Encrypt your data

Any work that holds sensitive data should protect it from prying eyes. Data protection is a huge subject and there is no single solution that fits everything, so this guide does not claim to cover everything; it only offers some suggestions.


Screenshot: Analysis operations on .db with structured data on a custom face dataset built with the open-source recops library.


This is a simple guide on how to set up a LUKS container and store recops data in it. Keep in mind that the guide works on Linux/Unix-based systems only. Throughout this guide we assume that we have an external drive under /dev/sdX.

ENCRYPT DRIVE

Set up a LUKS container on the external drive (with a detached header). A LUKS-encrypted disk is composed of a header, which contains information about how the content is encrypted, and the actual encrypted data. The header is a vital component, and without it the data are irrecoverable even if we know the encryption password.

In our setup we will separate the header and not include it on the disk. Thus, if the disk falls into the wrong hands, it will not be readable.

# First we generate a random encryption key
dd if=/dev/random bs=64 count=1 of=/tmp/key.bin

# Second we set up LUKS on our disk with a detached header
sudo cryptsetup luksFormat \
        --key-file=/tmp/key.bin \
        --header=/tmp/header.bin \
        /dev/sdX

# Then we open the encrypted volume
sudo cryptsetup open --key-file=/tmp/key.bin --header=/tmp/header.bin /dev/sdX recops

# And format the encrypted volume as ext4 (could use btrfs or another filesystem here)
sudo mkfs.ext4 /dev/mapper/recops

# Last we close the encrypted volume
sudo cryptsetup close recops

At this point we have completed the encrypted volume setup. Now we should securely store the header and the encryption key; we will use gpg to do so.

Another suggestion would be to use pass (GNU password store), which uses gpg underneath, but it is up to you to choose your own tools.

# Encrypt header
gpg --encrypt --sign --armor --recipient [user 1] --recipient [user 2] ... --output ~/header.bin.asc /tmp/header.bin

# Encrypt key
gpg --encrypt --sign --armor --recipient [user 1] --recipient [user 2] ... --output ~/key.bin.asc /tmp/key.bin

# Securely delete unencrypted header and key files 
shred -uvz -n 5 /tmp/key.bin /tmp/header.bin

USE ENCRYPTED DRIVE

To use our encrypted disk, we need to decrypt it, mount it, and point recops to store the data there.

# First decrypt header and key in a temporary location 
gpg --decrypt --output /tmp/key.bin    ~/key.bin.asc
gpg --decrypt --output /tmp/header.bin ~/header.bin.asc

# Open LUKS container
sudo cryptsetup open --key-file=/tmp/key.bin --header=/tmp/header.bin /dev/sdX recops

# Mount volume (creating a directory under /mnt requires root)
sudo mkdir -p /mnt/recops
sudo mount /dev/mapper/recops /mnt/recops

# Change ownership to our user so we can run recops as an unprivileged user.
sudo chown -R "$USER" /mnt/recops

# Delete unencrypted header and key from temporary location
shred -uvz -n 5 /tmp/key.bin /tmp/header.bin

Last, we need to direct recops to store its files and database on the encrypted volume.

mkdir -p /mnt/recops/data
export STORAGE_URI=file:///mnt/recops/data
export DATABASE_URI=sqlite:////mnt/recops/data/recops.db
recops --help

Now we are good to go. When we finish our work, we simply unmount and close our encrypted disk.

sudo umount /mnt/recops
sudo cryptsetup close recops
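
The decrypt, open and shred steps under USE ENCRYPTED DRIVE write the key and header to /tmp, which may be disk-backed. The following added example (not part of the original guide or of recops) stages them in a private RAM-backed directory and removes them even if a step fails. The function names, and the treatment of $XDG_RUNTIME_DIR and /dev/shm as tmpfs, are assumptions; source the file and call open_volume /dev/sdX.

```shell
#!/bin/sh
# Added example, not from the recops guide. Function names are hypothetical.

# Print the first writable RAM-backed candidate directory. Assumption:
# $XDG_RUNTIME_DIR and /dev/shm are tmpfs, as on most Linux distributions;
# /tmp is only a last resort because it may live on disk.
secret_base() {
    for d in "${XDG_RUNTIME_DIR:-}" /dev/shm /tmp; do
        if [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Create a fresh directory for the secrets and print its path.
# mktemp -d creates it with mode 0700, so other local users cannot read it.
make_secret_dir() {
    base=$(secret_base) || return 1
    mktemp -d "$base/recops.XXXXXX"
}

# Remove the staged secrets; safe to call twice. shred is best effort and
# only matters when the fallback /tmp is disk-backed.
wipe_secret_dir() {
    [ -d "$1" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        find "$1" -type f -exec shred -u {} + || true
    fi
    rm -rf -- "$1"
}

# Usage: open_volume /dev/sdX
# Runs in a subshell so the umask and the cleanup trap stay local to it.
open_volume() (
    umask 077
    dir=$(make_secret_dir) || exit 1
    trap 'wipe_secret_dir "$dir"' EXIT
    trap 'exit 1' INT TERM
    gpg --decrypt --output "$dir/key.bin" "$HOME/key.bin.asc" &&
    gpg --decrypt --output "$dir/header.bin" "$HOME/header.bin.asc" &&
    sudo cryptsetup open --key-file="$dir/key.bin" \
        --header="$dir/header.bin" "$1" recops
)
```

Mounting, the chown and the recops environment variables then proceed exactly as in the guide.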