Remote encrypted backup with iSCSI and LUKS2

The idea here is to have a LUKS2 encrypted volume stored on a remote server that allows authenticated clients to load and decrypt it without letting the server know what data are being written, read and stored.

.:. Server A.K.A. Target
Install the required packages:

su -c "yum install targetcli && systemctl start target && systemctl enable target"

Target configuration is done via the command line utility targetcli.
Select a device or a file as backstore:

sudo targetcli

/> /backstores/fileio create file1 /tmp/disk1.img 2000GB write_back=false

Create an iSCSI target:

/> iscsi/
/iscsi> create

Configure a LUN:

/iscsi/iqn.20...mple:444/tpg1> luns/ create /backstores/fileio/file1

Add some ACLs, to get the server FQDN use:

sudo iscsiadm -m discovery -t st -p 127.0.0.1
/iscsi/iqn.20...mple:444/tpg1> acls/
/iscsi/iqn.20...444/tpg1/acls> create <FQDN>

Disable authentication and set a user/password for CHAP auth:

/iscsi/iqn.20...mple:444/tpg1 set attribute authentication=0
/iscsi/iqn.20...mple:444/tpg1/acls/iqn.20...mple:444/ set auth userid=<USER> password=<PASSWORD>
exit

Restart the service:

sudo systemctl restart target

.:. Client A.K.A. Initiator
Install the required packages:

sudo dnf install -y iscsi-initiator-utils

Edit iSCSI configuration file to instruct the initiator to use CHAP authentication, uncomment or add the following lines:

node.session.auth.authmethod = CHAP
# As USER and PASSWORD use the ones you created on the Target machine when defining the iSCSI LUN
node.session.auth.username = <USER>
node.session.auth.password = <PASSWORD>

Discover and load the iSCSI target:

sudo iscsiadm -m discovery -t sendtargets -p <TARGET-IP-ADDRESS>
sudo iscsiadm -m discovery -P1
sudo systemctl restart iscsid
sudo iscsiadm -m node -T <FQDN displayed using the discovery command> -l

Now that the iSCSI target is loaded we can mount it, but first we need to identify its device name (in this case it is /dev/sdf):

lsblk --scsi
NAME HCTL       TYPE VENDOR   MODEL             REV TRAN
sda  1:0:0:0    disk ATA      AAA              BBB  sata
sdb  4:0:0:0    disk ATA      AAA              BBB  sata
sdc  5:0:0:0    disk ATA      AAA              BBB  sata
sdd  6:0:0:0    disk ATA      AAA              BBB  sata
sde  7:0:0:0    disk ATA      AAA              BBB  sata
sdf  10:0:0:0   disk LIO-ORG  backup           4.0  iscsi

The iSCSI target behaves like a physical hard drive, we can partion it, format it, mount it, etc as usual.
In this particular case we want to create a LUKS2 encrypted volume, to do so run:

sudo cryptsetup luksFormat -M luks2 --pbkdf argon2id -i 5000 /dev/sdf
sudo cryptsetup luksOpen /dev/sdf <luks_volume_name>
sudo mkfs.xfs /dev/mapper/<luks_volume_name>
sudo mount /dev/mapper/<luks_volume_name> /mountpoint

To unmount the encrypted LUKS2 iSCSI target run:

sudo sync
sudo umount /mnt/backup
sudo cryptsetup luksClose /dev/mapper/backup
sudo iscsiadm -m node -T <FQDN displayed using the discovery command> -u

.:. Target iptables configuration
Instruct iptables to allow TCP traffic on port 3260.

systemctl stop iptables

Add the following rule and restart iptables.

-A INPUT -p tcp -m state --state NEW -m tcp --dport 3260 -j ACCEPT
systemctl start iptables

.:. Links
[0] https://uwot.eu/blog/luks2-the-right-way-argon2/
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/online-storage-management#osm-target-setup
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/osm-create-iscsi-initiator
[3] https://www.lisenet.com/2016/iscsi-target-and-initiator-configuration-on-rhel-7/

mafio
look at the "About me" page.

Leave a Comment

Your email address will not be published. Required fields are marked *