Yes, here we are again.
Now that I have a NAS at home, it’s about time to get rid of all these single USB disks connected to my Raspberry PIs.
I have a share called nfsshare
available from my NAS (IP: 192.168.1.10). The full share path is 192.168.1.10:/volume1/nfsshare
. My NAS handles NFS version 4.
So, here what I’ve done, to setup my Banana Pro Pi with Armbian based on Debian 10 (buster).
Configure NFS client
First of all, we need to create the mount point where we’re going to access the nfs share (let’s use /nfs
) and install the packages for NFS.
mkdir /nfs
apt-get install nfs-common
Once done, a minimal tuning of idmapd.conf
, if you have defined a domain/workgroup within your network. In this example I’m using mydomain.loc
.
sed -i 's/#Domain = local.domain.edu/Domain = mydomain.loc/' /etc/idmapd.conf
Update our /etc/fstab
file, to make sure it mounts at boot, and test if all works as expected:
192.168.1.10:/volume1/nfsshare /nfs nfs4 auto,_netdev,nofail,noatime,nolock 0 0
I have used _netdev
to make sure that the system understands that this needs the network up before trying to mount, and, if something goes wrong, the boot continues (nofail
). This is very handy on systems without a proper monitor where you rely on ssh connections.
Now, with a simple mount /nfs
command, you should be able to get the share mounted. df -Th
or mount
commands are what I would you to verify.
Cool, we have now the share mounted. Issue a quick shutdown -r now
to see if all works as expected. Once your device is back online, ssh into it and check with df -Th
or mount
commands again. Hopefully, you can see your nfs share mounted to /nfs
.
Create and configure your Encrypted “space”
I have already discussed something about encrypted devices in another post. This will be a revised version of the previous post, without custom scripts, but simply using what Debian offers out of the box.
Create an empty IMG file to host our encrypted space
I have decided to create 500GB of encrypted space to store my data. To do so, I did the following:
- install the required software for encryption
- create a sparsefile (on my
/nfs
share) - encrypt it
- format it (ext4)
- setup the auto mount
apt-get install cryptsetup
dd of=/nfs/file_container.img bs=1 count=0 seek=500G
cryptsetup -y luksFormat /nfs/file_container.img
cryptsetup luksOpen /nfs/file_container.img cryptcontainer
mkfs.ext4 -L cryptarchive /dev/mapper/cryptcontainer
During the above steps, you will be asked to set a passphrase, and use it to open the IMG file. Pretty straight forward, isn’t it?
Cool. Now we have 500GB sparsefile called file_container.img
store on our share /nfs
ready to be mounted somewhere and utilised.
To make sure we can mount at boot, we need a secret key that we are going to use to decrypt the IMG file without typing any passphrase.
Let’s create this key stored under /root
(in this example). You can store wherever you want, as long as it’s accessible before the decryption start. Another good place is /boot
.
dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
chmod 0400 /root/keyfile
Now we need to add this key within the IMG file
cryptsetup luksAddKey /nfs/file_container.img /root/keyfile
Next step, is to instruct /etc/crypttab
, with the details about our encrypted file and its key.
Just add the following line at the end of /etc/crypttab
file.
cryptcontainer /nfs/file_container.img /root/keyfile luks
Now, there is a problem. Your OS needs to know that the IMG file isn’t stored locally and has a dependency on the NFS share. In fact, if the OS tries to decrypt the IMG file before mounting the NFS share, it will fail, and you might get stuck in a no-end booting, forcing sometimes to get your mini monitor for troubleshooting, a spare keyboard and anti-human positions to reach your small Pi etc etc… basically, a nightmare!
So, here a trick that seems working.
In Debian, there is a file called /etc/default/cryptdisks
Within this file, we are going to make sure that CRYPTDISKS_ENABLE
is set to yes
and CRYPTDISKS_MOUNT
is set to our NFS mount (/nfs
). In this way, the service that handles the encryption/decription will wait for /nfs
mounted before starting.
IMPORTANT: this must be a mountpoint within /etc/fstab
Here the content of my /etc/default/cryptdisks
file
# Run cryptdisks initscripts at startup? Default is Yes.
CRYPTDISKS_ENABLE=Yes
# Mountpoints to mount, before cryptsetup is invoked at initscripts. Takes
# mountpoins which are configured in /etc/fstab as arguments. Separate
# mountpoints by space.
# This is useful for keyfiles on removable media. Default is unset.
CRYPTDISKS_MOUNT="/nfs"
# Default check script. Takes effect, if the 'check' option is set in crypttab
# without a value.
CRYPTDISKS_CHECK=blkid
Amazing! Now, just the last bit: update /etc/fstab
with the reference of our device. Because now we have setup all the necessary to open the encrypted IMG file and associate it to a mountable device. But we haven’t mounted it yet!
Create the mount point:
mkdir /cryptoarchive
Update /etc/fstab,
appending this line:
/dev/mapper/cryptcontainer /cryptoarchive ext4 defaults,nofail 0 2
Again, the nofail
, as for the NFS share, to avoid the boot process to get stuck in case of errors, and allow you to ssh into the device and troubleshoot.
Now we’re ready to try a mount /cryptoarchive
, a df -Th
and mount
checks, and also a shutdown -r now
, to verify that the NFS share gets mounted and the IMG encrypted disk mounted and available too.
Happy playing! ๐