We’ve all hear about the Cloud. It’s on the Internet somewhere and some people must believe its just magic – or something like that. Technically, Cloud Servers are just Virtualized Servers. Like a Russian doll, its a Server in a Server. The big difference is that one Bare Metal server (the physical hardware) can host many Virtual Servers. This idea is what gives way to the idea of – queue dramatic music – “the Cloud”. Most Cloud Servers are not encrypted so the concept of Working with encrypted disks is kind of rare.
If you learned something from this first paragraph then that’s great! This is just a warning – the rest of this will be very technical in comparison. It will include Linux commands that deal with low-level file systems, disk encryption, and others.
There are only a few cases where using full disk encryption is a bad idea. These include…
Most disk encryption solutions use whats called Luks encryption. Luks stands for Linux Unified Key Setup and was initially developed in 2004. It’s the defacto disk encryption for the Linux Operating System and it’s what we’ll be talking about today.
A presumption that we’re using here is that you already have your disk image in a RAW format. Different Cloud Platforms use different disk formats. VMWare uses the VMDK format. XenServer uses OVA/OVF formats. KVM uses qcow2 and RAW formats. Hyper-V uses the VHD format. And so on and so on. The RAW format can be considered the most natural format to work with. It uses open standards and is widely used and understood.
When you have your encrypted RAW disk image (Cloud_Server_encrypted_disk.img) you’ll first need to know if there are multiple partitions in the image. We’ll use fdisk
# fdisk -l Cloud_Server_encrypted_disk.img
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xREMOVED
Device Boot Start End Sectors Size Id Type
Cloud_Server_encrypted_disk.img1 * 2048 1026047 1024000 500M 83 Linux
Cloud_Server_encrypted_disk.img2 1026048 104857599 103831552 49.5G 83 Linux
The results here are interesting. We know that the type is of the
The second partition, which is 49.5GB, is likely where the data you want lives. Take note of the “Start” section which is 1036048. We’ll also take note of the size of each sector. This number represents the
Now that we know the offset – 1026048*512 – we can mount the image as a loop device.
# losetup -o $((1026048*512)) /dev/loop0 Cloud_Server_encrypted_disk.img
As long as there are no errors your disk is mounted and ready to be decrypted and accessed for backup purposes. The following commands, in the order provided (note the ‘&&’ which ties commands in sequence as long as there are no errors from the previous command). You’ll be prompted for a password to decrypt the disk image, then will ensure the required Linux Kernel Module is loaded, then will update Linux Volume information for changes, display information about the Linux Volumes, then finally mount the now accessible disk image to a folder of your choosing.
# cryptsetup luksOpen /dev/loop0 _FILES_BACKUP && modprobe dm-mod && vgchange -ay && lvscan && mount /dev/vg_centos65/lv_root /mnt/existing_folder/
Enter passphrase for /home/username/Cloud_Server_encrypted_disk.img:
2 logical volume(s) in volume group "vg_centos65" now active
3 logical volume(s) in volume group "pve" now active
ACTIVE '/dev/vg_centos65/lv_root' [45.60 GiB] inherit
ACTIVE '/dev/vg_centos65/lv_swap' [3.91 GiB] inherit
ACTIVE '/dev/pve/swap' [8.00 GiB] inherit
ACTIVE '/dev/pve/root' [58.00 GiB] inherit
ACTIVE '/dev/pve/data' [147.34 GiB] inherit
You’ll then be able to navigate through the filesystem just like any other folder. Once you’re done backing up your data, or with whatever else you need to do with a backup image, you can unmount the disk using the following commands.
# umount /mnt/sdb/ && dmsetup remove vg_centos65-lv_root && dmsetup remove vg_centos65-lv_swap && cryptsetup luksClose /dev/mapper/_FILES_BACKUP && losetup -d /dev/loop0
There is some things to note here. Specifically, this works on linux – specifically a CentOS v6.5 installation of Linux. If you’re accessing a Debian, Ubuntu, or other flavors of Linux, your commands will likely be slightly different.
We hope that you find this helpful but if you require further information, or assistance, then feel free to contact us. We’re looking forward to helping.