Posted by: Eric Hansen
Remote Mounting, SSH, truecrypt
While testing new security possibilities on my home network, I was wondering how to make TrueCrypt volumes accessible via the network, without one having to mount the container itself locally. Granted, I was doing all of this during a 2 A.M. programming-and-security binge, so I wasn’t thinking clearly, but I finally stumbled upon an old friend of mine, sshfs. Basically, what sshfs is is essentially mount for SSH. It connects to a given directory via SSH (so you can also use key authentication…with a little bit of trickery), and if the remote server already has a TrueCrypt container mounted, you can just use sshfs for that. Here’s how!
This article already assumes you’ve created a TrueCrypt container and have it mounted somewhere on the remote server (preferably as an ext2/3/4, as I haven’t tested this with anything else), and that you have sshfs installed. If you don’t use key authentication for SSH, then the command to use is pretty simple:
sshfs -p [port # to SSH] [owner_of_remote_directory]@[remote_host]:[remote_directory] [local_directory]
So, for example, I have username bob, who wants to mount /media/presentations (owned by username alice) on server 10.0.0.4 to his local directory /home/bob/work with SSH running on port 4000, the command would be:
sshfs -p 4000 email@example.com:/media/presentations /home/bob/work
Of course, you can omit the “-p [port]” part if you’re using the standard port 22. If, for example, username bob owned /media/presentations, however, you can omit the “bob@” part as well…pretty much all standard SSH stuff. This will mount the TrueCrypt-mounted container /media/presentations to /home/bob/work without any intervention with TrueCrypt. An added bonus to this is that the user doesn’t need to know the password to the TrueCrypt container, and all they have to worry about is authenticating via SSH.
Now, if you want to use an authentication key file, instead of standard password, that poses a different issue. I scratched my head for a while at this, not knowing what to do, until I realized the “-i” switch for SSH. First, the command:
sshfs -p [port] -o ssh_command=”ssh -i /path/to/.ssh/id_dsa” [remote_user]@[server]:[remote_directory] [local_directory]
We use -o ssh_command=”…” to tell sshfs to use a specific SSH command (if you don’t include ssh in the command argument, isshfs will error out). The rest is the same, and follows the same rules. When you go to connect to the remote server now, it’ll ask you for the passphrase (if you set one) for the key file. Make note though that the /path/to/.ssh/id_dsa should reflect your actual key file. My server uses DSA encryption (instead of RSA, which is normal), and is stored in my user’s home directory inside of .ssh. You also don’t want to use the .pub file (the public key file that is generated by ssh-keygen), but the private key. Your mileage may vary, however, as SSH is very versatile, not every set up will work the same.