January 22, 20215 yr Hi, I have been thinking of encrypting my array disks. I understand that : Unraid uses LUKS2 to encrypt/decrypt disks user can choose between either using a passphrase, or a key file such passphrase or key file is used by Unraid upon start of the array to decrypt the AES master keys actually used by LUKS to encrypt/decrypt the drives (1 master key for each drive) the latter master keys are stored in the LUKS header (1 header is present on each drive) Based on the above, I am planning to take the following precautions: Backup important data to a remote location before encrypting my array drives Backup my passphrase to some reputable password manager Backup the LUKS header of all drives by running commands like : "cryptsetup luksHeaderBackup --header-backup-file backup-file1 /dev/name1" and keeping the "backup-files" to a remote secure location Are there any additional precautions that one can think of ? Many thanks. Best OP Selection of sources I have used so far: https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions Edited January 22, 20215 yr by Opawesome
January 22, 20215 yr So you certainly have a lot of information already.. I can't really tell you anything useful but I can comment on my experiences thus far. I don't know about the headers and such and if or why you'd need/want to back them up. My experience is that the encryption can be a pain in the ass... Unraid's encryption system -- in my opinion - was implemented like it was an afterthought and not designed or implemented correctly to make using it easy. I have not used the passphrase option, only the key file, and perhaps that's the real issue. Any attempt at creating a secure keyfile -- i.e. removing the keyfile from /root where it resides at all times (meaning if someone accessed your server they would have access to the keyfile and could start the array without your interaction) introduces problems at being able to start the array with a remotely located keyfile -- there's no native solution to any sort of secure keyfile (the keyfile itself is stored in plaintext). My personal experience is that if the keyfile is not already in /root and I attempt to start the array in the GUI by selecting the keyfile --- it will not start. It fails 100% of the time saying invalid keyfile or something along those lines. Using the GUI to start the array with a keyfile does not work, period. For me. Remotely downloading the keyfile upon reboot/Unraid start from the Go file generally works --- but still does not start the array. Fails. Thus far I've only been able to manually download the keyfile and/or manually creating the keyfile then manually starting the array from command line in probably not the best method --- but again, no method from the GUI works... [code]echo -n 'MY KEY' > /root/keyfile && CSRF=$(cat /var/local/emhttp/var.ini | grep -oP 'csrf_token="\K[^"]+') && curl -k --data "startState=STOPPED&file=&csrf_token=${CSRF}&cmdStart=Start&luksKey=/root/keyfile" http://localhost/update.htm[/code] I don't know if the passphrase option works any better. I'm actually, probably, most likely, maybe considering UN-encrypting my drives to get around all these problems... not sure on that yet.. but if I'm dead then good luck to any family members trying to start the server.....
January 25, 20215 yr I would strongly advise against using encryption.. I shut down my array and can't even get the drives to mount again. Every method I've used in the past will not work, the keyfile ends up being blank. I'm getting a little worried here.
January 25, 20215 yr If you are not concerned with having the keyfile on the server's USB stick, then you can modify the 'go' file to automatically copy the file to auto decrypt the array. I used an image (which I obviously backed up). Copy the file to /boot/config/keyfile Create a 'go' entry to copy the file from /boot/config/keyfile to /root/keyfile -- # cat /boot/config/go #!/bin/bash # Start the Management Utility /usr/local/sbin/emhttp & cp /boot/config/keyfile /root/keyfile Edited January 25, 20215 yr by ezhik
January 25, 20215 yr 3 hours ago, Energen said: I would strongly advise against using encryption.. I shut down my array and can't even get the drives to mount again. Every method I've used in the past will not work, the keyfile ends up being blank. I'm getting a little worried here. That is very odd, are you sure something is not wrong with your setup?
January 25, 20215 yr 1 minute ago, ezhik said: That is very odd, are you sure something is not wrong with your setup? I managed to work it out with some help from doron.. was able to get things going again using the Go file to create the keyfile... every attempt at using a keyfile from the GUI or any other method that I could think of (like my code above to create the keyfile and start the array) was resulting in an emtpy keyfile in /root so it was very worrying and aggravating. I had changed out my hardware this morning so was praying I didn't inadvertently screw things up. All is well right now.
January 25, 20215 yr 8 minutes ago, Energen said: I managed to work it out with some help from doron.. was able to get things going again using the Go file to create the keyfile... every attempt at using a keyfile from the GUI or any other method that I could think of (like my code above to create the keyfile and start the array) was resulting in an emtpy keyfile in /root so it was very worrying and aggravating. I had changed out my hardware this morning so was praying I didn't inadvertently screw things up. All is well right now. As a rule of thumb, you also want to make sure you have a UPS setup to provide sufficient power for a graceful shutdown of your devices.
January 27, 20215 yr On 1/25/2021 at 5:19 PM, ezhik said: If you are not concerned with having the keyfile on the server's USB stick, then you can modify the 'go' file to automatically copy the file to auto decrypt the array. I used an image (which I obviously backed up). Copy the file to /boot/config/keyfile Create a 'go' entry to copy the file from /boot/config/keyfile to /root/keyfile -- # cat /boot/config/go #!/bin/bash # Start the Management Utility /usr/local/sbin/emhttp & cp /boot/config/keyfile /root/keyfile To picky back off of this, you can also autostart your encrypted array without having the key stored on your USB. I edited my go file to auto start my array with the key on a network device connected to my network across a site to site VPN connection that is offsite. There are other options as well such as what's shown in this video.
January 27, 20215 yr 7 hours ago, IamSpartacus said: To picky back off of this, you can also autostart your encrypted array without having the key stored on your USB. I edited my go file to auto start my array with the key on a network device connected to my network across a site to site VPN connection that is offsite. There are other options as well such as what's shown in this video. You want to make sure you avoid circular dependencies and shoot yourself in a foot. If your unRAID is also hosting VMs such as pfsense which is used for internet access, you might end up offline and with array offline.
January 28, 20215 yr 15 hours ago, ezhik said: You want to make sure you avoid circular dependencies and shoot yourself in a foot. If your unRAID is also hosting VMs such as pfsense which is used for internet access, you might end up offline and with array offline. Was this directed at me?
January 28, 20215 yr Yes. If it is a local network - no issue. If it has to connect to external sources, you might have a dependency on VMs and remote connectivity.
January 29, 20215 yr Author Wow, my thread got hijacked hard :-). I am glad you (@Energen) were able to solve your issues. Edited January 29, 20215 yr by Opawesome
February 1, 20215 yr On 1/28/2021 at 1:17 PM, ezhik said: Yes. If it is a local network - no issue. If it has to connect to external sources, you might have a dependency on VMs and remote connectivity. Yes if the remote end of my VPN is down I'd have to manually start the server but thats extremely rare and I'm ok with that.
May 26, 20215 yr Author If anyone is interested, below is a link to the script I wrote and which performs a backup of LUKS headers:
June 2, 20215 yr On 1/27/2021 at 7:58 AM, IamSpartacus said: To picky back off of this, you can also autostart your encrypted array without having the key stored on your USB. I edited my go file to auto start my array with the key on a network device connected to my network across a site to site VPN connection that is offsite. There are other options as well such as what's shown in this video. Sorry if this question has already been asked, but I plan on putting mine on a USB key that is behind a keystone wall jack. I'm making the assumption that a thief will not be taking my wall plates apart to search for a USB key. I haven't set this up yet, but plan on resetting my server with encryption. I'm a novice user, but I'm not seeing any reason why this wouldn't work for others.
June 2, 20215 yr 7 minutes ago, HenryL said: I plan on putting mine on a USB key that is behind a keystone wall jack. Links to parts you plan to use? I'm curious how you are planning to accomplish that. Keystone AF / AF with AM / AM cable connected to the server?
June 7, 20215 yr On 6/1/2021 at 7:08 PM, jonathanm said: Links to parts you plan to use? I'm curious how you are planning to accomplish that. Keystone AF / AF with AM / AM cable connected to the server? USB Keystone. I believe I have enough room in the wall, if not, I'll use a small USB jumper cable. I only plan to do this with the decryption key if possible, otherwise I put the whole thing inside wall. (I included the names instead of links so you can choose your own vender. Amazon is faster, but eBay is cheaper, especially when buying in bulk.) USB 3.0 Keystone SAMSUNG MUF-32AB/AM FIT Plus 32GB Edited June 7, 20215 yr by HenryL Image was too big / Forgot to include links
June 7, 20215 yr 1 hour ago, HenryL said: USB Keystone. I believe I have enough room in the wall, if not, I'll use a small USB jumper cable. How are you connecting the keystone to the server?
June 14, 20215 yr USB cable. Sorry I wasn't clear earlier. Edited June 14, 20215 yr by HenryL spelling
Archived
This topic is now archived and is closed to further replies.