Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Encryption of the USB Flash Drive

Featured Replies

Hi guys,

 

is it possible to encrypt the flash drive? I would like to do it by using dropbear, which let u type the passphrase via a small ssh server preboot.

3 hours ago, 1020ps said:

Hi guys,

 

is it possible to encrypt the flash drive? I would like to do it by using dropbear, which let u type the passphrase via a small ssh server preboot.

Not that I know of as the flash drive has to be readable at the BIOS level for booting.

  • Author

On Ubuntu machines there is a separate boot partition which is unencrypted and is holding the initramfs which is having the dropbear application to unlock the luks partition.

What is the operating system under unraid?

 

What Data is stored on the usb? Can someone with physical access, access everything without knowing the password? For an example where are the encryption keys saved for the encrypted disks?

Edited by 1020ps

The flash drive IS the boot partition as far as Unraid is concerned.

 

Unraid has a cut down version of Slackware as the underlying OS.

 

The flash drive holds all your basic server configuration information in the 'config' folder on the flash drive.    However this will NOT hold encryption keys as that information is in principle entered via the GUI during the initial startup phase and then only held in RAM.   If you want to automate starting encrypted arrays without involving the GUI then you will have stored the keys somewhere else and put in place a process to read the keys from that location as part of the boot process.  In that case the keys are stored wherever you have specified (ideally off the Unraid server) so that is where you need to secure them.

  • Author

so in fact it's safe with encrypted disks and typing the key manually on every boot? Even with physical access to the machine no one can break in?

Edited by 1020ps

30 minutes ago, 1020ps said:

Even with physical access to the machine no one can break in?

If by 'break-in' you mean read the contents of the drives then this is true as long as the pass phrase has not already been input and the disks are currently mounted so their contents are now visible.  

  • Author

And all the configuration which is not necessary for booting is stored on the (encrypted) disks only? Where is for an example the password to login stored? If that is stored on the usb flash drive, an attacker could manipulate it on the flash drive to login with a new password. If it's stored on the (encrypted) disks, how can i login before the disks are unlocked for which to do i would expect that i need to login first?

Edited by 1020ps

33 minutes ago, 1020ps said:

And all the configuration which is not necessary for booting is stored on the (encrypted) disks only?

 

All this information is stored in the 'config' folder on the flash drive.   If someone has physical access to the server then you should assume they can log in and see all the information that is NOT on the encrypted disks.  You also do not want to expose the Unraid GUI to the internet except via a secure mechanism such as a VPN for the same reason.

  • Author

So the only bullet proof safe way would be having a luks encrypted ubuntu machine starting from usb and asking for the passphrase via ssh by using dropbear. 

 

Unraid will than be running in a virtual machine with nested virtualization enabled. All the disks will be passedthrough to the vm. But what about the flash drive for the license then? I read something that it can't be a virtual volume. 

 

Can the config be on a separate (virtual) device and a hardware flash drive being used only for the license? And i will passthrough that to the vm also.

 

Will it work that way?

Edited by 1020ps

You can't use a virtual device for your flash drive... it won't have a valid GUID, so you won't be able to license Unraid. The config is stored on the same flash drive, there's no way to change that.

 

What threat are you trying to mitigate?

  • Author

I wanna host the machine in a datacenter. I wanna make sure nobody, even with physical access can read the config or the content.

  • Author
1 hour ago, EDACerton said:

it won't have a valid GUID, so you won't be able to license Unraid.

so then i would have to fully emulate a flash drive that it looks like a real one and having a guid.

 

 

It looks like this guy here managed to have the usb flash drive only for licensing and booting from different disk:

 

Edited by 1020ps

1 hour ago, 1020ps said:

so then i would have to fully emulate a flash drive that it looks like a real one and having a guid.

 

 

It looks like this guy here managed to have the usb flash drive only for licensing and booting from different disk:

 

 

I dont actually do that any more.  ESXi 7 allows you to pass through individual USB devices. So, my unraid flash drive is passed through to the VM and it boots directly now.

 

However, the VMDK method worked for many years, but i would always forget to update it when I updated the flash drive.

 

No matter what, you cannot get away from having a flash drive tied to a license.  There are plenty of motherboards with on-board USB that would be fully within the server itself.

 

  • Author

Do u have a guide how to separate the boot volume from the flash drive so the flash drive will not have any data on it, just being present for the license?

1 hour ago, 1020ps said:

Do u have a guide how to separate the boot volume from the flash drive so the flash drive will not have any data on it, just being present for the license?

 

That is not possible.    The configuration information is always on the same flash drive as the licence file.

 

The Unraid boot process is described here in the online documentation and you will see in the later stage of the boot process the licence file and configuration information are read from the same flash drive.

 

  • Author
54 minutes ago, itimpi said:

That is not possible.    The configuration information is always on the same flash drive as the licence file.

So u r saying, the person who did it already, is lying? In the quoted other thread another user literally said, he was able to do it. 

Just now, 1020ps said:

So u r saying, the person who did it already, is lying? In the quoted other thread another user literally said, he was able to do it. 

He said he started the booted off a .vmdk - not that he had the licence AND configuration file on different locations.     It is quite easy to set the first stage of the boot process to run off something else, but that does not stop the flash drive and configuration folder needing to be on the same flash drive.

  • Author

It's sad, that security is not a priority in the development. I will now try to run unraid in a vm and emulate a flash drive including guid on a full encrypted vm host. I will share once it's done.

Edited by 1020ps

18 hours ago, StevenD said:

There are plenty of motherboards with on-board USB that would be fully within the server itself.

 

Another option is to use a 9-pin USB adapter - It will allow the Flash drive to plug directly into the mobo via an USB header.

 

20 hours ago, 1020ps said:

I wanna host the machine in a datacenter. I wanna make sure nobody, even with physical access can read the config or the content.

 

You might use tamper proof screws to secure access to server's components.

 

Granted it's not that much of a deterrent to someone who's real determined, especially when equipped even with the simplest of tools like a can opener.

But if that sounds like a real possibility then maybe you'd need to rethink the overall security situation of your server's location.

Edited by Lolight

  • Author

Well if u wanna have proper bandwith, the only option is a datacenter in my eyes. So as always when u run something not on premises it has to be safe of local and remote access. 

2 hours ago, 1020ps said:

Well if u wanna have proper bandwith, the only option is a datacenter in my eyes. So as always when u run something not on premises it has to be safe of local and remote access. 

unRAID is primarily targeted as a home NAS appliance OS. Off premise usage is not really the target audience.

On 7/24/2023 at 11:38 AM, 1020ps said:

Well if u wanna have proper bandwith, the only option is a datacenter in my eyes. So as always when u run something not on premises it has to be safe of local and remote access. 

Wonder if something like this would be an option:

 

https://www.amazon.com/dp/B07GL3FNCY?th=1

 

1 hour ago, Lolight said:

Wonder if something like this would be an option:

 

https://www.amazon.com/dp/B07GL3FNCY?th=1

Then you have to walk to the datacenter to unlock it everytime you reboot :D

  • Author

Unfortunately they don't allow to bring ur own hardware anyway. 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.