Yes, here we are again.
Now that I have a NAS at home, it’s about time to get rid of all these single USB disks connected to my Raspberry PIs.
I have a share called nfsshare available from my NAS (IP: 192.168.1.10). The full share path is 192.168.1.10:/volume1/nfsshare. My NAS handles NFS version 4.
So, here is what I’ve done to set up my Banana Pro Pi with Armbian based on Debian 10 (buster).
Configure NFS client
First of all, we need to create the mount point where we’re going to access the NFS share (let’s use /nfs) and install the packages for NFS.
apt-get install nfs-common
Once done, a minimal tuning of idmapd.conf is needed, if you have defined a domain/workgroup within your network. In this example I’m using mydomain.loc:
sed -i 's/#Domain = local.domain.edu/Domain = mydomain.loc/' /etc/idmapd.conf
Next, add the share to the /etc/fstab file, to make sure it mounts at boot, and test if all works as expected:
192.168.1.10:/volume1/nfsshare /nfs nfs4 auto,_netdev,nofail,noatime,nolock 0 0
I have used _netdev to make sure that the system understands that this needs the network up before trying to mount, and, if something goes wrong, the boot continues (nofail). This is very handy on systems without a proper monitor where you rely on ssh connections.
Now, with a simple mount /nfs command, you should be able to get the share mounted. The df -Th or mount commands are what I would use to verify.
Cool, we now have the share mounted. Issue a quick shutdown -r now to see if all works as expected. Once your device is back online, ssh into it and check with the df -Th or mount commands again. Hopefully, you can see your NFS share mounted to /nfs.
Create and configure your Encrypted “space”
I have already discussed something about encrypted devices in another post. This will be a revised version of the previous post, without custom scripts, but simply using what Debian offers out of the box.
Create an empty IMG file to host our encrypted space
I have decided to create 500GB of encrypted space to store my data. To do so, I did the following:
- install the required software for encryption
- create a sparsefile (on my
- encrypt it
- format it (ext4)
- setup the auto mount
apt-get install cryptsetup
dd of=/nfs/file_container.img bs=1 count=0 seek=500G
cryptsetup -y luksFormat /nfs/file_container.img
cryptsetup luksOpen /nfs/file_container.img cryptcontainer
mkfs.ext4 -L cryptarchive /dev/mapper/cryptcontainer
During the above steps, you will be asked to set a passphrase, and to use it to open the IMG file. Pretty straightforward, isn’t it?
Cool. Now we have a 500GB sparse file called file_container.img stored on our share /nfs, ready to be mounted somewhere and utilised.
To make sure we can mount at boot, we need a secret key that we are going to use to decrypt the IMG file without typing any passphrase.
Let’s create this key stored under /root (in this example). You can store it wherever you want, as long as it’s accessible before the decryption starts. Another good place is
dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
chmod 0400 /root/keyfile
Now we need to add this key to the IMG file:
cryptsetup luksAddKey /nfs/file_container.img /root/keyfile
The next step is to fill in /etc/crypttab with the details about our encrypted file and its key.
Just add the following line at the end of /etc/crypttab:
cryptcontainer /nfs/file_container.img /root/keyfile luks
Now, there is a problem. Your OS needs to know that the IMG file isn’t stored locally and has a dependency on the NFS share. In fact, if the OS tries to decrypt the IMG file before mounting the NFS share, it will fail, and you might get stuck in an endless boot, sometimes forcing you to fetch your mini monitor and a spare keyboard for troubleshooting, and to twist into inhuman positions to reach your small Pi, etc. Basically, a nightmare!
So, here is a trick that seems to work.
In Debian, there is a file called
Within this file, we are going to make sure that
CRYPTDISKS_ENABLE is set to
CRYPTDISKS_MOUNT is set to our NFS mount (/nfs). In this way, the service that handles the encryption/decryption will wait for /nfs to be mounted before starting.
IMPORTANT: this must be a mountpoint within
Here the content of my
# Run cryptdisks initscripts at startup? Default is Yes.
# Mountpoints to mount, before cryptsetup is invoked at initscripts. Takes
# mountpoins which are configured in /etc/fstab as arguments. Separate
# mountpoints by space.
# This is useful for keyfiles on removable media. Default is unset.
# Default check script. Takes effect, if the 'check' option is set in crypttab
# without a value.
Amazing! Now, just the last bit: update /etc/fstab with the reference to our device. We have now set up everything necessary to open the encrypted IMG file and associate it with a mountable device, but we haven’t mounted it yet!
Create the mount point:
Then update /etc/fstab, appending this line:
/dev/mapper/cryptcontainer /cryptoarchive ext4 defaults,nofail 0 2
I have used nofail, as for the NFS share, to keep the boot process from getting stuck in case of errors, and to allow you to ssh into the device and troubleshoot.
Now we’re ready to try a mount /cryptoarchive, the df -Th and mount checks, and also a shutdown -r now, to verify that the NFS share gets mounted and the encrypted IMG disk is mounted and available too.
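Before that reboot on a headless Pi, the whole chain can be checked statically. The script below is an added example, not part of the original post: it reads crypttab, fstab and the file holding CRYPTDISKS_MOUNT (on Debian this is /etc/default/cryptdisks) and confirms that the container lives under the NFS mount point, that the fstab entries carry _netdev/nofail, and that the keyfile is not readable by group or other. The function names and the five-argument calling convention are made up for this example.

```sh
#!/bin/sh
# Added example: static check of the NFS -> LUKS -> ext4 boot chain.
# All file paths are arguments, so it can be tried on copies first.

# field FILE KEY N COL: print field N of the first non-comment line whose field COL equals KEY.
field() {
    awk -v k="$2" -v f="$3" -v c="$4" \
        '$0 !~ /^[[:space:]]*#/ && $c == k { print $f; exit }' "$1"
}

# Succeed if comma-separated option list $1 contains option $2.
has_opt() { case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac; }

# Keyfile must exist and grant nothing to group/other (the post uses 0400).
check_keyfile() {
    [ -f "$1" ] || { echo "keyfile $1 missing"; return 1; }
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "keyfile $1 is accessible by group/other"; return 1; }
}

# check_boot_chain CRYPTTAB FSTAB DEFAULTS MAPPING NFS_MOUNTPOINT
check_boot_chain() {
    src=$(field "$1" "$4" 2 1); key=$(field "$1" "$4" 3 1)
    [ -n "$src" ] || { echo "no crypttab entry for $4"; return 1; }
    case "$src" in "$5"/*) ;; *) echo "$src is not under $5"; return 1 ;; esac
    nfs_opts=$(field "$2" "$5" 4 2)
    for o in _netdev nofail; do
        has_opt "$nfs_opts" "$o" || { echo "$5 lacks $o in fstab"; return 1; }
    done
    has_opt "$(field "$2" "/dev/mapper/$4" 4 1)" nofail ||
        { echo "/dev/mapper/$4 lacks nofail in fstab"; return 1; }
    # Read CRYPTDISKS_MOUNT without sourcing (executing) the defaults file.
    mounts=$(sed -n 's/^CRYPTDISKS_MOUNT="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$3")
    case " $mounts " in *" $5 "*) ;;
        *) echo "CRYPTDISKS_MOUNT does not list $5"; return 1 ;; esac
    check_keyfile "$key"
}

# Usage: sh check.sh /etc/crypttab /etc/fstab /etc/default/cryptdisks cryptcontainer /nfs
if [ "$#" -eq 5 ]; then
    check_boot_chain "$@" && echo "boot chain OK"
fi
```

The check covers boot ordering and keyfile permissions only. A keyfile kept on the Pi’s unencrypted root filesystem protects the data as stored on the NAS and as it crosses the network over NFS, not against someone who holds the Pi’s own storage.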
Happy playing! 😉