JokesOnYou77 Posted April 21, 2021 Share Posted April 21, 2021 Hi all, I just finished setting up my first unRAID server, or at least I thought I did. Before my final setup I took a few days to play with a test configuration with fewer (smaller) drives on my final hardware and some play data to make sure my hardware would all work as desired. I tested a bunch of things including array encryption with a dummy keyfile. Then I shut down, put in my shiny new 8 TB drives, booted up, used the "New Config" tool to start over, and started my new configuration with my SSD cache and my new strong keyfile. Then, when I got to the step in my setup procedure, "Full power cycle to make sure everything works", it didn't. I couldn't decrypt my array. I had the fancy new keyfile that I used when creating the new Array but no matter how many times I tried, it didn't work. On a whim, I tried the dummy key file and voila, it worked. I'm guessing that what's going on here is that I didn't do the New Config before the shutdown and I maybe unlocked the old array while messing around with setting up the new one which led to the LUKS master key not being reset by New Config. I would think that creating the new array with a different keyfile should either raise an error and fail loudly or add a new key to the LUKS key list (wildly insecure without if the user is unaware) so I think this is either a bug (silent failure/wildly insecure default behavior) or I just have no idea what's going on (a definite possibility). It also looks like the drives are still associated with a particular mount point after running New Config, I can't completely tell how to format them in the GUI without adding them to an array so maybe this is related? If this is a bug fixing it is definitely important, but the purpose of this post is to get me back on track with my server build. So how do I reset the encryption keys? I haven't paid for the full version yet so if I can just wipe and re-make the USB drive with the trial that's fine with me (do I need to copy the trial key first?) but I'd prefer not to invalidate the current USB key if possible. I'm also comfortable in the terminal and am happy to execute commands for a fix (though I'm really a Debian/Ubuntu/RHEL guy and not a Slackware person) but as this is a matter of security, it's essential that this be a clean fix, not a workaround that may add an attack surface in some way. Thoughts? P.S. My money is on formatting the USB drive or new USB drive but I'm interested to hear and learn from the community. Quote Link to comment
JorgeB Posted April 21, 2021 Share Posted April 21, 2021 New config will never reset encryption key, that is stored on the devices, you need to re-format them. Quote Link to comment
JokesOnYou77 Posted April 21, 2021 Author Share Posted April 21, 2021 I erased and formatted when adding to a new array in the GUI. And the new disks were both brand new and pre-cleared. I can try putting them on a different machine and doing a "quick erase" with /dev/zero and dd and then come back to the unRaid box. Quote Link to comment
JokesOnYou77 Posted April 21, 2021 Author Share Posted April 21, 2021 10 hours ago, JorgeB said: New config will never reset encryption key, that is stored on the devices, you need to re-format them. Not strictly relevant to fixing my issue, but shouldn't UnRAID have prevented me from making an array with a new key if it wasn't going to work? Is there a command I can run to quickly test if a disk will take a new key so that I can "fail fast"? Quote Link to comment
JorgeB Posted April 21, 2021 Share Posted April 21, 2021 Keys are saved on the disks, new config won't reset that since it doesn't touch the disks, they need to be re-formatted. Quote Link to comment
JokesOnYou77 Posted April 23, 2021 Author Share Posted April 23, 2021 I tried a bunch of things that didn't appear to fix the problem (wipefs, write the first 4 MB with zeros). That made me more sure it's something I'm doing wrong. I'll post again when I can confirm. @JorgeB Thank you for your help and prompt replies. I appreciate it. Quote Link to comment
JokesOnYou77 Posted April 23, 2021 Author Share Posted April 23, 2021 Ok, I would not say that my tests were definitive, but I am confident enough to say that this was user error (my fault). The ultimate issue sprang from how I made my key. I tried to concatenate a few binary files to make a file key and, for whatever reason, the key that actually registered was only the first of the concatenated files (I made sure to test with a combined keyfile size of less than 8 MB). While I don't have a complete, in-depth understanding of what happened, I think I have enough information for me to keep going with my build. 1 Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.