To create disk image and mount point (and keep that private):
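# Create the mount point and a 40000 MiB image file, then make both
# unreadable to group/others before anything sensitive lands in them.
mkdir ~/Private
dd if=/dev/zero of=~/Documents/Private.ext4.crypt bs=1M count=40000
chmod go-wrx ~/Documents/Private.ext4.crypt ~/Private
# Turn the image into a LUKS container (prompts for the passphrase).
sudo cryptsetup luksFormat ~/Documents/Private.ext4.crypt
# Open it under /dev/mapper/<user>-private; the mapper name is quoted and
# built with $(...) rather than backticks so it survives odd user names.
sudo cryptsetup luksOpen ~/Documents/Private.ext4.crypt "$(id -un)-private"
# Create ext4 FS
sudo mkfs.ext4 "/dev/mapper/$(id -un)-private"
# Mount it and make it user owned (only needed once)
sudo mount "/dev/mapper/$(id -un)-private" ~/Private
sudo chown "$(id -un):$(id -gn)" ~/Private
sudo chmod go-rxw ~/Private
# Close
sudo umount ~/Private
sudo cryptsetup luksClose "$(id -un)-private"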
# Everyday use: decrypt and mount the private volume ...
sudo cryptsetup luksOpen ~/Documents/Private.ext4.crypt "$(id -un)-private"
sudo mount "/dev/mapper/$(id -un)-private" ~/Private
# ... and unmount and close it again when done.
sudo umount ~/Private
sudo cryptsetup luksClose "$(id -un)-private"
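# Pull a backup of banshee.local:Documents/bto into the encrypted volume.
# The destination is given as ~/Private/backup so the command does not depend
# on the current directory being the home directory.
mkdir ~/Private/backup
# --delete removes files in the backup that no longer exist at the source,
# so the backup is a mirror, not an archive of earlier states.
rsync -lavz --delete banshee.local:Documents/bto ~/Private/backup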
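# On the server (bang.local): allow client banshee.local to mount ~/Private/backup.
# Persistent /etc/exports variant, left commented out as in the original notes:
#echo "/home/$(id -un)/Private/backup banshee.local(rw,sync,no_subtree_check)" | sudo tee -a /etc/exports
#sudo service nfs-server restart
sudo exportfs -o rw,sync,no_subtree_check "banshee.local:/home/$(id -un)/Private/backup"
# on client:
# Note: mounting as (unsecure) nfsv3 since v4 will fail on permissions
# No sec= option is given, so NFSv3 runs with the default AUTH_SYS flavour and
# trusts the UID/GID the client asserts; the export is only as private as the
# network path and the single client host named above.
sudo mount.nfs -o rw,v3 "bang.local:/home/$(id -un)/Private/backup" /media/bang
# To stop share
# on Client:
sudo umount /media/bang
# on server:
sudo exportfs -u "banshee.local:/home/$(id -un)/Private/backup"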
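# sudoers drop-in so the current user can run /usr/local/bin/nfs-share as
# root without a password (the host field is ALL).
printf '%s ALL=NOPASSWD: /usr/local/bin/nfs-share\n' "$(id -un)" | sudo tee /etc/sudoers.d/nfs-share
# sudoers drop-ins must be root-owned and not group/world-writable; validate
# the syntax before relying on it, since a malformed drop-in makes sudo
# refuse to run at all.
sudo chmod 0440 /etc/sudoers.d/nfs-share
sudo visudo -cf /etc/sudoers.d/nfs-share
ssh bang.local nfs-share start
sudo mount.nfs -o rw,v3 "bang.local:/home/$(id -un)/Private/backup" /media/bang
# -f -l: forced, lazy unmount so a vanished server does not hang the client.
sudo umount -f -l /media/bang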
The following script can be used to mount an encrypted volume (local or remote):
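# sudoedit (sudo -e) runs the editor unprivileged on a temporary copy and
# installs the result as root, so vim itself never runs with root rights.
sudoedit /usr/local/bin/mount-priv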
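#!/bin/sh
# Will (u)mount ~/Private from ~/Documents/Private.ext4.crypt file
# Invoke as normal user (will sudo itself): mount-priv start|stop
# for root: uses mount-priv <id> start|stop
#
# Exit status: 0 on success, 1 on error (unknown user, no terminal when the
# passphrase is needed, failed cryptsetup/mount/umount, bad usage).
#
# NOTE(review): a NOPASSWD sudoers rule for this script lets any user holding
# that rule name any <id> on the root path below; the script only checks that
# the account exists, not that it belongs to the caller.

# Print a red error line on stderr. printf replaces 'echo -e', which is not
# portable under /bin/sh (dash's echo prints the "-e" literally).
err() {
  printf '\033[91mError: %s\033[0m\n' "$1" >&2
}

# Check if user is root, if not sudo ...
# The invoking user name becomes $1 of the re-executed (root) instance and the
# requested command becomes $2; sudo's exit status is passed through.
me=$(id -un)
if [ "$me" != "root" ]; then
  sudo "$0" "$me" "$1"
  exit $?
fi

# We check $1 is a valid user.
# '>/dev/null 2>&1' instead of '&>': under dash '&>' backgrounds the command,
# so the old check always passed and unvalidated names reached the paths below.
user=$1
if ! id -u "$user" >/dev/null 2>&1; then
  printf 'User %s does not exist\n' "$user" >&2
  exit 1
fi

# We are root, $user is (valid) user, $2 is command
img="/home/$user/Documents/Private.ext4.crypt"
dev="/dev/mapper/$user-private"
mnt="/home/$user/Private"

case "$2" in
  start)
    if [ -e "$dev" ]; then
      printf 'Warning: %s already exist, trying to use that\n' "$dev"
    else
      # We need to enter password, so check if shell is interactive
      if [ ! -t 0 ]; then
        err "must use an interactive shell"
        printf '%s\n' " If remote, consider using 'ssh -t ...'" >&2
        exit 1
      fi
      printf 'Mounting private dir for user %s...\n' "$user"
      if ! cryptsetup luksOpen "$img" "$user-private"; then
        err "can't decrypt '$img'"
        exit 1
      fi
    fi
    # nosuid,nodev: the image contents are under the user's control, so root's
    # mount must not honour set-uid binaries or device nodes found inside it.
    # '|| exit 1' replaces '[ $? != 0 ] && exit $?', whose $? was already 0
    # after the successful test and therefore exited 0 on a failed mount.
    mount -o nosuid,nodev "$dev" "$mnt" || exit 1
    printf '... done. \033[91mDo not forget to stop.\033[0m\n'
    ;;
  stop)
    printf "Stop sharing '%s' private dir...\n" "$user"
    # luksClose is attempted even if umount fails (e.g. already unmounted),
    # as before; the exit status now reflects whether the close succeeded.
    umount "$mnt"
    if cryptsetup luksClose "$user-private"; then
      printf '... done.\n'
    else
      exit 1
    fi
    ;;
  *)
    printf 'Usage: %s start|stop\n' "$0" >&2
    exit 1
    ;;
esac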
Configuration
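# The script is run as root through sudo, so it must be root-owned and not
# writable by the invoking user; otherwise the NOPASSWD rule below would let
# that user run arbitrary commands as root by editing the script.
sudo chown root:root /usr/local/bin/mount-priv
sudo chmod 755 /usr/local/bin/mount-priv
# To allow sudo with no password:
printf '%s ALL=NOPASSWD: /usr/local/bin/mount-priv\n' "$(id -un)" | sudo tee /etc/sudoers.d/user-priv
# sudoers drop-ins must be root-owned and not group/world-writable; validate
# the syntax before relying on it, since a malformed drop-in makes sudo
# refuse to run at all.
sudo chmod 0440 /etc/sudoers.d/user-priv
sudo visudo -cf /etc/sudoers.d/user-priv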
Usage:
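# Local
mount-priv start
mount-priv stop
# Remote: 'ssh -t' allocates a terminal, which the script requires before it
# prompts for the LUKS passphrase.
ssh -t bang.local mount-priv start
# Without -t there is no terminal on stdin, so this only succeeds when the
# mapper device is already open (the script then skips the passphrase prompt).
ssh bang.local mount-priv start
# Note: mount-priv should be invoked as a regular user.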
/usr/local/bin/nfs-share-priv
14-Oct-2019