post

Adding a LUKS-encrypted iSCSI volume to TrueNAS and Ubuntu 24.04

Posted on by

I have an Ubuntu 24.04 “Noble Numbat” workstation already set up with LUKS full disk encryption, and I have a Terra Master F4-424 NAS with 32TB raw storage that I installed TrueNAS Scale on. Years ago I set up a LUKS-encrypted iSCSI volume on a Synology NAS and used that to back up my main Ubuntu server, and I wanted to do the same thing using TrueNAS.

Create the iSCSI volume on TrueNAS

Log into the TrueNAS Scale Web UI and select System > Services. Make sure that the iSCSI service is running and set to start automatically.

Select Datasets > Add Dataset to create a new storage pool.

  • Add Dataset
    • Parent Path: [I used my main data pool]
    • Name: ibackup
    • Dataset Preset: Generic

Select Shares > Block (iSCSI) Shares Targets > Wizard to create a new iSCSI target.

  • Block Device
    • Name: ibackup
    • Extent Type: Device
    • Device: Create New
    • Pool/Dataset: [select the dataset that you created in the previous step]
    • Size: 3 TiB [How many TiB do you want?]
    • Sharing Platform: Modern OS
    • Target: Create New
  • Portal
    • Portal: Create New
    • Discovery Authentication Method: CHAP
    • Discovery Authentication Group: Create New
    • User: CHAP user name (doesn’t need to be a real user, can be any name)
    • Secret: CHAP user password (make sure you write the user name and password down)
    • IP Address: Click Add. [If you only want one specific IP address to be able to connect, enter it. If you don’t care, use 0.0.0.0]
  • Initiator
    • Initiators: [Leave blank to allow all or enter a list of initiator hostnames]
  • Click Save. You’ve now created an iSCSI volume that you can mount from across your network.

Get the iSCSI volume to appear as a block device on Linux

On your Ubuntu box switch over to a root prompt:

sudo su

Install the open-iscsi drivers. (Since I’m already running LUKS on my Ubuntu box I don’t need to install LUKS.)

apt-get install open-iscsi

Edit the conf file

vi /etc/iscsi/iscsid.conf

Edit these lines:

node.startup = automatic
node.session.auth.username = [CHAP user name on TrueNAS box]
node.session.auth.password = [CHAP password on TrueNAS box]

Restart the open-iscsi service:

systemctl restart open-iscsi
systemctl status open-iscsi

Start open-iscsi at boot time:

systemctl enable open-iscsi

Now find the name of the iSCSI target on the TrueNAS box:

iscsiadm -m discovery -t st -p $NAS_IP
iscsiadm -m node

The target name should look something like “iqn.2005-10.org.freenas.ctl:ibackup”

Still on the Ubuntu workstation, log into the iSCSI target:

iscsiadm -m node --targetname "$TARGET_NAME" --portal "$NAS_IP:3260" --login

Look for new devices:

fdisk -l | less

At this point fdisk should show you a new block device which is the iSCSI disk volume on the Synology box. In my case it was /dev/sda.

Set up the block device as an encrypted file system

Partition the device. I made one big /dev/sda1 partition, type 8e (Linux LVM):

gparted /dev/sda

Set up the partition as a LUKS-encrypted volume:

cryptsetup --verbose --verify-passphrase luksFormat /dev/sda1

You’ll be asked to type “YES” to confirm. Typing “y” or “Y” or “yes” will not work. You have to type “YES”.

Open the LUKS volume:

cryptsetup luksOpen /dev/sda1 backupiscsi

Create a physical volume from the LUKS volume:

pvcreate /dev/mapper/backupiscsi

Add that to a new volume group:

vgcreate ibackup /dev/mapper/backupiscsi

Create a logical volume within the volume group using all available space:

lvcreate -l +100%FREE -n backupvol /dev/ibackup

Put a file system on the logical volume:

mkfs.ext4 /dev/ibackup/backupvol

Add the logical volume to /etc/fstab to mount it on startup:

# TrueNAS iSCSI target
/dev/ibackup/backupvol /mnt/backup ext4 defaults,nofail,nobootwait 0 6

Get the UUID of the iSCSI drive:

ls -l /dev/disk/by-uuid | grep sda1

Add the UUID to /etc/crypttab to be automatically prompted for the decrypt passphrase when you boot up Ubuntu:

backupiscsi UUID=693568ca-9334-4c19-8b01-881f2247ae0d none luks

That’s pretty much it. The next time you boot you’ll be prompted for the decrypt passphrase before the drive will mount. If you type df -h you should see a new disk mounted on /mnt/backup.

If you found this interesting, you might want to check out my article Adding an external encrypted drive with LVM to Ubuntu Linux.

Hope you found this useful.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.