Encryption of the USB Flash Drive


1020ps


On Ubuntu machines there is a separate boot partition which is unencrypted and holds the initramfs, which contains the dropbear application to unlock the LUKS partition.

What is the operating system under Unraid?

What data is stored on the USB? Can someone with physical access access everything without knowing the password? For example, where are the encryption keys saved for the encrypted disks?


The flash drive IS the boot partition as far as Unraid is concerned.

 

Unraid has a cut down version of Slackware as the underlying OS.

 

The flash drive holds all your basic server configuration information in the 'config' folder on the flash drive. However this will NOT hold encryption keys as that information is in principle entered via the GUI during the initial startup phase and then only held in RAM. If you want to automate starting encrypted arrays without involving the GUI then you will have stored the keys somewhere else and put in place a process to read the keys from that location as part of the boot process. In that case the keys are stored wherever you have specified (ideally off the Unraid server) so that is where you need to secure them.

30 minutes ago, 1020ps said:

Even with physical access to the machine no one can break in?

If by 'break-in' you mean read the contents of the drives then this is true as long as the pass phrase has not already been input and the disks are currently mounted so their contents are now visible.  


And all the configuration which is not necessary for booting is stored on the (encrypted) disks only? Where, for example, is the password to log in stored? If that is stored on the USB flash drive, an attacker could manipulate it on the flash drive to log in with a new password. If it's stored on the (encrypted) disks, how can I log in before the disks are unlocked, which I would expect to require logging in first?

33 minutes ago, 1020ps said:

And all the configuration which is not necessary for booting is stored on the (encrypted) disks only?

 

All this information is stored in the 'config' folder on the flash drive. If someone has physical access to the server then you should assume they can log in and see all the information that is NOT on the encrypted disks. You also do not want to expose the Unraid GUI to the internet except via a secure mechanism such as a VPN for the same reason.


So the only bulletproof, safe way would be to have a LUKS-encrypted Ubuntu machine starting from USB and asking for the passphrase via SSH by using dropbear.

Unraid will then be running in a virtual machine with nested virtualization enabled. All the disks will be passed through to the VM. But what about the flash drive for the license then? I read something that it can't be a virtual volume.

Can the config be on a separate (virtual) device and a hardware flash drive being used only for the license? And I will pass that through to the VM also.

 

Will it work that way?

1 hour ago, EDACerton said:

it won't have a valid GUID, so you won't be able to license Unraid.

So then I would have to fully emulate a flash drive so that it looks like a real one and has a GUID.

It looks like this guy here managed to have the USB flash drive only for licensing and booting from a different disk:

 

1 hour ago, 1020ps said:

So then I would have to fully emulate a flash drive so that it looks like a real one and has a GUID.

It looks like this guy here managed to have the USB flash drive only for licensing and booting from a different disk:

 

 

I don't actually do that any more. ESXi 7 allows you to pass through individual USB devices. So, my Unraid flash drive is passed through to the VM and it boots directly now.

However, the VMDK method worked for many years, but I would always forget to update it when I updated the flash drive.

 

No matter what, you cannot get away from having a flash drive tied to a license.  There are plenty of motherboards with on-board USB that would be fully within the server itself.

 

1 hour ago, 1020ps said:

Do u have a guide how to separate the boot volume from the flash drive so the flash drive will not have any data on it, just being present for the license?

 

That is not possible. The configuration information is always on the same flash drive as the licence file.

 

The Unraid boot process is described here in the online documentation and you will see in the later stage of the boot process the licence file and configuration information are read from the same flash drive.

 

54 minutes ago, itimpi said:

That is not possible. The configuration information is always on the same flash drive as the licence file.

So u r saying, the person who did it already, is lying? In the quoted other thread another user literally said, he was able to do it. 

Just now, 1020ps said:

So u r saying, the person who did it already, is lying? In the quoted other thread another user literally said, he was able to do it. 

He said he started the boot off a .vmdk - not that he had the licence AND configuration file in different locations. It is quite easy to set the first stage of the boot process to run off something else, but that does not stop the flash drive and configuration folder needing to be on the same flash drive.

18 hours ago, StevenD said:

There are plenty of motherboards with on-board USB that would be fully within the server itself.

 

Another option is to use a 9-pin USB adapter - it will allow the flash drive to plug directly into the mobo via a USB header.

 

20 hours ago, 1020ps said:

I wanna host the machine in a datacenter. I wanna make sure nobody, even with physical access can read the config or the content.

 

You might use tamper proof screws to secure access to server's components.

 

Granted it's not that much of a deterrent to someone who's real determined, especially when equipped even with the simplest of tools like a can opener.

But if that sounds like a real possibility then maybe you'd need to rethink the overall security situation of your server's location.

2 hours ago, 1020ps said:

Well if u wanna have proper bandwidth, the only option is a datacenter in my eyes. So as always when u run something not on premises it has to be safe from local and remote access.

unRAID is primarily targeted as a home NAS appliance OS. Off premise usage is not really the target audience.

