April 21, 20215 yr Hi all, I just finished setting up my first unRAID server, or at least I thought I did. Before my final setup I took a few days to play with a test configuration with fewer (smaller) drives on my final hardware and some play data to make sure my hardware would all work as desired. I tested a bunch of things including array encryption with a dummy keyfile. Then I shut down, put in my shiny new 8 TB drives, booted up, used the "New Config" tool to start over, and started my new configuration with my SSD cache and my new strong keyfile. Then, when I got to the step in my setup procedure, "Full power cycle to make sure everything works", it didn't. I couldn't decrypt my array. I had the fancy new keyfile that I used when creating the new Array but no matter how many times I tried, it didn't work. On a whim, I tried the dummy key file and voila, it worked. I'm guessing that what's going on here is that I didn't do the New Config before the shutdown and I maybe unlocked the old array while messing around with setting up the new one which led to the LUKS master key not being reset by New Config. I would think that creating the new array with a different keyfile should either raise an error and fail loudly or add a new key to the LUKS key list (wildly insecure without if the user is unaware) so I think this is either a bug (silent failure/wildly insecure default behavior) or I just have no idea what's going on (a definite possibility). It also looks like the drives are still associated with a particular mount point after running New Config, I can't completely tell how to format them in the GUI without adding them to an array so maybe this is related? If this is a bug fixing it is definitely important, but the purpose of this post is to get me back on track with my server build. So how do I reset the encryption keys? I haven't paid for the full version yet so if I can just wipe and re-make the USB drive with the trial that's fine with me (do I need to copy the trial key first?) but I'd prefer not to invalidate the current USB key if possible. I'm also comfortable in the terminal and am happy to execute commands for a fix (though I'm really a Debian/Ubuntu/RHEL guy and not a Slackware person) but as this is a matter of security, it's essential that this be a clean fix, not a workaround that may add an attack surface in some way. Thoughts? P.S. My money is on formatting the USB drive or new USB drive but I'm interested to hear and learn from the community.
April 21, 20215 yr Community Expert New config will never reset encryption key, that is stored on the devices, you need to re-format them.
April 21, 20215 yr Author I erased and formatted when adding to a new array in the GUI. And the new disks were both brand new and pre-cleared. I can try putting them on a different machine and doing a "quick erase" with /dev/zero and dd and then come back to the unRaid box.
April 21, 20215 yr Author 10 hours ago, JorgeB said: New config will never reset encryption key, that is stored on the devices, you need to re-format them. Not strictly relevant to fixing my issue, but shouldn't UnRAID have prevented me from making an array with a new key if it wasn't going to work? Is there a command I can run to quickly test if a disk will take a new key so that I can "fail fast"?
April 21, 20215 yr Community Expert Keys are saved on the disks, new config won't reset that since it doesn't touch the disks, they need to be re-formatted.
April 23, 20215 yr Author I tried a bunch of things that didn't appear to fix the problem (wipefs, write the first 4 MB with zeros). That made me more sure it's something I'm doing wrong. I'll post again when I can confirm. @JorgeB Thank you for your help and prompt replies. I appreciate it.
April 23, 20215 yr Author Ok, I would not say that my tests were definitive, but I am confident enough to say that this was user error (my fault). The ultimate issue sprang from how I made my key. I tried to concatenate a few binary files to make a file key and, for whatever reason, the key that actually registered was only the first of the concatenated files (I made sure to test with a combined keyfile size of less than 8 MB). While I don't have a complete, in-depth understanding of what happened, I think I have enough information for me to keep going with my build.
Archived
This topic is now archived and is closed to further replies.