Opawesome Posted January 22, 2021 (edited)

Hi,

I have been thinking of encrypting my array disks. I understand that:

- Unraid uses LUKS2 to encrypt/decrypt disks
- the user can choose between either using a passphrase or a key file
- such passphrase or key file is used by Unraid upon start of the array to decrypt the AES master keys actually used by LUKS to encrypt/decrypt the drives (1 master key for each drive)
- the latter master keys are stored in the LUKS header (1 header is present on each drive)

Based on the above, I am planning to take the following precautions:

- Backup important data to a remote location before encrypting my array drives
- Backup my passphrase to some reputable password manager
- Backup the LUKS header of all drives by running commands like "cryptsetup luksHeaderBackup --header-backup-file backup-file1 /dev/name1" and keeping the backup files in a remote secure location

Are there any additional precautions that one can think of?

Many thanks.

Best
OP

Selection of sources I have used so far: https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions

Edited January 22, 2021 by Opawesome
Energen Posted January 22, 2021

So you certainly have a lot of information already.. I can't really tell you anything useful but I can comment on my experiences thus far. I don't know about the headers and such and if or why you'd need/want to back them up.

My experience is that the encryption can be a pain in the ass... Unraid's encryption system -- in my opinion -- was implemented like it was an afterthought and not designed or implemented correctly to make using it easy. I have not used the passphrase option, only the key file, and perhaps that's the real issue. Any attempt at creating a secure keyfile -- i.e. removing the keyfile from /root where it resides at all times (meaning if someone accessed your server they would have access to the keyfile and could start the array without your interaction) -- introduces problems at being able to start the array with a remotely located keyfile; there's no native solution to any sort of secure keyfile (the keyfile itself is stored in plaintext).

My personal experience is that if the keyfile is not already in /root and I attempt to start the array in the GUI by selecting the keyfile, it will not start. It fails 100% of the time saying invalid keyfile or something along those lines. Using the GUI to start the array with a keyfile does not work, period. For me. Remotely downloading the keyfile upon reboot/Unraid start from the Go file generally works, but still does not start the array. Fails.

Thus far I've only been able to manually download the keyfile and/or manually create the keyfile, then manually start the array from the command line, in probably not the best method -- but again, no method from the GUI works...

[code]
# write the key (echo -n: a trailing newline would make it a different key),
# read the CSRF token emhttp expects from its state file, then POST the
# "Start" request to emhttp's update.htm, pointing it at the keyfile
echo -n 'MY KEY' > /root/keyfile \
  && CSRF=$(grep -oP 'csrf_token="\K[^"]+' /var/local/emhttp/var.ini) \
  && curl -k --data "startState=STOPPED&file=&csrf_token=${CSRF}&cmdStart=Start&luksKey=/root/keyfile" http://localhost/update.htm
[/code]

I don't know if the passphrase option works any better. I'm actually, probably, most likely, maybe considering UN-encrypting my drives to get around all these problems... not sure on that yet.. but if I'm dead then good luck to any family members trying to start the server.....
Energen Posted January 25, 2021

I would strongly advise against using encryption.. I shut down my array and can't even get the drives to mount again. Every method I've used in the past will not work, the keyfile ends up being blank. I'm getting a little worried here.
ezhik Posted January 25, 2021 (edited)

If you are not concerned with having the keyfile on the server's USB stick, then you can modify the 'go' file to automatically copy the file to auto decrypt the array. I used an image (which I obviously backed up).

Copy the file to /boot/config/keyfile

Create a 'go' entry to copy the file from /boot/config/keyfile to /root/keyfile:

[code]
# cat /boot/config/go
#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &
# copy the keyfile off the USB stick to the path the array start uses
cp /boot/config/keyfile /root/keyfile
[/code]

Edited January 25, 2021 by ezhik
ezhik Posted January 25, 2021

3 hours ago, Energen said:
I would strongly advise against using encryption.. I shut down my array and can't even get the drives to mount again. Every method I've used in the past will not work, the keyfile ends up being blank. I'm getting a little worried here.

That is very odd, are you sure something is not wrong with your setup?
Energen Posted January 25, 2021

1 minute ago, ezhik said:
That is very odd, are you sure something is not wrong with your setup?

I managed to work it out with some help from doron.. was able to get things going again using the Go file to create the keyfile... every attempt at using a keyfile from the GUI or any other method that I could think of (like my code above to create the keyfile and start the array) was resulting in an empty keyfile in /root, so it was very worrying and aggravating. I had changed out my hardware this morning so was praying I didn't inadvertently screw things up. All is well right now.
ezhik Posted January 25, 2021

8 minutes ago, Energen said:
I managed to work it out with some help from doron.. was able to get things going again using the Go file to create the keyfile... every attempt at using a keyfile from the GUI or any other method that I could think of (like my code above to create the keyfile and start the array) was resulting in an empty keyfile in /root, so it was very worrying and aggravating. I had changed out my hardware this morning so was praying I didn't inadvertently screw things up. All is well right now.

As a rule of thumb, you also want to make sure you have a UPS set up to provide sufficient power for a graceful shutdown of your devices.
IamSpartacus Posted January 27, 2021

On 1/25/2021 at 5:19 PM, ezhik said:
If you are not concerned with having the keyfile on the server's USB stick, then you can modify the 'go' file to automatically copy the file to auto decrypt the array. I used an image (which I obviously backed up). Copy the file to /boot/config/keyfile. Create a 'go' entry to copy the file from /boot/config/keyfile to /root/keyfile:
# cat /boot/config/go
#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &
cp /boot/config/keyfile /root/keyfile

To piggyback off of this, you can also autostart your encrypted array without having the key stored on your USB. I edited my go file to auto start my array with the key on a network device connected to my network across a site to site VPN connection that is offsite. There are other options as well such as what's shown in this video.
ezhik Posted January 27, 2021

7 hours ago, IamSpartacus said:
To piggyback off of this, you can also autostart your encrypted array without having the key stored on your USB. I edited my go file to auto start my array with the key on a network device connected to my network across a site to site VPN connection that is offsite. There are other options as well such as what's shown in this video.

You want to make sure you avoid circular dependencies and shoot yourself in the foot. If your unRAID is also hosting VMs such as pfsense which is used for internet access, you might end up offline and with the array offline.
IamSpartacus Posted January 28, 2021

15 hours ago, ezhik said:
You want to make sure you avoid circular dependencies and shoot yourself in the foot. If your unRAID is also hosting VMs such as pfsense which is used for internet access, you might end up offline and with the array offline.

Was this directed at me?
ezhik Posted January 28, 2021

Yes. If it is a local network - no issue. If it has to connect to external sources, you might have a dependency on VMs and remote connectivity.
Opawesome Posted January 29, 2021 (Author, edited)

Wow, my thread got hijacked hard :-). I am glad you (@Energen) were able to solve your issues.

Edited January 29, 2021 by Opawesome
IamSpartacus Posted February 1, 2021

On 1/28/2021 at 1:17 PM, ezhik said:
Yes. If it is a local network - no issue. If it has to connect to external sources, you might have a dependency on VMs and remote connectivity.

Yes, if the remote end of my VPN is down I'd have to manually start the server, but that's extremely rare and I'm ok with that.
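The remote-keyfile setup described above has exactly the failure mode ezhik warns about: if the tunnel (or a router VM living on this same array) is down at boot, a naive `go` entry either hangs or writes an empty /root/keyfile, which is the blank-keyfile symptom reported earlier in this thread. The script below is an added example, not any poster's go file. It fetches the keyfile over TLS with a bounded number of attempts, treats an empty download as a failure, and leaves nothing behind when it gives up, so the server still boots and the array simply waits for a manual start. The key host URL (KEY_URL), the pinned CA file (CA_CERT) and the retry settings are placeholders; the FETCH variable exists so the retry and fallback logic can be exercised without a network.

```bash
#!/bin/bash
# Added example (not any poster's go file): fetch the LUKS keyfile from a host
# that is only reachable over the site-to-site VPN, with a bounded number of
# attempts, so a tunnel that is down leaves the server booted with the array
# stopped for a manual start rather than a hung boot or an empty /root/keyfile.
# KEY_URL and CA_CERT are assumptions; adjust them for your key host.

KEY_URL="${KEY_URL:-https://keyhost.example.internal/unraid/keyfile}"  # assumption
CA_CERT="${CA_CERT:-/boot/config/keyhost-ca.pem}"                      # assumption: CA of the key host, pinned
KEYFILE="${KEYFILE:-/root/keyfile}"
ATTEMPTS="${ATTEMPTS:-6}"
DELAY="${DELAY:-10}"                # seconds between attempts (~1 minute budget before giving up)
FETCH="${FETCH:-fetch_with_curl}"   # overridable so the retry/fallback logic can be tested offline

# Download $1 to $2 over TLS, verified against the pinned CA; any HTTP error is a failure.
fetch_with_curl() {
    curl --silent --show-error --fail --max-time 15 --cacert "$CA_CERT" -o "$2" "$1"
}

# Try to put the keyfile in place. Returns 0 on success, 1 if it could not be
# obtained within the attempt budget; the partial download is removed so no
# blank keyfile is left where the array start would pick it up.
obtain_keyfile() {
    local tmp attempt
    umask 077   # shell-wide on purpose: temp file and keyfile readable by root only
    tmp="$(mktemp "${KEYFILE}.XXXXXX")" || return 1
    attempt=1
    while [ "$attempt" -le "$ATTEMPTS" ]; do
        # -s: an empty download is a failed download, not a key
        if "$FETCH" "$KEY_URL" "$tmp" && [ -s "$tmp" ]; then
            mv -f "$tmp" "$KEYFILE"
            return 0
        fi
        echo "keyfile fetch attempt $attempt/$ATTEMPTS failed" >&2
        attempt=$((attempt + 1))
        [ "$attempt" -le "$ATTEMPTS" ] && sleep "$DELAY"
    done
    rm -f "$tmp"
    echo "no keyfile after $ATTEMPTS attempts; array left stopped for manual start" >&2
    return 1
}

# From /boot/config/go, after emhttp has been launched:
#   obtain_keyfile && <start the array with /root/keyfile, e.g. the update.htm request quoted earlier>
# obtain_keyfile failing is the intended outcome when the VPN is down: nothing
# hangs, nothing blank is written, and the array waits for a manual start.
```

Keep the VPN endpoint independent of the array (a physical router or a box outside this server), and note that the key host only needs to serve one small file to one client: restrict it to the server's VPN address and rotate the keyfile if that host is ever compromised, since whoever can read it can start the array.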
Opawesome Posted May 26, 2021 (Author)

If anyone is interested, below is a link to the script I wrote and which performs a backup of LUKS headers:
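The header-backup precaution from the opening post, and the script referred to here, as an added example (this is not the poster's script, which is not reproduced on this page). It runs the same luksHeaderBackup command for each array member, but also refuses non-LUKS devices and existing backups, verifies each copy with luksDump before trusting it, and writes SHA256SUMS next to the backups so the off-site copies can be checked later without cryptsetup. The device paths and destination directory in the usage line are placeholders; the CRYPTSETUP and STAMP variables exist only so the logic can be exercised without real LUKS devices.

```bash
#!/bin/bash
# Added example (not the thread's own script): back up the LUKS header of every
# encrypted array member, verify each copy with luksDump, and write SHA256SUMS
# alongside so the off-site copies can be checked for corruption later.
# Assumes cryptsetup is on PATH and the devices are present; the device paths
# and destination directory in the usage line are placeholders.
set -u

CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"   # overridable so the logic can be exercised without LUKS devices
STAMP="${STAMP:-$(date +%Y%m%d)}"        # date tag in each backup name

# Name a backup after the device and the date, e.g. sdb_20210122.luksheader
backup_name() {
    printf '%s_%s.luksheader' "$(basename "$1")" "$2"
}

# Back up one header into directory $2. Prints the backup path on success, returns 1 otherwise.
backup_one() {
    local dev="$1" dest="$2" out
    out="$dest/$(backup_name "$dev" "$STAMP")"
    # A "header backup" of a non-LUKS disk is just the first bytes of a plain filesystem.
    if ! "$CRYPTSETUP" isLuks "$dev"; then
        echo "skip $dev: not a LUKS device" >&2
        return 1
    fi
    # Never silently overwrite a previous backup: an older header is exactly what
    # you want if a later keyslot change went wrong.
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out" >&2
        return 1
    fi
    "$CRYPTSETUP" luksHeaderBackup "$dev" --header-backup-file "$out" || return 1
    # A backup cryptsetup itself cannot parse is worthless; check before relying on it.
    if ! "$CRYPTSETUP" luksDump "$out" >/dev/null; then
        echo "verify failed: $out" >&2
        rm -f "$out"
        return 1
    fi
    chmod 0600 "$out"
    echo "$out"
}

# Back up every device given into $1. Returns 1 if any device failed.
backup_luks_headers() {
    local dest="$1" dev rc=0 n=0
    shift
    mkdir -p "$dest" && chmod 0700 "$dest" || return 1
    for dev in "$@"; do
        if backup_one "$dev" "$dest"; then n=$((n + 1)); else rc=1; fi
    done
    # Checksums let you verify the remote copies without cryptsetup at hand.
    if [ "$n" -gt 0 ]; then
        (cd "$dest" && sha256sum ./*.luksheader > SHA256SUMS)
    fi
    echo "$n header(s) backed up to $dest" >&2
    return $rc
}

# Usage (placeholders): backup_luks_headers /mnt/user/luks-headers /dev/sdb /dev/sdc /dev/sdd
```

One caveat from the cryptsetup FAQ the opening post cites: a header backup is a full copy of the keyslots, so it plus any passphrase that was valid when it was taken unlocks the disk even after that passphrase is later changed or removed. Treat the backup files like the keyfile itself (hence the 0600/0700 modes and an encrypted off-site location), and take fresh backups after any keyslot change.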
HenryL Posted June 2, 2021

On 1/27/2021 at 7:58 AM, IamSpartacus said:
To piggyback off of this, you can also autostart your encrypted array without having the key stored on your USB. I edited my go file to auto start my array with the key on a network device connected to my network across a site to site VPN connection that is offsite. There are other options as well such as what's shown in this video.

Sorry if this question has already been asked, but I plan on putting mine on a USB key that is behind a keystone wall jack. I'm making the assumption that a thief will not be taking my wall plates apart to search for a USB key. I haven't set this up yet, but plan on resetting my server with encryption. I'm a novice user, but I'm not seeing any reason why this wouldn't work for others.
JonathanM Posted June 2, 2021

7 minutes ago, HenryL said:
I plan on putting mine on a USB key that is behind a keystone wall jack.

Links to parts you plan to use? I'm curious how you are planning to accomplish that. Keystone AF / AF with AM / AM cable connected to the server?
HenryL Posted June 7, 2021 (edited)

On 6/1/2021 at 7:08 PM, jonathanm said:
Links to parts you plan to use? I'm curious how you are planning to accomplish that. Keystone AF / AF with AM / AM cable connected to the server?

USB Keystone. I believe I have enough room in the wall; if not, I'll use a small USB jumper cable. I only plan to do this with the decryption key if possible, otherwise I put the whole thing inside the wall. (I included the names instead of links so you can choose your own vendor. Amazon is faster, but eBay is cheaper, especially when buying in bulk.)

- USB 3.0 Keystone
- SAMSUNG MUF-32AB/AM FIT Plus 32GB

Edited June 7, 2021 by HenryL: Image was too big / Forgot to include links
JonathanM Posted June 7, 2021

1 hour ago, HenryL said:
USB Keystone. I believe I have enough room in the wall, if not, I'll use a small USB jumper cable.

How are you connecting the keystone to the server?
HenryL Posted June 14, 2021 (edited)

USB cable. Sorry I wasn't clear earlier.

Edited June 14, 2021 by HenryL: spelling