blog-image

Nextcloud - Data Encryption - LUKS - Raspberry PI - Rock64 (armhf-arm64)

  • dHENRY
  • 01/07/2020
  • (Reading time : 5 mn)

(**) Translated with www.DeepL.com/Translator

You have your own personal NextCloud storage, the external backup system is already in place, but have you thought about theft? If malicious people get into your system, they will be able to access all NextCloud data stored on the hard drives. Encrypting your data remains the most secure solution. If the server is stopped, restarting it will require providing the encryption password to access the NextCloud data.

This article explains how to migrate your production NextCloud data to a LUKS encrypted disk without changing the NextCloud configuration.

Topology

  • Unencrypted hard disk containing Nextcloud data: 500 Gb, only one partition mounted on /DiskNextCloud. Data is located in “/DiskNextCloud/nextcloud”.
  • A new 500Gb SSD

You will need to adapt this instruction to your topology.

Preparation

Warning : this operation requires the shutdown of the apache2 service, which is in charge of distributing the NextCloud application. Consequently, the latter will be unavailable for the entire duration of the operation, equivalent to the time required to copy all the production data to the encrypted disk.

  • Stop apache2 : systemctl stop apache2

Installing Cryptsetup

On the server with the NextCloud service, install the encryption service. :

apt-get install cryptsetup

Create the partition

Insert the SSD disk, then look up the allocated device with :

dmesg

In my case, i get :

[ 3165.174689] sd 6:0:0:0: [sdb] Optimal transfer size 33553920 bytes not a multiple of physical block size (4096 bytes)
[ 3165.178755] sd 6:0:0:0: [sdb] Attached SCSI disk

The device of the new disk is here : “/dev/sdb”

Create the partition

Use the fdisk command (I don’t detail here how it works). fdisk /dev/sdb, in my case, a single partition of type “83 (Linux)”.

The result after creating the single partition is :

Device                Start End Sectors Size Id Type
/dev/sdb1              2048 976773167 976771120 465.8G 83 Linux

Setup

  • First generate a password that will be requested during this process, you can use the “apg” utility. Warning, make a note of this password. Once created the encrypted partition can only be used if you provide the correct encryption key.

  • Set up the single partition “/dev/sdb1” in “Luks” format:

cryptsetup -q luksFormat /dev/sdb1
# The process asks you for the encryption password.

A LUKS encrypted partition supports up to 8 slots, i.e., 8 encryption passwords. You can check the available slots with the command :

cryptsetup luksDump /dev/sdb1

To open the encrypted container LUKS :

cryptsetup luksOpen /dev/sdb1 datanextcloud

/dev/sdb1 : LUKS encrypted partition on the SSD disk datanextcloud : Alias for the container. This alias can be any name, description, … and will be accessible through the mapper : “/dev/mapper/datanextcloud”

The execution of this command requires providing the encryption password.

Once the encrypted container is accessible, create a file system in “ext4” format (or other according to your needs).

mkfs -t ext4 /dev/mapper/datanextcloud

PS : I had to reboot the unit in order to properly access the mapper.

Now mount the file system to e.g. “/mnt/ssd”

mkdir /mnt/ssd
mount /dev/mapper/datanextcloud /mnt/ssd

Data transfer

Now transfer the data from the unencrypted disk to the encrypted LUKS partition using the “rsync” command.

Synchronizing the production disc to the new SSD disc

apt install rsync
rsync -ravH /DiskNextCloud/nextcloud /mnt/ssd/.

Wait for the complete end of data synchronization. Then proceed with the disassembly of the two partitions :

umount /DiskNextCloud
umount /mnt/ssd

Comment the auto-mount line corresponding to “/DiskNextCloud” in the file “/etc/fstab”..

Installation in the MytinyDC Datacenter

We’ll have to adapt the nextcloud boot, since mounting the encrypted disk will require providing the encryption key, and since I don’t have a console on this server, I’ll proceed with the complete boot of the service in “manual” mode. Consequences: if the server reboots (reboot), NextCloud will not be started automatically.

Preparation of the server

# LUKS Instalation 
apt-get install cryptsetup
# disabling the apache2 service at startup
systemctl disabled apache2
## In my case, rapsberry Pi4, Debian 10, I had to reboot the server to expose the "/dev/mapper" mapper.
reboot
# Nextcloud is no longer accessible for the moment.

Mounting the encrypted partition and booting Nextcloud (manual)

After startup, you will need to connect to the NextCloud server console to manually launch the NextCloud service. :

cryptsetup luksOpen /dev/sda1 datanextcloud
# Provide the encryption key
# The NextCloud mount point remains the same, the architecture hasn't changed
mount /dev/mapper/datanextcloud /DiskNextCloud
systemctl start apache2

Your NextCloud service is started and uses the new encrypted disk. If MytinyDC is stolen, only the hardware can be used for a new experience :)

Reading/Writing Performance Tests

These tests were done on a Rasbperry PI4

Support Reading (10Mo) Writing (10Mo) Reading (50Mo) Writing (50Mo)
Carte SD 337 MB/s 124 MB/s 496 MB/s 191 MB/s
USB3 hard drive (unencrypted - 5000 tr/mn) 650 MB/s 118 MB/s 657 MB/s 188 MB/s
USB3 Encrypted SSD Disk 596 MB/s 127 MB/s 685 MB/s 194 MB/s

Go further

  • Create a NextCloud service startup shell
  • Use the encryption key stored on an external support (USB key, API, etc…)
  • Mount the encrypted disk after inserting a USB key (automated system), do not forget to remove the USB device once the service has started.
  • The server sends an email to the administrator after each reboot.

This document was co-authored by Benjamin

Document licence : Creative Commons (CC BY-NC-ND 4.0)

THIS DOCUMENTATION IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND AND DISTRIBUTED FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR, CONTRIBUTORS TO THIS DOCUMENTATION OR ©MYTINYDC.COM SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT OR INDIRECT DAMAGE THAT MAY RESULT FROM THE APPLICATION OF THE PROCEDURES IMPLEMENTED IN THIS DOCUMENTATION, OR FROM THE INCORRECT INTERPRETATION OF THIS DOCUMENT.

(**) Translated with www.DeepL.com/Translator