Install util-linux (provides losetup) and cryptsetup
sudo apt update && sudo apt install -y util-linux cryptsetup
Create an encrypted iSCSI block inside a file stored on Btrfs (server side)
The LUKS header and the filesystem live inside the image file, so whatever is written here is exactly what the initiator will see later. If the VPS should never handle the passphrase, skip the cryptsetup and mkfs steps here, export the empty image, and run them from the client instead (step 3 below). Never keep the device open or mounted on the server while tgt is exporting the same file: two writers on one block device corrupt it.
truncate -s 100G /data/iscsi_encrypted.img # Create a 100GB sparse file
losetup /dev/loop0 /data/iscsi_encrypted.img # Attach as loop device (losetup -f --show FILE picks a free device instead of hard-coding loop0)
cryptsetup luksFormat /dev/loop0 # Encrypt with LUKS; asks for a passphrase and destroys any existing content
cryptsetup open /dev/loop0 iscsi_encrypted # Unlock: creates /dev/mapper/iscsi_encrypted
mkfs.ext4 /dev/mapper/iscsi_encrypted # Format it
mount /dev/mapper/iscsi_encrypted /mnt/secure # Optional local mount for a first check
Tear everything down again before exporting the image with tgt, and before backing up the image file:
umount /mnt/secure
cryptsetup close iscsi_encrypted # close takes only the mapping name, not the loop device
losetup -d /dev/loop0 # detach the loop device
Without Encryption
Anyone who can read the image file on the VPS, or capture the iSCSI session on the wire, can read this data; use it only for content that needs no confidentiality.
# 1️⃣ Create a 100GB sparse file for the iSCSI block
truncate -s 100G /data/iscsi.img
# 2️⃣ Attach the file as a loop device
losetup /dev/loop0 /data/iscsi.img
# 3️⃣ Format the block with ext4 (no LUKS encryption)
mkfs.ext4 /dev/loop0
# 4️⃣ Mount it locally only for a check; unmount it and detach the loop device before tgt exports the file
mount /dev/loop0 /mnt/secure
1️⃣ Set Up iSCSI Target Server
- Install iSCSI target tools:
apt-get install tgt # Install iSCSI target utilities (tgtd, tgtadm, tgt-admin)
- Create an iSCSI target configuration:
nano /etc/tgt/conf.d/iscsi.conf
<target iqn.2025-02.com.example:disk1>
# The image file as exported; with LUKS inside it the initiator sees a crypto_LUKS device
backing-store /data/iscsi_encrypted.img
# Limit access to your client. This is an IP filter, not authentication:
# whoever can use this address can log in, so add CHAP (an incominguser line) on any network you do not fully control
initiator-address 192.168.1.100
# initiator-address ALL would accept any host that can reach port 3260 (the same as leaving the line out)
</target>
tgt assigns backing stores to LUN 1, 2, ... in the order they are listed; LUN 0 is the target's own controller device and cannot hold a backing store.
IQN format
iqn.YYYY-MM.reverse-domain-name:unique-name
- YYYY-MM → the year and month the naming authority acquired the domain (any valid month works; it is a uniqueness convention and nothing verifies it).
- reverse-domain-name → a domain name in reverse order (com.example for example.com). Ownership is not checked, but the complete IQN must be unique among all targets and initiators that can see each other, so use a name nobody else would choose.
- unique-name → a custom identifier, like disk0, server1, storage, etc. Keep the whole name lowercase and at most 223 bytes.
Example of Valid Names:
<target iqn.2025-02.myserver.storage:disk0>
<target iqn.2025-02.local.iscsi:mydisk>
<target iqn.2025-02.com.example:vm-disk1>
Example 1: Multiple LUNs in One Target
<target iqn.2025-02.com.example:storage>
backing-store /srv/iscsi0.img
backing-store /srv/iscsi1.img
backing-store /srv/iscsi2.img
</target>
- The initiator will see one target (storage) with three disks, numbered in the order the backing stores are listed (LUN 0 is the controller, not a disk):
Target: iqn.2025-02.com.example:storage
├── LUN 1 (iscsi0.img)
├── LUN 2 (iscsi1.img)
└── LUN 3 (iscsi2.img)
Example 2: One LUN Per Target
<target iqn.2025-02.com.example:disk0>
backing-store /srv/iscsi0.img
</target>
<target iqn.2025-02.com.example:disk1>
backing-store /srv/iscsi1.img
</target>
<target iqn.2025-02.com.example:disk2>
backing-store /srv/iscsi2.img
</target>
- The initiator will see three separate targets, each containing one LUN (each target can get its own initiator-address and CHAP settings):
Target: iqn.2025-02.com.example:disk0
└── LUN 1 (iscsi0.img)
Target: iqn.2025-02.com.example:disk1
└── LUN 1 (iscsi1.img)
Target: iqn.2025-02.com.example:disk2
└── LUN 1 (iscsi2.img)
- Restart the iSCSI service (this drops any active sessions; logged-in clients must log in again):
systemctl restart tgt
- Verify the target is available, and check its LUNs and the initiator ACL it actually carries:
tgtadm --mode target --op show
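The two controls this section relies on, a well-formed unique IQN and the initiator-address filter, are easy to get subtly wrong, and the IP filter on its own authenticates nobody. The shell helpers below are an added example written for this page, not code from the original or from the tgt project: validate_iqn checks the iqn.YYYY-MM.reverse-domain[:unique-name] form described above, render_tgt_target prints a target block that pairs the IP filter with CHAP (incominguser), and install_tgt_target writes it into conf.d with root-only permissions, because the file then holds the CHAP secret. The helper names, the CHAP account initiator1, the secret, and the TGT_CONF_DIR override (used so the writer can be exercised without touching /etc/tgt) are assumptions made for this example.

```shell
#!/bin/sh
# Added example for this page; not from the original or from the tgt project.
# Assumed: helper names, the CHAP account/secret, and the TGT_CONF_DIR override.

# Accept iqn.YYYY-MM.reverse-domain[:unique-name]: lowercase domain labels,
# a real month, at most 223 bytes in total.
validate_iqn() {
    [ "${#1}" -le 223 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
        '^iqn\.[0-9]{4}-(0[1-9]|1[0-2])(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+(:[A-Za-z0-9._:-]+)?$'
}

# Print one tgt target block to stdout.
# $1 IQN  $2 backing file  $3 allowed initiator IP  $4 CHAP user  $5 CHAP secret
render_tgt_target() {
    validate_iqn "$1" || { echo "render_tgt_target: malformed IQN '$1'" >&2; return 1; }
    [ -n "$5" ] || { echo "render_tgt_target: CHAP secret required" >&2; return 1; }
    cat <<EOF
<target $1>
    backing-store $2
    # IP filter: only this initiator may open a session. It is an access list,
    # not authentication; anything that can use this address gets through.
    initiator-address $3
    # CHAP: the initiator must prove it knows the secret before login succeeds.
    # 12 to 16 characters keeps the secret compatible with most initiators.
    incominguser $4 $5
</target>
EOF
}

# Write the block into tgt's conf.d as a root-only file (it contains the
# secret). Reload tgt afterwards, e.g. systemctl restart tgt.
# $1 file name without .conf, then the render_tgt_target arguments.
install_tgt_target() {
    name=$1; shift
    dir=${TGT_CONF_DIR:-/etc/tgt/conf.d}
    ( umask 077; render_tgt_target "$@" > "$dir/$name.conf" ) \
        || { rm -f "$dir/$name.conf"; return 1; }
}

# Typical use on the VPS (root):
#   install_tgt_target iscsi iqn.2025-02.com.example:disk1 \
#       /data/iscsi_encrypted.img 192.168.1.100 initiator1 'correct-horse-12'
#   systemctl restart tgt
```

On the initiator the matching credentials go into the node record before --login: iscsiadm -m node -T <iqn> -p <VPS_IP> -o update -n node.session.auth.authmethod -v CHAP, and the same -o update for node.session.auth.username and node.session.auth.password. With LUKS applied on the client, CHAP protects who may attach the disk while LUKS protects what they can read; neither replaces the other.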
2️⃣ On the Client (iSCSI Initiator)
- Install iSCSI tools:
apt install open-iscsi
- Discover the iSCSI target (port 3260; discovery is unauthenticated unless the target requires CHAP):
iscsiadm -m discovery -t sendtargets -p <VPS_IP>
- Log in to the iSCSI target:
iscsiadm -m node -T iqn.2025-02.com.example:disk1 -p <VPS_IP> --login
- Find the new disk. It shows TRAN=iscsi, and a stable name for it appears under /dev/disk/by-path/ (ip-<VPS_IP>:3260-iscsi-<iqn>-lun-1); the /dev/sdX letter can change between logins and boots, so do not rely on it:
lsblk -o NAME,SIZE,TRAN,FSTYPE
3️⃣ Encrypt the iSCSI Disk on the Client
Doing LUKS on the client means the passphrase is never typed on the VPS, and everything that crosses the network or lands in the image file is ciphertext. Replace sdX with the iSCSI disk identified above, and check it twice: luksFormat irreversibly wipes whatever device it is given. If the image was already LUKS-formatted on the server (first section), skip luksFormat and mkfs and only open and mount it.
- Set up LUKS encryption:
cryptsetup luksFormat /dev/sdX
- Open the encrypted disk:
cryptsetup open /dev/sdX encrypted_iscsi
- Format and mount it:
mkfs.ext4 -L secure_storage /dev/mapper/encrypted_iscsi
mkdir -p /mnt/secure
mount /dev/mapper/encrypted_iscsi /mnt/secure
- Automount on boot
Acquire the filesystem UUID (of the opened mapping):
sudo /sbin/blkid /dev/mapper/encrypted_iscsi
🔹 This will return something like:
/dev/mapper/encrypted_iscsi: UUID="dev-uuid" BLOCK_SIZE="4096" TYPE="ext4"
Acquire the LUKS UUID (of the raw iSCSI disk):
sudo /sbin/blkid | grep LUKS
/dev/sdb: UUID="luks-uuid" TYPE="crypto_LUKS"
📌 Copy both UUIDs for the next step. The entries below must reference UUIDs, not /dev/sdX names, because the iSCSI disk can get a different letter on every boot.
With noauto in both files the iSCSI block is detected at boot but stays locked; you unlock it manually when you need the files. _netdev tells systemd that the device depends on the network (the iSCSI session), so it is never waited for together with the local disks.
Add Entry to /etc/fstab
UUID=<dev-uuid> /mnt/secure ext4 defaults,noauto,_netdev 0 0
Add Entry to /etc/crypttab
encrypted_iscsi UUID=<luks-uuid> none luks,noauto,_netdev
🔹 What Happens on Boot?
- The iSCSI block appears as an encrypted device once the iSCSI session is up:
lsblk -o NAME,MOUNTPOINT,FSTYPE
Output:
NAME MOUNTPOINT FSTYPE
sdb             crypto_LUKS
There is no partition: LUKS was written to the whole disk. The system sees the block but cannot use it until you manually unlock it.
- Manually unlock when needed:
sudo cryptsetup open /dev/disk/by-uuid/<luks-uuid> encrypted_iscsi
The system will prompt for the LUKS passphrase. After unlocking, the device /dev/mapper/encrypted_iscsi will be available.
- Manually mount the filesystem (the fstab entry supplies the device and options):
sudo mount /mnt/secure
- Now the files in /mnt/secure can be accessed.
Backup and restore of the iSCSI image file
Transfer the img file. Close the LUKS mapping and detach the loop device on the source first (see the teardown steps at the end), otherwise the copy contains a half-written filesystem; -S (--sparse) keeps a mostly empty sparse image from being inflated to its full 100G on the destination:
rsync -avzhS --progress /directory/iscsi_encrypted.img user@destinationip:/path/to/backup
Verify file integrity. Compute the checksum on each host (the second command runs on the destination, for example over ssh); if the checksums differ, the copy is corrupted and you should re-transfer it:
sha256sum /path/to/local.img
sha256sum /path/to/remote.img
Check the file size on both hosts; if the sizes differ, the transfer was incomplete:
ls -lh /path/to/local.img
ls -lh /path/to/remote.img
Check that the image is a LUKS device. A valid LUKS header can be read from the attached loop device:
cryptsetup luksDump /dev/loop0
or directly from the image file (cryptsetup accepts a regular file):
cryptsetup luksDump /path/to/local.img
- If it fails with "Device is not a valid LUKS device", the file is corrupted or was never a LUKS volume.
Check for file corruption
a) Use the file command
file /path/to/local.img
This should return something like:
/path/to/local.img: LUKS encrypted file, ver 2, header size 16384, ... (or ver 1 [...] for a LUKS1 header)
- If it doesn't, the file is not a valid LUKS image.
b) Check with losetup. Make sure the image is attached to a loop device:
losetup -a
If the image is not listed, attach it and let losetup pick a free device (--show prints its name):
losetup -f --show /path/to/local.img
Then retry with the loop device it printed:
cryptsetup open /dev/loopX iscsi_encrypted
- Replace loopX with the loop device printed by losetup.
Unmount
umount /mnt/secure
Close the LUKS volume (by mapping name)
cryptsetup close iscsi_encrypted
Detach the loop device (always before backing up the image file or exporting it with tgt)
losetup -d /dev/loop0