0

I have an encrypted external disk on a Linux server.

On the server, I can do this locally to decrypt: cryptsetup -d keyfile luksOpen /dev/sdx1 /mnt/decrypted, but I prefer to avoid doing that on the server side.

I want to access the server (via ssh/sshfs) and only decrypt the data remotely on my client machine.

To access and decrypt the data remotely, I have to

  1. mount the encrypted /dev/sdx1 locally on the server (without decrypting it!!) to /mnt/encrypted
  2. mount /mnt/encrypted via sshfs on a client machine (then use luksOpen to decrypt)

How can I do step 1 without decrypting data?

Thanks, Chris

PS: maybe I should just use an encrypted container (a file on the server's file system) and not a whole partition? This way I could mount the folder containing the encrypted container/file remotely via sshfs (and only decrypt it on the client machine)?

1

2 Answers

1

This is impossible to achieve with your current setup.

The only "proper" way to do that is to put your LUKS volume on a Network Block Device.

You may use drbd or iscsi to access the block device on your server and then set up LUKS on it.

4
  • Thanks for the answer! What about using an encrypted LUKS container/file (not a partition), would that work across sshfs? Commented Nov 26, 2019 at 10:04
  • Something like /srv/encrypted.img <---sshfs----> /client/encrypted.img -> /dev/loop0 -> cryptsetup luksOpen -> mount /dev/mapper/dm0 /mnt/decrypted Commented Nov 26, 2019 at 10:28
  • Yeah, that will probably work. You can also use cryptmount, whose way of operating looks more compatible with what you want to do. Anyway, with that solution, take care of your private key, which is usually stored under /etc/ ... if it's lost, your data are too. Commented Nov 26, 2019 at 10:37
  • I can confirm now: yes, I can mount and decrypt LUKS remotely (via sshfs) if I use a LUKS container (not a LUKS partition) to hold the encrypted data. I just had to create a LUKS container (a file that internally holds the encrypted filesystem). This file is a normal file on a mounted partition, so it can be mounted remotely via sshfs and decrypted later (via loop device -> mapper device -> mount). Thanks Commented Nov 26, 2019 at 16:00
1

I can mount and decrypt LUKS remotely (via sshfs) if I use a LUKS container (and not a LUKS partition) to hold the encrypted data.

I just had to create a LUKS container (a file that internally holds the encrypted filesystem). This file is a normal file on a mounted partition, so it can be mounted remotely via sshfs and decrypted later (via loop device -> mapper device -> mount).

I have tested this and I can confirm it works.
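
The container-file workflow from the answer above (sshfs -> loop device -> mapper device -> mount), written out as an added shell example that is not part of the original thread. The host name, paths, mapper name and the allow_other mount option are assumptions; the script prints the commands unless DRY_RUN=0 is set, and checks for a LUKS header before attaching the loop device.

```shell
#!/bin/sh
# Added example. Host, paths and mapper name are assumptions, not from the thread.
SERVER="user@server.example"      # hypothetical SSH target
REMOTE_DIR="/srv"                 # server directory holding encrypted.img
LOCAL_DIR="/client"               # sshfs mount point on the client
IMG="$LOCAL_DIR/encrypted.img"    # container file as seen by the client
NAME="remote_luks"                # hypothetical /dev/mapper name
MNT="/mnt/decrypted"

# Return 0 only if FILE starts with the LUKS magic "LUKS\xba\xbe" + version 1 or 2.
is_luks_container() {
    [ -r "$1" ] || return 1
    case "$(od -An -tx1 -N8 < "$1" | tr -d ' \n')" in
        4c554b53babe0001|4c554b53babe0002) return 0 ;;
        *) return 1 ;;
    esac
}

# With DRY_RUN=1 (the default) print the command; otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

open_container() {
    # allow_other lets root's losetup read the FUSE mount; it requires
    # user_allow_other in /etc/fuse.conf when sshfs runs as a normal user.
    run sshfs -o allow_other "$SERVER:$REMOTE_DIR" "$LOCAL_DIR" || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        LOOPDEV="/dev/loopN"      # placeholder for the printed plan
        run sudo losetup --find --show "$IMG"
    else
        is_luks_container "$IMG" || { echo "no LUKS header: $IMG" >&2; return 1; }
        LOOPDEV=$(sudo losetup --find --show "$IMG") || return 1
    fi
    # Loop device and dm-crypt mapping live on the client; the server only serves ciphertext.
    run sudo cryptsetup luksOpen "$LOOPDEV" "$NAME" || return 1
    run sudo mount "/dev/mapper/$NAME" "$MNT"
}

close_container() {               # $1 = loop device printed by losetup
    run sudo umount "$MNT"
    run sudo cryptsetup luksClose "$NAME"
    run sudo losetup --detach "$1"
    run fusermount -u "$LOCAL_DIR"
}

case "${1:-}" in
    open)  open_container ;;
    close) close_container "$2" ;;
esac
```

Teardown runs in the reverse order of setup, so the mapper and loop device are released before the sshfs mount goes away.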
