Jump to content

How can one securely autostart an encrypted unRAID array


Recommended Posts

Hey people, 

I am a newbie, setting up the UNRAID from scratch. I wanted to encrypt the Arrays for an extra level of security. Now I saw some video for an older version of Unraid to use a FTP Server to get the keyfile and automatically start the array. 

I am referring to this one:

 

 

I tried that, found out it didn't work, did some research and seems that with the latest version of UNRAID this way does not work anymore, due to some changes. I saw several posts with people wondering what to do. Now my question is, if someone has a manual how to do it? FTP Server is running.

 

In the manual to UNRAID I saw that it is not necessarily recommended to use an encryption. Why ist that? 

 

I would appreciate any help, thanks in advance!

 

 

 

 

Edited by Milvus
Link to comment
57 minutes ago, Milvus said:

In the manual to UNRAID I saw that it is not necessarily recommended to use an encryption. Why ist that?

The problem with using encryption is that if you end up with file system level corruption then encryption can compromise recovery processes so it then becomes critical that you have a good (and tested) backup strategy in place.

Link to comment
On 4/18/2024 at 10:00 PM, itimpi said:

The problem with using encryption is that if you end up with file system level corruption then encryption can compromise recovery processes so it then becomes critical that you have a good (and tested) backup strategy in place.

thank you for your reply! but what exactly does it mean? Also read that in the manual, but don't really get it. Is there a further / deeper explanation possible or a source where to learn more about it? So it is not adviced to do that extra level of security? Sorry for all these questions, but I would really like to set the Unraid up and also migrate the whole ioBroker onto it.

 

Thank you in advance!

Link to comment
24 minutes ago, Milvus said:

what exactly does it mean?

It means recovery from corruption can be impossible with encryption in the way.

 

Corruption can happen with hardware errors, like bad RAM, cables, or power issues. The problem is, you don't know it's going to happen until it does, and RAID (of any sort, not just Unraid) can't always compensate, meaning unless you have complete backups, you will lose data.

 

Unraid or any RAID can't help with file deletion or overwriting good data with bad, so backups are always needed, but with encryption, the recovery options are even more limited, so backups are even more necessary.

 

If the data is important enough to encrypt, it's important enough to keep multiple copies in multiple locations.

Link to comment

Ah, thank you very much for clarifying.

Actually, the Unraid shall serve as a NAS and SmartHome-Center, so the data on it would already be the backup, anyway I want to store data also somewhere else additionally. 
So in that case, from a professional point of view, would you not even advise to use encryption?

For that, the question then still remains, how to get along with a passkey on a ftp server.

 

Sorry again for maybe easy questions, but am a noob, trying to achieve some good outcome.

Thank you all in advance!

Link to comment

"secure" and "automatic" are mutually exclusive unless you don't care about wide swaths of "secure" to the point that you shouldn't bother. 

 

Disk encryption protects against someone having physical access to your disks.  In order to automatically decrypt the disks, the encryption key would need to be on your USB, or somewhere your USB can access. Anyone who has access to your disks also has access to your USB. Therefore the encryption is providing little to no value. 

 

There are some scripts that can improve this situation, by downloading the key at boot, but that means the key is sitting somewhere to be downloaded from.  Depending on where that location is, and what kind of threat you are protecting against it may reduce effective security down to zeroish. 

 

 

Link to comment

Thanks for your reply! That was exactly the thought: someone grabs the disks and takes them with him. So leaving the key on the USB would really make no sense. That is why I was interested in the way of saving it on a FTP Server and get it at boot. But I didn't find a description, which is up to date to the recent Unraid version. 

Link to comment
On 4/23/2024 at 3:09 PM, Milvus said:

Thanks for your reply! That was exactly the thought: someone grabs the disks and takes them with him. So leaving the key on the USB would really make no sense. That is why I was interested in the way of saving it on a FTP Server and get it at boot. But I didn't find a description, which is up to date to the recent Unraid version. 

 

The instructions to get to the FTP including hostname, username, and password, would need to be on the USB for that to work. So anyone who has your USB can also go do those things, unless there are firewalls in the way of the FTP

 

Depending on who you are worried about, where that FTP is, how it itself is protected, that again may reduce effective security to zero. 

 

 

Link to comment
Posted (edited)

It depends on what threat model you are worried about.  

 

A random robber probably isn't looking for your unraid server. And they also probably don't care about your media or whatever else you have on it either.

 

If you are a prolific pirate, hacker,  or some other kind of criminal worth busting, the authorities are going to take your drives, and probably also your router. 

 

In the US at least, in 99% of circumstances you cannot be forced to turn over a password that is in your head.  You CAN be forced to turn over any hardware. And destroying or deleting from your hardware if they for some reason left it behind, is itself a crime. 

 

Similarly in a lawsuit they can subpoena all the hardware, and having  the key on your router suddenly be gone will put you in contempt and possibly lose whatever case you have. 

 

Your unraid box is still accessible via vpn or whatever even if the array is stopped. My machine reboots once every few months. 99% of the time I rebooted it on purpose for an upgrade or because I'm tinkering with it for some reason.  Unexpected reboots are like 1/x a year, for a power outage or something.  Having the array be down until I can remote in and type in the password once a year, is well worth the additional security. 

Edited by Terebi
  • Like 1
Link to comment
  • 2 weeks later...

I have stop and go scripts that upload the keyfile contents to a website that expires the upload after an hour. Then the go file downloads from there. I can also manually enter the passphrase. This means common reboots for software updates or to quickly add a drive I don't have to do anything. But if the whole server is stolen they'd have to rapidly reboot it to get it to unlock. I think this meets the threat model of "my server got stolen" pretty well.

Link to comment
On 5/11/2024 at 9:39 PM, scorcho99 said:

I have stop and go scripts that upload the keyfile contents to a website that expires the upload after an hour. Then the go file downloads from there. I can also manually enter the passphrase. This means common reboots for software updates or to quickly add a drive I don't have to do anything. But if the whole server is stolen they'd have to rapidly reboot it to get it to unlock. I think this meets the threat model of "my server got stolen" pretty well.

Im not sure I understand what you are saying.  When you stop the array, the file gets uploaded? Then something else (not in unraid)  deletes that file after an hour?  and if the file is still there at start, it autostarts?

Link to comment
40 minutes ago, Terebi said:

Im not sure I understand what you are saying.  When you stop the array, the file gets uploaded? Then something else (not in unraid)  deletes that file after an hour?  and if the file is still there at start, it autostarts?

Yes, essentially. The keyfile is uploaded to on online service with curl that temporarily holds files which expire after an hour. When the array starts it attempts to pull down the uploaded file first and use it. The script is based on a separate USB flash drive for the keyfile script I found on here somewhere. The temporary online service was my own addition, basically removing the need to even plug the special unlock keyfile flash drive in when the most common reboot cases occur.

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...