How To Backup Your NAS To An Encrypted Disk

Setting up a Disk Partition

Now that we have a clean Ubuntu Server installation, we can set up LUKS encryption on the disk.

The first thing we need to do is find out which device the disk is. Typing ‘lsblk’ gives you a list of disks and partitions. From this output you can see that the 2.7T drive is my 3TB HDD; its device is ‘sda’, with one partition, ‘sda1’, covering the whole disk.

john@backup-server:~$ lsblk
loop0 7:0 0 55.4M 1 loop /snap/core18/2128
loop1 7:1 0 32.3M 1 loop /snap/snapd/12704
loop2 7:2 0 70.3M 1 loop /snap/lxd/21029
loop3 7:3 0 32.3M 1 loop /snap/snapd/12883
sda 8:0 0 2.7T 0 disk
└─sda1 8:1 0 2.7T 0 part
sdb 8:16 0 55.9G 0 disk
├─sdb1 8:17 0 1M 0 part
├─sdb2 8:18 0 1G 0 part /boot
└─sdb3 8:19 0 54.9G 0 part
└─ubuntu--vg-ubuntu--lv 253:0 0 27.5G 0 lvm /

If it’s a little confusing working out what your disk is labeled as, type ‘sudo lshw -short -C disk’, which gives more descriptive labels.

john@backup-server:~$ sudo lshw -short -C disk
H/W path Device Class Description
/0/7/0.0.0 /dev/sda disk 3TB WDC WD30EZRX-00D
/0/8/0.0.0 /dev/sdb disk 60GB OCZ-AGILITY3

The disk is about to be wiped, so make sure you’re not using a disk with important data on it. Using fdisk, it’s time to wipe out any partitions and create a blank partition ready for LUKS encryption.

john@ubuntubackupserver:~$ sudo fdisk /dev/sda

Welcome to fdisk (util-linux 2.34).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0x9feadadb.

Command (m for help):

You can delete partitions by typing ‘d’ and make partitions by typing ‘n’. Here I’m making a primary partition covering the whole disk.

Command (m for help): n
Partition type
p primary (0 primary, 0 extended, 4 free)
e extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-1073741823, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-1073741823, default 1073741823):

Created a new partition 1 of type 'Linux' and of size 512 GiB.

Command (m for help):

The final step is to write the changes by typing ‘w’. However, keep in mind that this is the step that wipes your disk, so be sure you’re doing it on the right disk!

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
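
A pre-flight check for the "right disk" warning above, as an added example that is not part of the original post: it reads `lsblk -P -o NAME,PKNAME,MOUNTPOINT` output and refuses a disk if it, or anything stacked on it (partitions, LVM volumes), is mounted. The function name `safe_to_wipe` and the sample listing, reconstructed from the lsblk output shown earlier, are assumptions.

```sh
#!/bin/sh
# Added example: refuse to repartition a disk that has anything mounted on it.
# stdin: output of `lsblk -P -o NAME,PKNAME,MOUNTPOINT`
# Returns 0 if DISK is listed and nothing on it is mounted, 1 otherwise.
safe_to_wipe() {
    awk -v disk="$1" -F'"' '
        {
            name = $2; parent = $4; mnt = $6
            # lsblk prints parents before children, so one pass is enough
            if (name == disk || (parent in tree)) {
                tree[name] = 1
                if (name == disk) found = 1
                if (mnt != "") {
                    printf "%s is mounted at %s\n", name, mnt > "/dev/stderr"
                    busy = 1
                }
            }
        }
        END { exit ((found && !busy) ? 0 : 1) }
    '
}

# Constructed sample, matching the disks in the lsblk listing above.
SAMPLE='NAME="sda" PKNAME="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" MOUNTPOINT=""
NAME="sdb" PKNAME="" MOUNTPOINT=""
NAME="sdb1" PKNAME="sdb" MOUNTPOINT=""
NAME="sdb2" PKNAME="sdb" MOUNTPOINT="/boot"
NAME="sdb3" PKNAME="sdb" MOUNTPOINT=""
NAME="ubuntu--vg-ubuntu--lv" PKNAME="sdb3" MOUNTPOINT="/"'

printf '%s\n' "$SAMPLE" | safe_to_wipe sda && echo "sda: nothing mounted"
printf '%s\n' "$SAMPLE" | safe_to_wipe sdb || echo "sdb: in use, refusing"

# Real use, before running fdisk:
#   lsblk -P -o NAME,PKNAME,MOUNTPOINT | safe_to_wipe sda || exit 1
```

Here the OS disk ‘sdb’ is rejected because ‘/boot’ and the LVM root volume sit on it, while ‘sda’ passes.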

LUKS Encryption

LUKS stands for Linux Unified Key Setup and is a common way to encrypt disks on Linux-based systems. With LUKS it’s easy to mount and recover data from your encrypted disk, as long as you have the password to unlock it. Using cryptsetup, we will encrypt the partition with LUKS and set a password for decryption.

john@ubuntubackupserver:~$ sudo cryptsetup -y -v luksFormat /dev/sda1

This will overwrite data on /dev/sda1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sda1:
Verify passphrase:
Key slot 0 created.
Command successful.

Before we can add a file system to the encrypted partition we need to map it, because the decryption/encryption has to do its magic in between reads and writes to the disk.

john@ubuntubackupserver:~$ sudo cryptsetup luksOpen /dev/sda1 backup_hdd

To check that your mapping is working as intended, and to see the LUKS information, type this command.

john@ubuntubackupserver:~$ sudo cryptsetup -v status backup_hdd
/dev/mapper/backup_hdd is active.
type: LUKS2
cipher: aes-xts-plain64
keysize: 512 bits
key location: keyring
device: /dev/sda1
sector size: 512
offset: 32768 sectors
size: 1073707008 sectors
mode: read/write
Command successful.

The partition can now be used in a read/write state at ‘/dev/mapper/backup_hdd’, in the same way you would normally use ‘/dev/sda1’. It’s time to add a file system, and I’ll be choosing ext4 for simplicity and reliability.

john@ubuntubackupserver:~$ sudo mkfs.ext4 /dev/mapper/backup_hdd -L "Backup Disk"
mke2fs 1.45.5 (07-Jan-2020)
Creating filesystem with 134213376 4k blocks and 33554432 inodes
Filesystem UUID: 2262b2e7-8d9a-42d2-ae92-08cdd540b7b3
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,

Allocating group tables: done
Writing inode tables: done
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done

Create a directory to use as a mount point for the partition and give yourself read/write permissions.

john@ubuntubackupserver:~$ sudo mkdir /media/backup_hdd
john@ubuntubackupserver:~$ sudo chown john:john /media/backup_hdd

Mount the partition to the new directory and create/delete a test file to confirm it’s working.

john@ubuntubackupserver:~$ sudo mount /dev/mapper/backup_hdd /media/backup_hdd
john@ubuntubackupserver:~$ touch /media/backup_hdd/test
john@ubuntubackupserver:~$ ls /media/backup_hdd
lost+found test
john@ubuntubackupserver:~$ rm /media/backup_hdd/test
john@ubuntubackupserver:~$ ls /media/backup_hdd
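
A check a backup script can run before writing anything, as an added example that is not part of the original post: if the disk was never unlocked or mounted, ‘/media/backup_hdd’ is just a directory on the unencrypted system disk and the backup would land there in the clear. The function names and the sample inputs are assumptions; the samples are constructed from the outputs shown above, and the check assumes /proc/mounts lists the mapping as ‘/dev/mapper/backup_hdd’.

```sh
#!/bin/sh
# Added example: confirm the backup target is the LUKS mapping and is mounted.

# luks_mapping_ok DEVICE   -- stdin: output of `cryptsetup status <name>`
# Succeeds only if the mapping is active, is LUKS, and sits on DEVICE.
luks_mapping_ok() {
    awk -v dev="$1" '
        / is active/                    { active = 1 }
        $1 == "type:"   && $2 ~ /^LUKS/ { luks = 1 }
        $1 == "device:" && $2 == dev    { backing = 1 }
        END { exit ((active && luks && backing) ? 0 : 1) }
    '
}

# mounted_from SOURCE MOUNTPOINT   -- stdin: contents of /proc/mounts
# Succeeds only if the mount visible at MOUNTPOINT comes from SOURCE.
mounted_from() {
    awk -v src="$1" -v mnt="$2" '
        $2 == mnt { last = $1 }   # the last entry is the one on top
        END { exit ((last == src) ? 0 : 1) }
    '
}

# Constructed samples based on the outputs shown in this post.
STATUS_SAMPLE='/dev/mapper/backup_hdd is active.
  type:    LUKS2
  cipher:  aes-xts-plain64
  device:  /dev/sda1
  mode:    read/write'
MOUNTS_SAMPLE='/dev/mapper/ubuntu--vg-ubuntu--lv / ext4 rw,relatime 0 0
/dev/sdb2 /boot ext4 rw,relatime 0 0
/dev/mapper/backup_hdd /media/backup_hdd ext4 rw,relatime 0 0'

printf '%s\n' "$STATUS_SAMPLE" | luks_mapping_ok /dev/sda1 \
    && printf '%s\n' "$MOUNTS_SAMPLE" \
       | mounted_from /dev/mapper/backup_hdd /media/backup_hdd \
    && echo "backup target is encrypted and mounted"

# Real use at the top of a backup script:
#   sudo cryptsetup status backup_hdd | luks_mapping_ok /dev/sda1 || exit 1
#   mounted_from /dev/mapper/backup_hdd /media/backup_hdd < /proc/mounts || exit 1
```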
