyfile variant)
#!/bin/sh
set -e
# Request the file, then pipe it through base64 -d to decode it.
# -f makes curl exit non-zero on an HTTP error instead of passing the error page to base64.
curl -fsS "http://192.168.1.100/keyfile" | base64 -d
Then make key.sh executable and remove the local copy of the keyfile (it is now served by the Raspberry Pi)
chmod 777 /etc/luks/key.sh
rm keyfile
If you keep the keyfile on the NAS instead, create this file
**/etc/luks/key.sh** (local keyfile variant)
#!/bin/sh
set -e
# Read the file and decode it from base64
base64 -d /etc/luks/keyfile
And ensure that key.sh is executable
chmod 777 /etc/luks/key.sh
Ensure the owner of this file is "root"
chown root:root /etc/luks/key.sh
Allow only the owner (root) to read and execute the script
chmod 0500 /etc/luks/key.sh
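As an added example (not the page's own key.sh), here is one unlock script that covers both variants above: it reads the base64 keyfile locally if present, otherwise fetches it from the Raspberry Pi web server, and only passes the decoded key on to cryptsetup if it is exactly the expected size. A 404 page, a truncated download or a corrupted file therefore produces no key at all, and the cryptsetup on the other end of the pipe fails closed rather than opening nothing or, worse, formatting with the wrong key. The KEY_FILE, KEY_URL and KEY_LEN settings and the curl --max-time are my assumptions; install it with the same chown root:root and chmod 0500 as above.

```shell
#!/bin/sh
# Added example, not the page's own key.sh: one unlock script that covers both
# variants (local keyfile, or keyfile fetched from the Raspberry Pi). The
# decoded key is only written to stdout if it has the expected size, so any
# failure leaves cryptsetup with no key and it fails closed.
set -eu

# Assumed settings (override through the environment if yours differ).
# The page generates the key with `dd bs=32 count=1`, so a good decode is 32 bytes.
KEY_FILE="${KEY_FILE:-/etc/luks/keyfile}"            # local variant
KEY_URL="${KEY_URL:-http://192.168.1.100/keyfile}"   # remote variant
KEY_LEN="${KEY_LEN:-32}"

# Emit the base64 text of the key: local file first, HTTP otherwise.
# `curl -f` turns an HTTP error (e.g. 404) into a non-zero exit instead of
# letting the error page flow into base64 -d.
fetch_key_b64() {
    if [ -r "$KEY_FILE" ]; then
        cat "$KEY_FILE"
    else
        curl -fsS --max-time 10 "$KEY_URL"
    fi
}

# Decode base64 from stdin, check the size, then write the raw key to stdout.
# The key is arbitrary bytes (possibly NUL), so it goes through a mode-0600
# temp file created by mktemp rather than a shell variable.
decode_key() {
    tmp=$(mktemp)
    if ! base64 -d > "$tmp" 2>/dev/null; then
        echo "key.sh: keyfile is not valid base64" >&2
        rm -f "$tmp"
        return 1
    fi
    size=$(wc -c < "$tmp" | tr -d ' ')
    if [ "$size" -ne "$KEY_LEN" ]; then
        echo "key.sh: decoded key is $size bytes, expected $KEY_LEN" >&2
        rm -f "$tmp"
        return 1
    fi
    cat "$tmp"
    rm -f "$tmp"
}

# Entry point, run only when the script is executed as key.sh, so that the
# functions above can also be sourced and exercised on their own.
case "${0##*/}" in
    key.sh) fetch_key_b64 | decode_key ;;
esac
```

Used exactly like the page's version (`/etc/luks/key.sh | cryptsetup -d - ... luksOpen ...`), with the difference that a bad or missing keyfile now ends in an error message on stderr and a non-zero exit instead of a silent wrong key.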
Check the name of the disk you want to use, using lsblk
lsblk
> sdb 8:16 0 465.8G 0 disk
Run fdisk. I assume the new disk is /dev/sdb
fdisk /dev/sdb
Print the current partition table, then create a new partition; press Enter at the prompts to accept the defaults (primary partition, number 1, first sector)
(fdisk)p
(fdisk)n
(fdisk)
Set the partition size in GB (here the whole disk)
(fdisk)+465G
Confirm the changes
(fdisk)w
Then set up the new partition as ext4
mkfs.ext4 -F /dev/sdb1
Mount the new partition to check it (unmount it again with umount /mnt/data before the luksFormat step below; cryptsetup refuses to format a device that is in use)
mount -t auto -v /dev/sdb1 /mnt/data
Check the name of the partition just added, using lsblk
lsblk
> sdb 8:16 0 465.8G 0 disk
> └─sdb1 8:17 0 465.8G 0 part
Encrypt the partition with the key produced by key.sh
/etc/luks/key.sh | cryptsetup -d - -v luksFormat /dev/sdb1
Open the LUKS volume, create the ext4 filesystem inside it, then close it again
/etc/luks/key.sh | cryptsetup -d - -v luksOpen /dev/sdb1 data
mkfs.ext4 -F /dev/mapper/data
cryptsetup -v luksClose data
To have the volume unlocked and mounted at boot, first get the UUID of the /dev/sdb1 partition
lsblk --fs
> sdb
> └─sdb1 crypto_LUKS b27c3dd0-9799-4b23-bc84-1755dee0f0a2
Create a new service to open the data volume
**/etc/systemd/system/unlock-data.service**
[Unit]
Description=Open encrypted data volume
After=network-online.target
Wants=network-online.target
StopWhenUnneeded=true

[Service]
Type=oneshot
ExecStart=/bin/sh -c '/etc/luks/key.sh | /sbin/cryptsetup -d - -v luksOpen /dev/disk/by-uuid/b27c3dd0-9799-4b23-bc84-1755dee0f0a2 data'
RemainAfterExit=true
ExecStop=/sbin/cryptsetup -d - -v luksClose data
And another one to mount the device
**/etc/systemd/system/mnt-data.mount**
[Unit]
Requires=unlock-data.service
After=unlock-data.service

[Mount]
What=/dev/mapper/data
Where=/mnt/data
Type=ext4
Options=defaults,noatime,_netdev

[Install]
WantedBy=multi-user.target
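The two units above carry two values that are easy to get wrong by hand: the partition UUID pasted into ExecStart, and the mount unit's file name, which systemd requires to be the escaped mount path (/mnt/data becomes mnt-data.mount; a mismatch makes the unit fail to load). As an added example, not part of the original page, the script below picks the UUID out of `lsblk --fs` output and renders both unit files from it. The unit contents mirror the page; the helper names and the awk parsing are my own.

```shell
#!/bin/sh
# Added example, not from the original page: derive the LUKS partition UUID
# from `lsblk --fs` text and render the unlock service and mount unit shown
# above from it, so neither the UUID nor the unit name is typed by hand.
set -eu

# Print the UUID of the crypto_LUKS line whose device name is $1 (e.g. sdb1),
# reading `lsblk --fs` text from stdin. Prints nothing if there is no such line.
# lsblk prefixes child devices with tree glyphs ("└─sdb1"), hence the regex.
luks_uuid_from_lsblk() {
    awk -v p="$1" '
        $0 ~ /crypto_LUKS/ && ($1 == p || $1 ~ ("[^A-Za-z0-9]" p "$")) {
            for (i = 2; i <= NF; i++)
                if (length($i) == 36 && $i ~ /^[0-9a-f-]+$/) { print $i; exit }
        }'
}

# systemd requires a mount unit's file name to be the escaped mount path:
# /mnt/data -> mnt-data.mount. This handles plain paths (letters, digits,
# slashes); for anything else use `systemd-escape -p --suffix=mount PATH`.
mount_unit_name() {
    path=${1#/}
    path=${path%/}
    printf '%s.mount\n' "$(printf '%s' "$path" | tr '/' '-')"
}

# Render the unlock service for UUID $1 and mapper name $2.
render_unlock_unit() {
    cat <<EOF
[Unit]
Description=Open encrypted $2 volume
After=network-online.target
Wants=network-online.target
StopWhenUnneeded=true

[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/bin/sh -c '/etc/luks/key.sh | /sbin/cryptsetup -d - -v luksOpen /dev/disk/by-uuid/$1 $2'
ExecStop=/sbin/cryptsetup -v luksClose $2
EOF
}

# Render the mount unit for mapper name $1 at mount point $2.
# _netdev keeps the mount out of the early local-fs stage, which matters
# when the key is fetched over the network.
render_mount_unit() {
    cat <<EOF
[Unit]
Requires=unlock-$1.service
After=unlock-$1.service

[Mount]
What=/dev/mapper/$1
Where=$2
Type=ext4
Options=defaults,noatime,_netdev

[Install]
WantedBy=multi-user.target
EOF
}

# Usage on the real box (shown as comments so this file does not write to /etc):
#   uuid=$(lsblk --fs | luks_uuid_from_lsblk sdb1)
#   render_unlock_unit "$uuid" data > /etc/systemd/system/unlock-data.service
#   render_mount_unit data /mnt/data > "/etc/systemd/system/$(mount_unit_name /mnt/data)"
#   systemctl daemon-reload
```

After `systemctl start mnt-data.mount`, `cryptsetup status data` and `findmnt /mnt/data` confirm that the mapping is open and the filesystem is mounted. If you would rather not parse lsblk text at all, `cryptsetup luksUUID /dev/sdb1` prints the same UUID directly.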
Enable the mount unit, start it, and verify that it is enabled
systemctl enable mnt-data.mount
systemctl start mnt-data.mount
systemctl is-enabled mnt-data.mount
To unlock and mount the disk manually
systemctl start mnt-data.mount
And to unmount it and close the LUKS volume again
systemctl stop mnt-data.mount