Jump to content

[SOLVED] New Config does not reset encryption key


Recommended Posts

Hi all,

 

I just finished setting up my first unRAID server, or at least I thought I did.  

 

Before my final setup I took a few days to play with a test configuration with fewer (smaller) drives on my final hardware and some play data to make sure my hardware would all work as desired.  I tested a bunch of things including array encryption with a dummy keyfile.  Then I shut down, put in my shiny new 8 TB drives, booted up, used the "New Config" tool to start over, and started my new configuration with my SSD cache and my new strong keyfile.  Then, when I got to the step in my setup procedure, "Full power cycle to make sure everything works", it didn't.

 

I couldn't decrypt my array.  I had the fancy new keyfile that I used when creating the new Array but no matter how many times I tried, it didn't work.  On a whim, I tried the dummy key file and voila, it worked.  

 

I'm guessing that what's going on here is that I didn't do the New Config before the shutdown and I maybe unlocked the old array while messing around with setting up the new one which led to the LUKS master key not being reset by New Config.  I would think that creating the new array with a different keyfile should either raise an error and fail loudly or add a new key to the LUKS key list (wildly insecure without if the user is unaware) so I think this is either a bug (silent failure/wildly insecure default behavior) or I just have no idea what's going on (a definite possibility).  

 

It also looks like the drives are still associated with a particular mount point after running New Config, I can't completely tell how to format them in the GUI without adding them to an array so maybe this is related?

 

If this is a bug fixing it is definitely important, but the purpose of this post is to get me back on track with my server build.  So how do I reset the encryption keys?  I haven't paid for the full version yet so if I can just wipe and re-make the USB drive with the trial that's fine with me (do I need to copy the trial key first?) but I'd prefer not to invalidate the current USB key if possible.  I'm also comfortable in the terminal and am happy to execute commands for a fix (though I'm really a Debian/Ubuntu/RHEL guy and not a Slackware person) but as this is a matter of security, it's essential that this be a clean fix, not a workaround that may add an attack surface in some way.  

 

Thoughts?  

 

 

P.S. 

My money is on formatting the USB drive or new USB drive but I'm interested to hear and learn from the community. 

Link to comment
10 hours ago, JorgeB said:

New config will never reset encryption key, that is stored on the devices, you need to re-format them.

 

Not strictly relevant to fixing my issue, but shouldn't UnRAID have prevented me from making an array with a new key if it wasn't going to work?  

 

Is there a command I can run to quickly test if a disk will take a new key so that I can "fail fast"?

Link to comment

Ok, I would not say that my tests were definitive, but I am confident enough to say that this was user error (my fault).  

 

The ultimate issue sprang from how I made my key.  I tried to concatenate a few binary files to make a file key and, for whatever reason, the key that actually registered was only the first of the concatenated files (I made sure to test with a combined keyfile size of less than 8 MB).  

 

While I don't have a complete, in-depth understanding of what happened, I think I have enough information for me to keep going with my build.  

  • Like 1
Link to comment
  • JokesOnYou77 changed the title to [SOLVED] New Config does not reset encryption key

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...