LUKS encrypted TGT ISCSI target and initiator
After the CentOS fiasco (good job Redhat/IBM) and since we are more or less in
lockdown I decided to invest a couple of days to migrate my home infra from
CentOS 7 to Debian 10.
One of my physical machines, which was also CentOS 7 based, is used as an
iSCSI target.
Debian 10 - Server A.K.A. Target
Install the required packages:
$ sudo apt-get install tgt dkms
Create a backing store for the LUN, here a 1 GiB sparse file (count=0 together with seek=1G allocates no blocks up front):
$ dd if=/dev/zero of=/mnt/data/volume1 count=0 bs=1 seek=1G
Create a target configuration file:
$ sudo vi /etc/tgt/conf.d/volume1.conf
---
# naming rule : [ iqn.(year)-(month).(reverse of domain name):(any name you like) ]
<target iqn.2020-12.localdomain.target:backup>
# the file created above, exported as an iSCSI LUN
backing-store /mnt/data/volume1
# iSCSI initiator IQN that is allowed to connect to this target
initiator-name iqn.2020-12.localdomain.initiator
# CHAP authentication info (pick any "username" and "password"); once uncommented, tgt requires CHAP from the initiator
#incominguser username password
# disable write cache
write-cache off
</target>
Restart the service:
$ sudo systemctl restart tgt
Check target configuration with the following command:
$ sudo tgtadm --mode target --op show
Fedora 33 - Client A.K.A. Initiator
Install the required packages:
$ sudo dnf install -y iscsi-initiator-utils
START: FOR SOME REASON THIS DOESN’T WORK
Edit the iSCSI configuration file to instruct the initiator to use CHAP authentication.
$ sudo vi /etc/iscsi/initiatorname.iscsi
---
node.session.auth.authmethod = CHAP
# As USER and PASSWORD use the ones you created on the Target machine when defining the iSCSI LUN
node.session.auth.username = <USER>
node.session.auth.password = <PASSWORD>
END: FOR SOME REASON THIS DOESN’T WORK
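Two details in the configuration above keep CHAP from being negotiated: open-iscsi reads the node.session.auth.* keys from /etc/iscsi/iscsid.conf (or per-node records under /etc/iscsi/nodes), while /etc/iscsi/initiatorname.iscsi carries only the InitiatorName= line, and the target definition still has its incominguser line commented out, so tgt never asks for CHAP. The script below is an added example, not part of the original post or of tgt/open-iscsi: a pre-flight check that reads the three files, confirms the target's initiator-name matches the initiator's IQN, and confirms CHAP is enabled on both sides with the same username (or on neither). The function names, the sample file contents and the placeholder password are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight consistency check
# between the tgt target definition and the open-iscsi initiator files, run
# before attempting a login. File paths are arguments, so it works both on the
# real files (/etc/tgt/conf.d/volume1.conf, /etc/iscsi/initiatorname.iscsi,
# /etc/iscsi/iscsid.conf) and on the constructed samples written below.

# Value of an uncommented tgt directive ("initiator-name", "incominguser", ...).
# For incominguser this is the CHAP username (first word after the directive).
tgt_directive() {  # $1 = tgt conf, $2 = directive
    awk -v k="$2" '/^[ \t]*#/ { next } $1 == k { print $2; exit }' "$1"
}

# Value of a "key = value" (or "key=value") setting, ignoring comment lines.
iscsid_setting() {  # $1 = iscsid.conf or initiatorname.iscsi, $2 = key
    awk -F'=' -v k="$2" '/^[ \t]*#/ { next }
        { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
        $1 == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

# Returns 0 when target and initiator agree on the initiator IQN and on CHAP
# (enabled on both sides with the same username, or enabled on neither).
check_iscsi_auth() {  # $1 = tgt conf, $2 = initiatorname.iscsi, $3 = iscsid.conf
    rc=0
    allowed=$(tgt_directive "$1" initiator-name)
    actual=$(iscsid_setting "$2" InitiatorName)
    if [ -n "$allowed" ] && [ "$allowed" != "$actual" ]; then
        echo "IQN mismatch: target allows '$allowed', initiator is '$actual'" >&2
        rc=1
    fi
    chap_user=$(tgt_directive "$1" incominguser)
    method=$(iscsid_setting "$3" node.session.auth.authmethod)
    user=$(iscsid_setting "$3" node.session.auth.username)
    if [ -n "$chap_user" ]; then
        if [ "$method" != "CHAP" ] || [ "$user" != "$chap_user" ]; then
            echo "target requires CHAP user '$chap_user', initiator has authmethod='$method' username='$user'" >&2
            rc=1
        fi
    elif [ "$method" = "CHAP" ]; then
        echo "initiator asks for CHAP but the target has no active incominguser line" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample files (not copied from any real host). "$2" is "broken"
# (incominguser still commented out, as in the post's target config) or
# "fixed" (CHAP enabled on both sides). The password is a placeholder.
write_samples() {  # $1 = directory, $2 = broken|fixed
    prefix='#'
    if [ "$2" = fixed ]; then prefix=''; fi
    cat > "$1/volume1.conf" <<EOF
<target iqn.2020-12.localdomain.target:backup>
    backing-store /mnt/data/volume1
    initiator-name iqn.2020-12.localdomain.initiator
    ${prefix}incominguser backupuser CHANGE-ME-chap-secret
    write-cache off
</target>
EOF
    echo 'InitiatorName=iqn.2020-12.localdomain.initiator' > "$1/initiatorname.iscsi"
    cat > "$1/iscsid.conf" <<EOF
node.session.auth.authmethod = CHAP
node.session.auth.username = backupuser
node.session.auth.password = CHANGE-ME-chap-secret
EOF
}

# Demonstration on the constructed samples: the "broken" set mirrors the
# post (initiator set to CHAP, target never asking for it).
tmp=$(mktemp -d)
for variant in broken fixed; do
    write_samples "$tmp" "$variant"
    if check_iscsi_auth "$tmp/volume1.conf" "$tmp/initiatorname.iscsi" "$tmp/iscsid.conf"; then
        echo "$variant: target and initiator agree"
    else
        echo "$variant: mismatch detected"
    fi
done
rm -rf "$tmp"
```

On the real hosts, run check_iscsi_auth with the three system paths (the target file lives on the Debian box and the two initiator files on the Fedora box, so copy one side over or run the check where both are visible). A non-zero exit before the iscsiadm login saves a round of reading iscsid logs for a "login failed" that is really a configuration mismatch.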
Discover and load the iSCSI target:
$ sudo iscsiadm -m discovery -t sendtargets -p <TARGET-IP-ADDRESS>
$ sudo iscsiadm -m discovery -P1
$ sudo systemctl restart iscsid
$ sudo iscsiadm -m node -T <target IQN displayed by the discovery command> -l
Now that the iSCSI target is loaded we can mount it, but first we need to identify its device name (in this case it is /dev/sdf):
$ lsblk --scsi
NAME HCTL     TYPE VENDOR  MODEL   REV TRAN
sda  1:0:0:0  disk ATA     AAA     BBB sata
sdb  4:0:0:0  disk ATA     AAA     BBB sata
sdc  5:0:0:0  disk ATA     AAA     BBB sata
sdd  6:0:0:0  disk ATA     AAA     BBB sata
sde  7:0:0:0  disk ATA     AAA     BBB sata
sdf  10:0:0:0 disk LIO-ORG volume1 4.0 iscsi
The iSCSI target behaves like a physical hard drive: we can partition it,
format it, mount it, etc. as usual.
In this particular case we want to create a LUKS2 encrypted volume (argon2id as
the PBKDF, with -i 5000 asking for about 5 seconds of key derivation); to do so
run:
$ sudo cryptsetup luksFormat -M luks2 --pbkdf argon2id -i 5000 /dev/sdf
$ sudo cryptsetup luksOpen /dev/sdf <luks_volume_name>
$ sudo mkfs.xfs /dev/mapper/<luks_volume_name>
$ sudo mount /dev/mapper/<luks_volume_name> /mountpoint
To unmount the encrypted LUKS2 iSCSI target (here the LUKS mapping is named volume1 and is mounted at /mnt/volume1), run:
$ sudo sync
$ sudo umount /mnt/volume1
$ sudo cryptsetup luksClose /dev/mapper/volume1
$ sudo iscsiadm -m node -T <target IQN displayed by the discovery command> -u
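The luksFormat command above decides the header's key derivation once; a keyslot added later with a weaker PBKDF quietly undoes that choice. The script below is an added example, not from the original post or from cryptsetup: it audits the text of `cryptsetup luksDump` and passes only a LUKS2 header in which every keyslot uses argon2id. The two dumps it contains are constructed samples (UUID, iteration counts and all), not output from a real device; the function names are chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a "cryptsetup luksDump"
# text for what the luksFormat command above is meant to produce, a LUKS2
# header whose keyslots all use argon2id. Real use on the post's device:
#   sudo cryptsetup luksDump /dev/sdf | audit_luks_dump
# The dumps below are constructed samples, not output from a real device.

# Reads a luksDump on stdin, prints "version=V keyslots=N weak=W" and returns
# 0 only for a LUKS2 header with at least one keyslot and no pbkdf2 keyslot.
# Only the "Keyslots:" section is inspected: the "Digests:" section of every
# LUKS2 dump legitimately says pbkdf2, so a blind grep would false-positive.
audit_luks_dump() {
    awk '
        /^Version:/                         { version = $2 }
        /^Keyslots:/                        { in_slots = 1; next }
        /^(Tokens|Digests):/                { in_slots = 0 }
        in_slots && /^[ \t]*[0-9]+: luks2/  { slots++ }
        in_slots && /^[ \t]*PBKDF:/         { if ($2 == "pbkdf2") weak++ }
        END {
            printf "version=%s keyslots=%d weak=%d\n", version, slots, weak
            exit !(version == "2" && slots > 0 && weak == 0)
        }'
}

# Constructed dump of a header as the post creates it (argon2id, one keyslot).
sample_dump_good() {
    cat <<'EOF'
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           00000000-0000-4000-8000-000000000001
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  11
        Memory:     1048576
        Threads:    4
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 126202
EOF
}

# The same header after a second keyslot was added with --pbkdf pbkdf2: that
# slot is the one an offline guessing attempt would go for, so the audit fails.
sample_dump_weak() {
    sample_dump_good | awk '
        /^Tokens:/ {
            print "  1: luks2"
            print "        Key:        512 bits"
            print "        PBKDF:      pbkdf2"
            print "        Hash:       sha256"
            print "        Iterations: 1000000"
            print "        Digest ID:  0"
        }
        { print }'
}

sample_dump_good | audit_luks_dump   # version=2 keyslots=1 weak=0
sample_dump_weak | audit_luks_dump   # version=2 keyslots=2 weak=1
```

Run the audit after luksFormat and again whenever a passphrase is added with luksAddKey; a keyslot reported as pbkdf2 can be brought in line with cryptsetup luksConvertKey --pbkdf argon2id on that slot.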
Target iptables configuration
Instruct iptables to allow TCP traffic on port 3260 (the iSCSI port) and save the rules. The redirect has to run as root, not just the iptables-save command, and /etc/iptables/rules.v4 is the file the iptables-persistent package restores at boot.
$ sudo iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 3260 -j ACCEPT
$ sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
Links
[0] https://uwot.eu/luks2-the-right-way-argon2/
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/online-storage-management#osm-target-setup
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/osm-create-iscsi-initiator
[3] https://www.lisenet.com/2016/iscsi-target-and-initiator-configuration-on-rhel-7/