This article assumes that you have a running Ubuntu Server and a dedicated hard disk for your files. If you use a RAID or only a partition on an existing hard disk, device names need to be adapted accordingly.

Preparing & mounting the hard disk

The encryption part will be kept brief. A more detailed explanation of what is done can be found in my other article, Create and use encrypted disk images with LUKS.

First of all, the partition to be used needs to be encrypted. I will use AES encryption:

$ sudo cryptsetup -c aes-xts-plain64 -s 512 -h sha512 luksFormat /dev/sdb1

After executing this command, a prompt to confirm and to set a passphrase will appear. If sensitive data is stored, I suggest using:

  • at least 64 characters (LUKS has a compiled-in limit of 512 characters)
  • lowercase letters
  • uppercase letters
  • a variety of different special characters (!@#$%*)

And store the passphrase in a safe place.

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 

In this example, the encrypted device will be opened under the name securenas, and a filesystem will then be created on it.

$ sudo cryptsetup luksOpen /dev/sdb1 securenas
$ sudo mkfs.ext4 /dev/mapper/securenas

The luksOpen command asks for the passphrase defined earlier in order to decrypt the device.

Next, the device needs to be mounted at a location of choice.

$ sudo mkdir /srv/securenas
$ sudo mount -t ext4 /dev/mapper/securenas /srv/securenas

Now everything that is put inside /srv/securenas is stored encrypted.

Preparing the share (Samba) server

Which server software is required depends on the kind of share that is needed.

Installing Samba

In this example, I will be using Samba so that the server can be used from GNU/Linux, Windows, Android and Mac.

$ sudo apt install samba

Samba requires a global configuration to allow users to log in. These lines need to be edited in the [global] section of /etc/samba/smb.conf (on older Ubuntu versions, this will be /etc/samba.conf):

workgroup = WORKGROUP
security = user

For my personal files, I will create a share called daniele. I recommend not using the root folder in case multiple shares for multiple users are to be created.

Creating a share

This section therefore needs to be added at the end of the same file:

[daniele]
    comment = Daniele's share
    path = /srv/securenas/daniele
    browsable = yes
    guest ok = no
    read only = no
    create mask = 0755

If only one specific user is allowed to access this share, the key valid users needs to be defined in the same section:

valid users = daniele

The specified directory must exist before the Samba server is started, and it needs to be owned by nobody:nogroup.

$ sudo mkdir /srv/securenas/daniele
$ sudo chown nobody:nogroup /srv/securenas/daniele

Next, the services need to be restarted:

$ sudo systemctl enable smbd.service nmbd.service
$ sudo systemctl restart smbd.service nmbd.service

As the last step on the server, the user who is to access the share needs an SMB password.

$ sudo smbpasswd -a daniele
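
The share rules used above (no guest access, a valid users restriction, a path on the encrypted volume) can be checked for every section of smb.conf. The following is an added example, not part of the original article; the function names, the [scratch] share and the sample configuration are constructed for illustration, and every section other than [global] is treated as a share.

```sh
# Added example: audit smb.conf shares against the rules of this article.
# Assumption: every share must sit under the encrypted mount /srv/securenas.
audit_shares() {   # $1 = smb.conf path, $2 = encrypted mount point
    awk -v prefix="$2" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report() {
        if (share == "" || share == "global") return
        if (guest ~ /^(yes|true|1)$/) print share ": guest access enabled"
        if (users == "") print share ": no valid users restriction"
        if (path != prefix && index(path, prefix "/") != 1)
            print share ": path outside " prefix
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # comments and blank lines
    /^[ \t]*\[.*\]/ {                         # section header: flush previous
        report()
        share = tolower(trim($0)); gsub(/^\[|\]$/, "", share)
        guest = "no"; users = ""; path = ""
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = trim(substr($0, eq + 1))
        if (key == "guest ok" || key == "public") guest = tolower(val)
        else if (key == "valid users") users = val
        else if (key == "path") path = val
    }
    END { report() }
    ' "$1"
}

sample_conf() {   # constructed input: one compliant share, one that is not
    cat <<'EOF'
[global]
    workgroup = WORKGROUP
[daniele]
    path = /srv/securenas/daniele
    guest ok = no
    valid users = daniele
[scratch]
    path = /srv/scratch
    public = yes
EOF
}

conf=$(mktemp); sample_conf > "$conf"
audit_shares "$conf" /srv/securenas
rm -f "$conf"
```

On the server, the same function can be run as audit_shares /etc/samba/smb.conf /srv/securenas; empty output means every share passed.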

Mounting the share

The share can now be mounted on the client. The server is addressed by its IP, and the share name is the title of the section, in this case daniele. The user in this case is also daniele.

On the client:

$ mkdir securenas
$ sudo mount -t cifs -o user=daniele //192.168.1.17/daniele securenas