
I have an encrypted external disk on a Linux server.

On the server, I can do this locally to decrypt: `cryptsetup -d keyfile luksOpen /dev/sdx1 /mnt/decrypted`, but I prefer to avoid doing that on the server side.

I want to access the server (via ssh/sshfs) and only decrypt the data remotely on my client machine.

To access and decrypt the data remotely, I have to

  1. mount the encrypted /dev/sdx1 locally on the server (without decrypting it!!) to /mnt/encrypted
  2. mount /mnt/encrypted via sshfs on a client machine (then use luksOpen to decrypt)

How can I do step 1 without decrypting data?

Thanks, Chris

PS: maybe I should just use an encrypted container (a file on the server's file system) and not a whole partition? This way I could mount the folder containing the encrypted container/file remotely via sshfs? (and only decrypt it on the client machine)

Paulo Tomé
tcris

2 Answers


This is impossible to achieve with your current setup.

The only "proper" way to do that is to put your LUKS volume on a Network Block Device.

You may use DRBD or iSCSI to access the block device on your server and then set up LUKS on it.

binarym
  • Thanks for the answer! What about using an encrypted LUKS container/file (not a partition), would that work across sshfs? – tcris Nov 26 '19 at 10:04
  • Something like `/srv/encrypted.img <---sshfs----> /client/encrypted.img -> /dev/loop0 -> cryptsetup luksOpen -> mount /dev/mapper/dm0 /mnt/decrypted` – tcris Nov 26 '19 at 10:28
  • Yeah, that will probably work. You can also use [`cryptmount`](http://cryptmount.sourceforge.net/), whose way of operating looks more compatible with what you want to do. Anyway, with that solution, take care of your private key, which is usually stored under /etc/ ... if it's lost, your data are too. – binarym Nov 26 '19 at 10:37
  • I can confirm now: yes, I can mount and decrypt LUKS remotely (via sshfs) if I use a LUKS container (not a LUKS partition) to hold the encrypted data. I just had to create a LUKS container (a file that internally holds the encrypted filesystem). This file is a normal file on a mounted partition, so it can be mounted remotely via sshfs and decrypted later (via loop device -> mapper device -> mount). Thanks – tcris Nov 26 '19 at 16:00

I can mount and decrypt LUKS remotely (via sshfs) if I use a LUKS container (and not a LUKS partition) to hold the encrypted data.

I just had to create a LUKS container (a file that internally holds the encrypted filesystem). This file is a normal file on a mounted partition, so it can be mounted remotely via sshfs and decrypted later (via loop device -> mapper device -> mount).

I have tested this and I can confirm it works.

tcris
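
The loop device -> mapper device -> mount chain from this answer, written out as an added example that is not part of the original thread. The host name, paths, key file location and mapper name are assumptions, and it expects to run as root on the client so that the loop device can read the file on the sshfs mount.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Host, paths and names are assumptions.
# Run as root on the client; DRY_RUN=1 prints the commands instead of running them.
REMOTE="user@server.example:/srv"   # server directory holding the container
IMAGE="encrypted.img"               # LUKS container file (ciphertext only)
SSHFS_DIR="/mnt/encrypted"          # client mount point for the sshfs share
KEYFILE="/root/keyfile"             # key file exists only on the client
MAPPER="remote_luks"                # device-mapper name for the opened volume
TARGET="/mnt/decrypted"             # client mount point for the plaintext fs

dry() { [ "${DRY_RUN:-0}" = 1 ]; }
run() { if dry; then printf '%s\n' "$*"; else "$@"; fi; }

# Attach the image to a free loop device and print that device's path.
# In dry-run mode /dev/loopN is a placeholder for the allocated device.
attach_loop() {
    if dry; then echo "/dev/loopN"; else losetup --find --show "$SSHFS_DIR/$IMAGE"; fi
}

# Print the loop device currently backed by the image (empty if none).
find_loop() {
    if dry; then echo "/dev/loopN"; else losetup -j "$SSHFS_DIR/$IMAGE" | cut -d: -f1; fi
}

open_container() {
    local loopdev
    run sshfs "$REMOTE" "$SSHFS_DIR" || return 1
    loopdev=$(attach_loop) || { run umount "$SSHFS_DIR"; return 1; }
    # Decryption happens here, on the client; the server only serves ciphertext.
    if ! run cryptsetup open --type luks --key-file "$KEYFILE" "$loopdev" "$MAPPER"; then
        run losetup -d "$loopdev"; run umount "$SSHFS_DIR"; return 1
    fi
    run mount "/dev/mapper/$MAPPER" "$TARGET"
}

# Tear down in reverse order so no mapping or loop device is left behind.
close_container() {
    local loopdev
    loopdev=$(find_loop)
    run umount "$TARGET"
    run cryptsetup close "$MAPPER"
    if [ -n "$loopdev" ]; then run losetup -d "$loopdev"; fi
    run umount "$SSHFS_DIR"
}

case "${1:-}" in
    open)  open_container ;;
    close) close_container ;;
esac
```

Call it with `open` or `close` as the first argument; closing before the SSH session drops avoids leaving a mapped device whose backing file has disappeared.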