1020ps Posted July 22, 2023 Share Posted July 22, 2023 Hi guys, is it possible to encrypt the flash drive? I would like to do it by using dropbear, which let u type the passphrase via a small ssh server preboot. Quote Link to comment
itimpi Posted July 22, 2023 Share Posted July 22, 2023 3 hours ago, 1020ps said: Hi guys, is it possible to encrypt the flash drive? I would like to do it by using dropbear, which let u type the passphrase via a small ssh server preboot. Not that I know of as the flash drive has to be readable at the BIOS level for booting. Quote Link to comment
1020ps Posted July 22, 2023 Author Share Posted July 22, 2023 (edited) On Ubuntu machines there is a separate boot partition which is unencrypted and is holding the initramfs which is having the dropbear application to unlock the luks partition. What is the operating system under unraid? What Data is stored on the usb? Can someone with physical access, access everything without knowing the password? For an example where are the encryption keys saved for the encrypted disks? Edited July 22, 2023 by 1020ps Quote Link to comment
itimpi Posted July 22, 2023 Share Posted July 22, 2023 The flash drive IS the boot partition as far as Unraid is concerned. Unraid has a cut down version of Slackware as the underlying OS. The flash drive holds all your basic server configuration information in the 'config' folder on the flash drive. However this will NOT hold encryption keys as that information is in principle entered via the GUI during the initial startup phase and then only held in RAM. If you want to automate starting encrypted arrays without involving the GUI then you will have stored the keys somewhere else and put in place a process to read the keys from that location as part of the boot process. In that case the keys are stored wherever you have specified (ideally off the Unraid server) so that is where you need to secure them. 1 Quote Link to comment
1020ps Posted July 23, 2023 Author Share Posted July 23, 2023 (edited) so in fact it's safe with encrypted disks and typing the key manually on every boot? Even with physical access to the machine no one can break in? Edited July 23, 2023 by 1020ps Quote Link to comment
itimpi Posted July 23, 2023 Share Posted July 23, 2023 30 minutes ago, 1020ps said: Even with physical access to the machine no one can break in? If by 'break-in' you mean read the contents of the drives then this is true as long as the pass phrase has not already been input and the disks are currently mounted so their contents are now visible. Quote Link to comment
1020ps Posted July 23, 2023 Author Share Posted July 23, 2023 (edited) And all the configuration which is not necessary for booting is stored on the (encrypted) disks only? Where is for an example the password to login stored? If that is stored on the usb flash drive, an attacker could manipulate it on the flash drive to login with a new password. If it's stored on the (encrypted) disks, how can i login before the disks are unlocked for which to do i would expect that i need to login first? Edited July 23, 2023 by 1020ps Quote Link to comment
itimpi Posted July 23, 2023 Share Posted July 23, 2023 33 minutes ago, 1020ps said: And all the configuration which is not necessary for booting is stored on the (encrypted) disks only? All this information is stored in the 'config' folder on the flash drive. If someone has physical access to the server then you should assume they can log in and see all the information that is NOT on the encrypted disks. You also do not want to expose the Unraid GUI to the internet except via a secure mechanism such as a VPN for the same reason. Quote Link to comment
1020ps Posted July 23, 2023 Author Share Posted July 23, 2023 (edited) So the only bullet proof safe way would be having a luks encrypted ubuntu machine starting from usb and asking for the passphrase via ssh by using dropbear. Unraid will than be running in a virtual machine with nested virtualization enabled. All the disks will be passedthrough to the vm. But what about the flash drive for the license then? I read something that it can't be a virtual volume. Can the config be on a separate (virtual) device and a hardware flash drive being used only for the license? And i will passthrough that to the vm also. Will it work that way? Edited July 23, 2023 by 1020ps Quote Link to comment
EDACerton Posted July 23, 2023 Share Posted July 23, 2023 You can't use a virtual device for your flash drive... it won't have a valid GUID, so you won't be able to license Unraid. The config is stored on the same flash drive, there's no way to change that. What threat are you trying to mitigate? Quote Link to comment
1020ps Posted July 23, 2023 Author Share Posted July 23, 2023 I wanna host the machine in a datacenter. I wanna make sure nobody, even with physical access can read the config or the content. Quote Link to comment
1020ps Posted July 23, 2023 Author Share Posted July 23, 2023 (edited) 1 hour ago, EDACerton said: it won't have a valid GUID, so you won't be able to license Unraid. so then i would have to fully emulate a flash drive that it looks like a real one and having a guid. It looks like this guy here managed to have the usb flash drive only for licensing and booting from different disk: Edited July 23, 2023 by 1020ps Quote Link to comment
StevenD Posted July 23, 2023 Share Posted July 23, 2023 1 hour ago, 1020ps said: so then i would have to fully emulate a flash drive that it looks like a real one and having a guid. It looks like this guy here managed to have the usb flash drive only for licensing and booting from different disk: I dont actually do that any more. ESXi 7 allows you to pass through individual USB devices. So, my unraid flash drive is passed through to the VM and it boots directly now. However, the VMDK method worked for many years, but i would always forget to update it when I updated the flash drive. No matter what, you cannot get away from having a flash drive tied to a license. There are plenty of motherboards with on-board USB that would be fully within the server itself. Quote Link to comment
1020ps Posted July 23, 2023 Author Share Posted July 23, 2023 Do u have a guide how to separate the boot volume from the flash drive so the flash drive will not have any data on it, just being present for the license? Quote Link to comment
itimpi Posted July 23, 2023 Share Posted July 23, 2023 1 hour ago, 1020ps said: Do u have a guide how to separate the boot volume from the flash drive so the flash drive will not have any data on it, just being present for the license? That is not possible. The configuration information is always on the same flash drive as the licence file. The Unraid boot process is described here in the online documentation and you will see in the later stage of the boot process the licence file and configuration information are read from the same flash drive. Quote Link to comment
1020ps Posted July 23, 2023 Author Share Posted July 23, 2023 54 minutes ago, itimpi said: That is not possible. The configuration information is always on the same flash drive as the licence file. So u r saying, the person who did it already, is lying? In the quoted other thread another user literally said, he was able to do it. Quote Link to comment
itimpi Posted July 23, 2023 Share Posted July 23, 2023 Just now, 1020ps said: So u r saying, the person who did it already, is lying? In the quoted other thread another user literally said, he was able to do it. He said he started the booted off a .vmdk - not that he had the licence AND configuration file on different locations. It is quite easy to set the first stage of the boot process to run off something else, but that does not stop the flash drive and configuration folder needing to be on the same flash drive. Quote Link to comment
1020ps Posted July 23, 2023 Author Share Posted July 23, 2023 (edited) It's sad, that security is not a priority in the development. I will now try to run unraid in a vm and emulate a flash drive including guid on a full encrypted vm host. I will share once it's done. Edited July 23, 2023 by 1020ps Quote Link to comment
Lolight Posted July 24, 2023 Share Posted July 24, 2023 (edited) 18 hours ago, StevenD said: There are plenty of motherboards with on-board USB that would be fully within the server itself. Another option is to use a 9-pin USB adapter - It will allow the Flash drive to plug directly into the mobo via an USB header. 20 hours ago, 1020ps said: I wanna host the machine in a datacenter. I wanna make sure nobody, even with physical access can read the config or the content. You might use tamper proof screws to secure access to server's components. Granted it's not that much of a deterrent to someone who's real determined, especially when equipped even with the simplest of tools like a can opener. But if that sounds like a real possibility then maybe you'd need to rethink the overall security situation of your server's location. Edited July 24, 2023 by Lolight Quote Link to comment
1020ps Posted July 24, 2023 Author Share Posted July 24, 2023 Well if u wanna have proper bandwith, the only option is a datacenter in my eyes. So as always when u run something not on premises it has to be safe of local and remote access. Quote Link to comment
primeval_god Posted July 24, 2023 Share Posted July 24, 2023 2 hours ago, 1020ps said: Well if u wanna have proper bandwith, the only option is a datacenter in my eyes. So as always when u run something not on premises it has to be safe of local and remote access. unRAID is primarily targeted as a home NAS appliance OS. Off premise usage is not really the target audience. 2 Quote Link to comment
Lolight Posted July 31, 2023 Share Posted July 31, 2023 On 7/24/2023 at 11:38 AM, 1020ps said: Well if u wanna have proper bandwith, the only option is a datacenter in my eyes. So as always when u run something not on premises it has to be safe of local and remote access. Wonder if something like this would be an option: https://www.amazon.com/dp/B07GL3FNCY?th=1 Quote Link to comment
Kilrah Posted July 31, 2023 Share Posted July 31, 2023 1 hour ago, Lolight said: Wonder if something like this would be an option: https://www.amazon.com/dp/B07GL3FNCY?th=1 Then you have to walk to the datacenter to unlock it everytime you reboot 1 Quote Link to comment
1020ps Posted July 31, 2023 Author Share Posted July 31, 2023 Unfortunately they don't allow to bring ur own hardware anyway. Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.