I'm setting up an encrypted file storage on a remote server and I want to be able to use it transparently on my system. I want to be able to de-/encrypt them locally so that the server hosting the files won't be able to see what is stored. (So I can store sensitive files on pretty much any VPS, without having to consider their trustworthiness or the security of their infrastructure)
My current battleplan is to use NFS through SSH, with a dmcrypt container which is then mounted by the client. (I thought about using SSHFS, but multiple users are going to use the same share, which SSHFS' wikipedia page advised against)
So my question is:
- If I have a dmcrypt container on a NFS server, will the file encryption/decryption happen locally on the client or remotely on the NFS server?
I would also appreciate it if you have any obvious caveats or got-ya's I should be careful to avoid 🙂
Best Answer
dmcrypt is a Linux feature; the encryption happens on your Linux client.
NFS provides basic file operations such as open, close, read, and write. From the NFS server's point of view, your client is just doing those basic file operations on a huge file. It doesn't care what the contents are, what format the contents are in, or what the contents mean.
You should consider, though, that if your connection is ever disrupted, your dmcrypt image could become corrupted. (If you weren't running an entire image on NFS, then the damage would be limited to specific files that were open at the time of the disruption.)