Encrypted Backup of RHEL 5 system to SMB network share

I purchased the LaCie NAS for backups of the various computers running around at home: a Mac desktop, a Mac laptop, and a Linux server. For the Macs they can just use Time Machine to backup to the NAS, which broadcasts itself as a Time Machine-capable server. For the Linux server, however, it's not so simple.

The goal for my backup is to preserve the native Linux filesystem attributes, i.e. ownership, permissions, etc. in an encrypted format. My current backup system, before the NAS, was to use rsync to copy changed files to an external FireWire hard drive formatted with a native Linux filesystem. Nothing fancy, to be sure, but it "saved the day" on more than one occassion.

The LaCie NAS only supports AFP, SMB, HTTP, and FTP protocols, however. The most logical one to use with Linux would be SMB, as the Samba project provides the necessary tools for mounting and using SMB network shares. The trouble is that a SMB share will not preserve the Linux filesystem attributes I need to preserve.

I came across a useful web page, titled Optimal remote backups with rsync over Samba, that provided me with an excellent starting point for implementing my backup process. The idea is to use a sparse disk image file stored on the NAS and mounted as a loop-back device in Linux. I just needed to add encryption, which turned out to be quite easy with the LUKS support available in RHEL 5 (the distribution the server runs).

Setup Tasks

1) Create the SMB share for the backup, with a username and password, on the NAS

This was done using the NAS's web-based administration console. I created a user for the Linux server to connect as, and created a share for that user to use.

2) Mount the SMB share on Linux server

The Linux CIFS filesystem support provided by Samba allows us to mount the NAS network share. I know that later on I'll want to configure an automount for this share, and there are automount scripts available that can make use of a credentials file with the username/password for mounting the share with. So the first step is to create a credentials file with the username and password in it, named /etc/auto.smb.server. Here server represents the IP address or DNS name of the NAS. The file should only be readable by root, and the format looks like:

username=linuxbackup
password=mypass

Here linuxbackup is the user I created on the NAS for accessing the backup share. Note there shouldn't be any spaces around the equal signs.

Now create a mount point directory, and mount the SMB share:

$ mkdir /mnt/nas-backup-share
$ mount -t cifs //server/share /mnt/nas-backup-share \
	-o lfs,credentials=/etc/auto.smb.server,uid=root,gid=wheel,\
	file_mode=0660,dir_mode=0770,rw

3) Create sparse disk image to hold backup filesystem

$ dd if=/dev/zero of=/mnt/nas-backup-share/linuxbackup.sparseimage \
    bs=1M count=1 seek=150000

4) Setup loop device

$ losetup /dev/loop0 /mnt/nas-backup-share/linuxbackup.sparseimage

5) Setup LUKS disk encryption

RHEL 5 comes with the LUKS package for whole-disk encryption. It can be used with loop-back mounted devices. First I initialize the LUKS device with luksFormat and then open it with luksOpen:

$ cryptsetup luksFormat /dev/loop0

WARNING!
========
This will overwrite data on /dev/loop0 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 
Command successful.

$ cryptsetup luksOpen /dev/loop0 luks-`cryptsetup luksUUID /dev/loop0`
Enter LUKS passphrase: 
key slot 0 unlocked.
Command successful.

Now the LUKS device is accessible like any normal block device at /dev/mapper/luks-UUID where UUID is the value returned by cryptsetup luksUUID /dev/loop0. Using this naming convention may not be friendly for using now, but later on I'll setup automount so I can refer to things with friendlier names that I can remember.

6) Create filesystem for backup image

The encrypted device is now ready to have a filesystem created on it. I created an ext3 filesystem, but any one Linux supports could be used:

$ mkfs.ext3 -L BACKUP /dev/mapper/luks-`cryptsetup luksUUID /dev/loop0`
mke2fs 1.39 (29-May-2006)
Filesystem label=BACKUP
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
19202048 inodes, 38400127 blocks
1920006 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=0
1172 block groups
32768 blocks per group, 32768 fragments per group
16384 inodes per group
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
	4096000, 7962624, 11239424, 20480000, 23887872

Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 35 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

7) Create strong random password for LUKS volume

I can increase the strength of the password used to unlock the LUKS volume by creating a random one and removing the original one I setup. To create the random password, I can use dd again:

$ dd if=/dev/urandom of=/etc/linuxbackup.key bs=256 count=1
1+0 records in
1+0 records out
256 bytes (256 B) copied, 0.00018131 seconds, 176 kB/s
$ chmod 600 /etc/linuxbackup.key

This creates a 256-bit key stored in the /etc/linuxbackup.key file that can be used to open the LUKS volume. Now I can add this as a strong password to LUKS, by supplying the original weak password first:

$ cryptsetup luksAddKey /dev/loop0 /etc/linuxbackup.key 
Enter any LUKS passphrase: 
Verify passphrase: 
key slot 0 unlocked.
Command successful.

Now I can remove the original weak password:

$ cryptsetup luksDelKey /dev/loop0 0
Command successful.

8) Mount filesystem

Finally I can mount the LUKS encrypted device like a normal filesystem:

$ mkdir /mnt/linuxbackup
$ mount -t ext3 /dev/mapper/luks-`cryptsetup luksUUID /dev/loop0` \
    /mnt/linuxbackup -o defaults,noatime,nodiratime

I can use df to verify that the filesystem is alive and well:

$ df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/luks-259b10cd-d2f1-41a4-bf95-a533ac0c927c
                      145G  188M  137G   1% /mnt/linuxbackup

Ready for backup

Now that the encrypted device is mounted, I can use it for backups, using my normal rsync-based backup script.

Unmounting the encrypted filesystem

In order to completely umount the encrypted filesystem, I have to unmount it, close it with LUKS, detach the loop-back device, and finally unmount the NAS SMB share:

$ umount /mnt/linuxbackup
$ cryptsetup luksClose luks-`cryptsetup luksUUID /dev/loop0`
$ losetup -d /dev/loop0
$ umount /mnt/nas-backup-share

Automation tasks

This was a good first step. Now the next goals are to automate the mounting of the encrypted filesystem with automount and to get the NAS to "sleep" when not in use to conserve power. I'll details those in a future post.

By msqr, 15 Jul 2009 at 17:34 | | Comments (0)
Category: Tech Tags:

Leave a comment


This blog is licensed under a Creative Commons License.