I have an Ubuntu 15.04 “Vivid” workstation already set up with LUKS full disk encryption, and I have a Synology DS414 NAS with 12TB raw storage on my home network. I wanted to add a disk volume on the Synology DS414 that I could mount on the Ubuntu workstation, but NFS exports give you no encryption at rest, and running EncFS over NFS seemed like the wrong way to go about it, so I decided to export an iSCSI volume from the NAS and put LUKS on it from the Ubuntu side. With this setup the data is encrypted both “on the wire” and “at rest”: dm-crypt turns the blocks into ciphertext on the workstation before they leave the machine, so the NAS, and anyone sniffing the LAN, only ever sees ciphertext. Note that this buys confidentiality, not integrity: CHAP only authenticates the initiator to the target, and LUKS as used here detects nothing if someone with access to the NAS modifies the stored ciphertext.
Log into the Synology Admin Panel and select Main Menu > Storage Manager:
- Add an iSCSI LUN
- Set Thin Provisioning = No
- Advanced LUN Features = No
- Make the volume as big as you need
- Add an iSCSI Target
- Use CHAP authentication
- Write down the login name and password you choose
On your Ubuntu box switch over to a root prompt:
Install the open-iscsi initiator. (Since the workstation already boots from a LUKS root, cryptsetup and lvm2 are already installed; on a machine without LUKS, install those two packages as well.)
apt-get install open-iscsi
Edit /etc/iscsi/iscsid.conf and set these lines. The authmethod line is what actually turns CHAP on; if it is left at its default of None, the username and password are ignored and the login fails. These values are defaults for every target this initiator logs into:
node.startup = automatic
node.session.auth.authmethod = CHAP
node.session.auth.username = [CHAP user name on Synology box]
node.session.auth.password = [CHAP password on Synology box]
Restart the open-iscsi service and check that it came back up:
service open-iscsi restart
service open-iscsi status
Start open-iscsi at boot time:
systemctl enable open-iscsi
Now find the name of the iSCSI target on the Synology box; the second command lists the node records that discovery created:
iscsiadm -m discovery -t st -p $SYNOLOGY_IP
iscsiadm -m node
The target name should look something like “iqn.2000-01.com.synology:boxname.target-1.62332311”
Still on the Ubuntu workstation, log into the iSCSI target:
iscsiadm -m node --targetname "$TARGET_NAME" --portal "$SYNOLOGY_IP:3260" --login
Look for new devices:
fdisk -l
fdisk should now show a new block device, which is the iSCSI LUN on the Synology box. In my case it was /dev/sdd. Check that its size matches the LUN you created before writing anything to it; the drive letter depends on enumeration order and can change between boots.
Partition the device. I made one big /dev/sdd1 partition, type 8e (Linux LVM). (LUKS does not actually need a partition table; cryptsetup can be pointed at /dev/sdd directly, which sidesteps any partitioning-tool limits.)
Set up the device as a LUKS-encrypted device:
cryptsetup --verbose --verify-passphrase luksFormat /dev/sdd1
Open the LUKS volume:
cryptsetup luksOpen /dev/sdd1 backupiscsi
Create a physical volume from the LUKS volume:
pvcreate /dev/mapper/backupiscsi
Add that to a new volume group:
vgcreate ibackup /dev/mapper/backupiscsi
Create a logical volume within the volume group (the last argument is the volume group name; LVM sizes use G for GiB):
lvcreate -L 1800G -n backupvol ibackup
Put a file system on the logical volume:
mkfs.ext4 /dev/ibackup/backupvol
Add the logical volume to /etc/fstab to mount it on startup. nofail lets the boot finish if the NAS is off; _netdev tells systemd this filesystem lives on the network, so the mount is ordered after networking and open-iscsi rather than attempted early in boot (nobootwait was an Upstart option and is not understood on systemd releases); pass 2 runs fsck like any other non-root filesystem:
# Synology iSCSI target LUN-1
/dev/ibackup/backupvol /mnt/backup ext4 defaults,nofail,_netdev 0 2
Get the UUID of the iSCSI drive:
ls -l /dev/disk/by-uuid | grep sdd1
Add the UUID to /etc/crypttab to be automatically prompted for the decrypt passphrase when you boot up Ubuntu. The _netdev option (honoured by systemd 235 and later, i.e. Ubuntu 18.04 onward; older releases log a warning and ignore it) orders the unlock after the network and the iSCSI login instead of having systemd wait for a disk that cannot exist yet:
backupiscsi UUID=693568ca-9334-4c19-8b01-881f2247ae0d none luks,_netdev
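The whole procedure above collected into one script, added here as an example rather than taken from the original post. The NAS address, CHAP credentials, mapper name, volume group, logical volume and mount point are placeholders, and the by-path symlink used to find the LUN assumes the udev naming `ip-<portal>-iscsi-<iqn>-lun-<n>`. Unlike the walkthrough it sets CHAP per node record with `iscsiadm -o update` instead of editing iscsid.conf globally, formats the whole iSCSI disk without a partition table, and writes `_netdev` into both crypttab and fstab. The destructive part only runs when `ISCSI_LUKS_RUN=1` is set, so the helpers can be sourced and checked safely.

```bash
#!/bin/bash
# Added example, not from the original post: the iSCSI + LUKS + LVM procedure
# above as one script. IP, CHAP credentials and the device/volume names are
# assumptions; edit them first. Nothing touches the system unless
# ISCSI_LUKS_RUN=1 is set, so the helper functions can be read and tested safely.
set -eu

SYNOLOGY_IP="${SYNOLOGY_IP:-192.168.1.10}"      # assumed NAS address
CHAP_USER="${CHAP_USER:-backupuser}"            # assumed CHAP login set on the target
CHAP_PASS="${CHAP_PASS:-correct-horse-battery}" # assumed CHAP secret
MAPPER=backupiscsi                              # /dev/mapper/$MAPPER after luksOpen
VG=ibackup
LV=backupvol
MOUNT=/mnt/backup

# Pull the IQN out of `iscsiadm -m discovery -t st -p $SYNOLOGY_IP` output, whose
# lines look like "192.168.1.10:3260,1 iqn.2000-01.com.synology:box.target-1.62332311".
# Only the first target is returned; prints nothing if no line carries an IQN.
parse_iscsi_target() {
    printf '%s\n' "$1" | awk '$2 ~ /^iqn\./ { print $2; exit }'
}

# /etc/crypttab line. _netdev (systemd 235+) orders the unlock after the network
# and the iSCSI login instead of early in boot; older releases ignore the option.
render_crypttab() {  # $1 = mapper name, $2 = LUKS UUID
    printf '%s UUID=%s none luks,_netdev\n' "$1" "$2"
}

# /etc/fstab line. nofail lets boot finish when the NAS is off; _netdev orders
# the mount after the network; pass 2 runs fsck like any other non-root fs.
render_fstab() {  # $1 = block device, $2 = mount point
    printf '%s %s ext4 defaults,nofail,_netdev 0 2\n' "$1" "$2"
}

setup_iscsi_luks() {
    local portal="$SYNOLOGY_IP:3260" target dev uuid
    apt-get install -y open-iscsi cryptsetup lvm2

    # Discover, then set CHAP and auto-start on this node record only, rather
    # than in iscsid.conf for every target; authmethod is what enables CHAP.
    target=$(parse_iscsi_target "$(iscsiadm -m discovery -t st -p "$portal")")
    [ -n "$target" ] || { echo "no iSCSI target found at $portal" >&2; return 1; }
    iscsiadm -m node -T "$target" -p "$portal" -o update -n node.startup -v automatic
    iscsiadm -m node -T "$target" -p "$portal" -o update -n node.session.auth.authmethod -v CHAP
    iscsiadm -m node -T "$target" -p "$portal" -o update -n node.session.auth.username -v "$CHAP_USER"
    iscsiadm -m node -T "$target" -p "$portal" -o update -n node.session.auth.password -v "$CHAP_PASS"
    iscsiadm -m node -T "$target" -p "$portal" --login
    systemctl enable open-iscsi

    # Find the new disk through its stable by-path link instead of guessing
    # /dev/sdX (link format and first-LUN assumption noted in the lead-in).
    udevadm settle
    dev=$(readlink -f /dev/disk/by-path/ip-"$portal"-iscsi-"$target"-lun-* | head -n 1)
    [ -b "$dev" ] || { echo "iSCSI disk for $target not found" >&2; return 1; }

    # LUKS on the whole disk (no partition table needed), LVM on top, ext4 on that.
    cryptsetup --verify-passphrase luksFormat "$dev"
    cryptsetup luksOpen "$dev" "$MAPPER"
    pvcreate "/dev/mapper/$MAPPER"
    vgcreate "$VG" "/dev/mapper/$MAPPER"
    lvcreate -l 100%FREE -n "$LV" "$VG"
    mkfs.ext4 "/dev/$VG/$LV"

    # Persist the unlock and the mount; both carry _netdev for boot ordering.
    uuid=$(cryptsetup luksUUID "$dev")
    render_crypttab "$MAPPER" "$uuid" >> /etc/crypttab
    render_fstab "/dev/$VG/$LV" "$MOUNT" >> /etc/fstab
    mkdir -p "$MOUNT"
    mount "$MOUNT"
}

if [ "${ISCSI_LUKS_RUN:-0}" = 1 ]; then
    setup_iscsi_luks
fi
```

Run it once as root with `ISCSI_LUKS_RUN=1 ./iscsi-luks.sh` after changing the placeholders; luksFormat still prompts for the passphrase interactively, which is deliberate for a one-off setup script. Keeping the CHAP secret out of iscsid.conf and in the per-node record means other targets this initiator talks to do not inherit it.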
If you found this interesting, you might want to check out my article Adding an external encrypted drive with LVM to Ubuntu Linux.
Hope you found this useful.
Extremely useful, thank you. I would just add a warning that it is necessary to use parted or gparted to create GPT partitions (in this example on /dev/sdd) larger than 2TB.
fdisk alone will not do that.
I understand what you’re saying, but my partition is larger than 2TB, and these are the commands that I used to create it. The thing you may have missed is that I did not create the LUN device using fdisk. I’m creating the LUN using the Synology Admin Panel and “Add an iSCSI LUN”. Under the hood Synology creates a device with a “gpt” disklabel, and fdisk can modify gpt devices just fine, even ones that are larger than 2TB.
A bigger issue (for me) is that when Ubuntu 18.04 came out there were changes made to systemd which loads something (iSCSI drivers? LUKS? LVM?) in a different order than 15.04 or 16.04 used. Due to that, on 18.04+ systems the encrypted iSCSI volume won’t automatically mount at boot time. I have to wait until the system boots, then manually mount the drive.
I’ve looked into it a couple of times and haven’t found a solution yet. If anyone has one I’d be interested to know what you find.
Same problem here, Ubuntu 18.04 / 20.x / 21 etc. runs into a timeout when booting, so I have to mount it manually later. I also can’t find a fix.