This article assumes that you have a running Ubuntu Server and a dedicated hard disk for your files. If you use a RAID or only a partition on an existing hard disk, device names need to be adapted accordingly.
Table of contents
- Preparing & mounting the hard disk
- Preparing the share (Samba) server
- Mounting the share
Preparing & mounting the hard disk
The complete encryption part will be held briefly. More explanation on what is done can be found on my other article Create and use encrypted disk images with LUKS
First of all, the used partition needs to be encrypted. I will use AES encryption:
$ sudo cryptsetup -c aes-xts-plain64 -s 512 -h sha512 luksFormat /dev/sdb1
After executing this command, a prompt to confirm and add a passphrase will appear. If sensible data is stored, I suggest using:
- at least 64 characters (LUKS has a compiled in limitation of 512 characters)
- lowercase letters
- uppercase letters
- a variety of different special characters (!@#$%*)
And store the passphrase in a safe place.
WARNING! ======== This will overwrite data on /dev/sdb1 irrevocably. Are you sure? (Type uppercase yes): YES Enter passphrase:
In this example, the encrypted device will be mounted with the name
And create a filesystem on it.
$ sudo cryptsetup luksOpen /dev/sdb1 securenas $ sudo mkfs.ext4 /dev/mapper/securenas
After executing the above command, the predefined password is required for decryption.
Next, the device needs to be mounted at a location of choice.
$ sudo mkdir /srv/securenas $ sudo mount -t ext4 /dev/mapper/securenas ~/srv/securenas
/srv/securenas and whatever will be put inside, is encrypted.
Preparing the share (Samba) server
Depending on what kind of share is needed, a server is required.
In this example, I will be using Samba in order to have the possibility to use this server on GNU/Linux, Windows, Android and Mac.
$ sudo apt install samba
Samba requires a global configuration to allow users to log in, these lines
need to be edited in the
[global] section of
/etc/samba/smb.conf (on older
Ubuntu versions, this will be
workgroup = WORKGROUP security = user
For my personal files, I will create a share called
daniele. I recommend not
using the root folder in case multiple shares for multiple users are to be
Creating a share
this section needs therefore to be added at the end of the same file:
[daniele] comment = Daniele's share path = /srv/securenas/daniele browsable = yes guest ok = no read only = no create mask = 0755
If only one specific user is allowed to access this share, the key
valid users needs to be defined in the same section:
valid users = daniele
the specified directory is required before starting the samba server and needs to belong to noone.
$ sudo mkdir /srv/securenas/daniele $ sudo chown nobody:nogroup /srv/securenas/daniele
Next, the services need to be restarted:
$ sudo systemctl enable smbd.service nmbd.service $ sudo systemctl restart smbd.service nmbd.service
As the last step on the server, the user which is to access the share, needs to have a SMB password.
$ sudo smbpasswd -a daniele
Mounting the share
On the client, the share can now be mounted. The server is the server IP, the
share name is the title of the section, in this case
daniele. And in this
case, the user is also
On the client:
$ mkdir securenas $ sudo mount -t cifs -o user=daniele //192.168.1.17/daniele securenas