Precautions before encrypting array disks with LUKS



Hi,

 

I have been thinking of encrypting my array disks. I understand that:

  • Unraid uses LUKS2 to encrypt/decrypt disks
  • user can choose between either using a passphrase, or a key file
  • such passphrase or key file is used by Unraid upon start of the array to decrypt the AES master keys actually used by LUKS to encrypt/decrypt the drives (1 master key for each drive)
  • the latter master keys are stored in the LUKS header (1 header is present on each drive)

 

Based on the above, I am planning to take the following precautions:

  • Backup important data to a remote location before encrypting my array drives
  • Backup my passphrase to some reputable password manager
  • Backup the LUKS header of all drives by running commands like: "cryptsetup luksHeaderBackup --header-backup-file backup-file1 /dev/name1" and keeping the "backup-files" in a remote secure location

 

Are there any additional precautions that one can think of?

 

Many thanks.

Best

OP

 

Selection of sources I have used so far:

 

https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions

 

 

 

 

 

 

Edited by Opawesome
Link to post
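The header backup step from the list above, as an added example that is not part of the original post: it backs up each drive's header with `cryptsetup luksHeaderBackup`, names the file after the drive's LUKS UUID, and checks that the backup parses as LUKS with the same UUID. The function names, output directory, file naming and `SHA256SUMS` file are assumptions.

```bash
#!/bin/bash
# Added example: back up and verify the LUKS header of each given device.
# The output directory and file naming are assumptions, not Unraid defaults.

# Back up one header, naming the file after the LUKS UUID so each backup
# can be matched to its drive later. Prints the backup path on success.
backup_luks_header() {
    local dev="$1" outdir="$2" uuid out
    cryptsetup isLuks "$dev" || { echo "skip $dev: not LUKS" >&2; return 2; }
    uuid=$(cryptsetup luksUUID "$dev") || return 1
    out="$outdir/luks-header-$uuid.img"
    # luksHeaderBackup refuses to overwrite, so an existing file is kept.
    if [ -e "$out" ]; then
        echo "skip $dev: $out already exists" >&2
        return 3
    fi
    ( umask 077
      cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out" ) || return 1
    # Verify: the backup must parse as LUKS and carry the same UUID.
    if ! cryptsetup isLuks "$out" ||
       [ "$(cryptsetup luksUUID "$out")" != "$uuid" ]; then
        echo "verification failed for $out" >&2
        rm -f -- "$out"
        return 4
    fi
    echo "$out"
}

# Back up every device given and record checksums for the off-site copy.
backup_all_headers() {
    local outdir="$1" rc=0 dev out
    shift
    mkdir -p "$outdir" && chmod 700 "$outdir" || return 1
    for dev in "$@"; do
        if out=$(backup_luks_header "$dev" "$outdir"); then
            ( cd "$outdir" && sha256sum "$(basename "$out")" >> SHA256SUMS )
        else
            rc=1
        fi
    done
    return "$rc"
}

# Runs only when given a directory and at least one device, e.g.
#   ./backup-headers.sh /mnt/remote/headers /dev/name1 /dev/name2
if [ "$#" -ge 2 ]; then
    backup_all_headers "$@"
fi
```

A header backup still unlocks the drive with the passphrase or key file that was valid when it was taken, so store it as carefully as the key itself and replace old copies after changing a key.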

So you certainly have a lot of information already.. I can't really tell you anything useful but I can comment on my experiences thus far.  I don't know about the headers and such and if or why you'd need/want to back them up.

 

My experience is that the encryption can be a pain in the ass... Unraid's encryption system -- in my opinion - was implemented like it was an afterthought and not designed or implemented correctly to make using it easy.

 

I have not used the passphrase option, only the key file, and perhaps that's the real issue.

 

Any attempt at creating a secure keyfile -- i.e. removing the keyfile from /root where it resides at all times (meaning if someone accessed your server they would have access to the keyfile and could start the array without your interaction) introduces problems at being able to start the array with a remotely located keyfile -- there's no native solution to any sort of secure keyfile (the keyfile itself is stored in plaintext).

 

My personal experience is that if the keyfile is not already in /root and I attempt to start the array in the GUI by selecting the keyfile --- it will not start.  It fails 100% of the time saying invalid keyfile or something along those lines.  Using the GUI to start the array with a keyfile does not work, period.  For me.

 

Remotely downloading the keyfile upon reboot/Unraid start from the Go file generally works --- but still does not start the array.  Fails.

 

Thus far I've only been able to manually download and/or manually create the keyfile, then manually start the array from the command line, which is probably not the best method --- but again, no method from the GUI works...

 

[code]echo -n 'MY KEY' > /root/keyfile && CSRF=$(cat /var/local/emhttp/var.ini | grep -oP 'csrf_token="\K[^"]+') && curl -k --data "startState=STOPPED&file=&csrf_token=${CSRF}&cmdStart=Start&luksKey=/root/keyfile" http://localhost/update.htm[/code]

 

I don't know if the passphrase option works any better.

 

I'm actually, probably, most likely, maybe considering UN-encrypting my drives to get around all these problems... not sure on that yet.. but if I'm dead then good luck to any family members trying to start the server.....

 

Link to post

I would strongly advise against using encryption.. I shut down my array and can't even get the drives to mount again.  Every method I've used in the past will not work, the keyfile ends up being blank. I'm getting a little worried here.

Link to post

If you are not concerned with having the keyfile on the server's USB stick, then you can modify the 'go' file to automatically copy the file to auto decrypt the array.

 

I used an image (which I obviously backed up). 

 

Copy the file to /boot/config/keyfile

Create a 'go' entry to copy the file from /boot/config/keyfile to /root/keyfile

 

--

# cat /boot/config/go 
#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &
cp /boot/config/keyfile /root/keyfile

 

Edited by ezhik
Link to post
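A more defensive form of the copy step in the 'go' file above, as an added example that is not ezhik's code: it refuses a missing or empty source (the blank keyfile reported earlier in this thread), creates the copy readable by its owner only, and replaces the destination only after a byte comparison succeeds. The function name `install_keyfile` is hypothetical; the paths are the ones from the post.

```bash
#!/bin/bash
# Added example for /boot/config/go: install the keyfile defensively.
# install_keyfile is a hypothetical helper, not part of Unraid.

install_keyfile() {
    local src="$1" dst="$2" tmp
    # A missing or empty source is the failure mode reported in this
    # thread: refuse it instead of leaving a blank keyfile in place.
    if [ ! -s "$src" ]; then
        echo "keyfile $src is missing or empty" >&2
        return 1
    fi
    tmp="$dst.tmp.$$"
    # Create the copy unreadable to other users from the first byte.
    ( umask 077; cp -- "$src" "$tmp" ) || return 1
    # Byte-compare before replacing whatever is at the destination.
    if ! cmp -s -- "$src" "$tmp"; then
        rm -f -- "$tmp"
        echo "copy of $src does not match the source" >&2
        return 1
    fi
    # Rename within the same directory so the keyfile is never half-written.
    mv -f -- "$tmp" "$dst"
}

# In the go file this would be called as:
#   install_keyfile /boot/config/keyfile /root/keyfile
if [ "$#" -eq 2 ]; then
    install_keyfile "$1" "$2"
fi
```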
3 hours ago, Energen said:

I would strongly advise against using encryption.. I shut down my array and can't even get the drives to mount again.  Every method I've used in the past will not work, the keyfile ends up being blank. I'm getting a little worried here.

 

That is very odd, are you sure something is not wrong with your setup?

Link to post
1 minute ago, ezhik said:

 

That is very odd, are you sure something is not wrong with your setup?

I managed to work it out with some help from doron.. was able to get things going again using the Go file to create the keyfile...

 

Every attempt at using a keyfile from the GUI or any other method that I could think of (like my code above to create the keyfile and start the array) was resulting in an empty keyfile in /root so it was very worrying and aggravating.  I had changed out my hardware this morning so was praying I didn't inadvertently screw things up.

 

All is well right now.

Link to post
8 minutes ago, Energen said:

I managed to work it out with some help from doron.. was able to get things going again using the Go file to create the keyfile...

 

Every attempt at using a keyfile from the GUI or any other method that I could think of (like my code above to create the keyfile and start the array) was resulting in an empty keyfile in /root so it was very worrying and aggravating.  I had changed out my hardware this morning so was praying I didn't inadvertently screw things up.

 

All is well right now.

 

As a rule of thumb, you also want to make sure you have a UPS setup to provide sufficient power for a graceful shutdown of your devices. 

Link to post
On 1/25/2021 at 5:19 PM, ezhik said:

If you are not concerned with having the keyfile on the server's USB stick, then you can modify the 'go' file to automatically copy the file to auto decrypt the array.

 

I used an image (which I obviously backed up). 

 

Copy the file to /boot/config/keyfile

Create a 'go' entry to copy the file from /boot/config/keyfile to /root/keyfile

 

--


# cat /boot/config/go 
#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &
cp /boot/config/keyfile /root/keyfile

 

 

To piggyback off of this, you can also autostart your encrypted array without having the key stored on your USB.  I edited my go file to auto start my array with the key on a network device connected to my network across a site to site VPN connection that is offsite.  There are other options as well such as what's shown in this video.
 

 

Link to post
7 hours ago, IamSpartacus said:

 

To piggyback off of this, you can also autostart your encrypted array without having the key stored on your USB.  I edited my go file to auto start my array with the key on a network device connected to my network across a site to site VPN connection that is offsite.  There are other options as well such as what's shown in this video.
 

 

 

 

 

You want to make sure you avoid circular dependencies and shooting yourself in the foot. If your unRAID is also hosting VMs such as pfsense which is used for internet access, you might end up offline and with array offline.

Link to post
15 hours ago, ezhik said:

 

 

 

You want to make sure you avoid circular dependencies and shooting yourself in the foot. If your unRAID is also hosting VMs such as pfsense which is used for internet access, you might end up offline and with array offline.

 

Was this directed at me?

Link to post
On 1/28/2021 at 1:17 PM, ezhik said:

Yes. If it is a local network - no issue. If it has to connect to external sources, you might have a dependency on VMs and remote connectivity. 

 

Yes, if the remote end of my VPN is down I'd have to manually start the server, but that's extremely rare and I'm ok with that.

Link to post
