
How can one securely autostart an encrypted unRAID array



Hey people, 

I am a newbie, setting up UNRAID from scratch. I wanted to encrypt the arrays for an extra level of security. Now I saw a video for an older version of Unraid that uses an FTP server to get the keyfile and automatically start the array.

I am referring to this one:


I tried that, found out it didn't work, did some research, and it seems that with the latest version of UNRAID this way does not work anymore, due to some changes. I saw several posts with people wondering what to do. Now my question is whether someone has a manual for how to do it. The FTP server is running.

 

In the manual to UNRAID I saw that it is not necessarily recommended to use encryption. Why is that?

 

I would appreciate any help, thanks in advance!


Edited by Milvus
Link to comment
57 minutes ago, Milvus said:

In the manual to UNRAID I saw that it is not necessarily recommended to use encryption. Why is that?

The problem with using encryption is that if you end up with file system level corruption, then encryption can compromise recovery processes, so it becomes critical that you have a good (and tested) backup strategy in place.

Link to comment
On 4/18/2024 at 10:00 PM, itimpi said:

The problem with using encryption is that if you end up with file system level corruption, then encryption can compromise recovery processes, so it becomes critical that you have a good (and tested) backup strategy in place.

Thank you for your reply! But what exactly does it mean? I also read that in the manual, but I don't really get it. Is a further / deeper explanation possible, or is there a source where I can learn more about it? So it is not advised to add that extra level of security? Sorry for all these questions, but I would really like to set Unraid up and also migrate the whole ioBroker onto it.

 

Thank you in advance!

Link to comment
24 minutes ago, Milvus said:

what exactly does it mean?

It means recovery from corruption can be impossible with encryption in the way.

 

Corruption can happen with hardware errors, like bad RAM, cables, or power issues. The problem is, you don't know it's going to happen until it does, and RAID (of any sort, not just Unraid) can't always compensate, meaning unless you have complete backups, you will lose data.

 

Unraid or any RAID can't help with file deletion or overwriting good data with bad, so backups are always needed, but with encryption, the recovery options are even more limited, so backups are even more necessary.

 

If the data is important enough to encrypt, it's important enough to keep multiple copies in multiple locations.

Link to comment

Ah, thank you very much for clarifying.

Actually, the Unraid shall serve as a NAS and SmartHome center, so the data on it would already be the backup; anyway, I also want to store the data somewhere else additionally.
So in that case, from a professional point of view, would you not even advise using encryption?

For that, the question then still remains of how to get along with a passkey on an FTP server.

 

Sorry again for the maybe easy questions, but I am a noob trying to achieve a good outcome.

Thank you all in advance!

Link to comment

"secure" and "automatic" are mutually exclusive unless you don't care about wide swaths of "secure" to the point that you shouldn't bother. 

 

Disk encryption protects against someone having physical access to your disks.  In order to automatically decrypt the disks, the encryption key would need to be on your USB, or somewhere your USB can access. Anyone who has access to your disks also has access to your USB. Therefore the encryption is providing little to no value. 

 

There are some scripts that can improve this situation, by downloading the key at boot, but that means the key is sitting somewhere to be downloaded from.  Depending on where that location is, and what kind of threat you are protecting against it may reduce effective security down to zeroish. 


Link to comment

Thanks for your reply! That was exactly the thought: someone grabs the disks and takes them with him. So leaving the key on the USB would really make no sense. That is why I was interested in the way of saving it on an FTP server and getting it at boot. But I didn't find a description that is up to date with the recent Unraid version.

Link to comment
On 4/23/2024 at 3:09 PM, Milvus said:

Thanks for your reply! That was exactly the thought: someone grabs the disks and takes them with him. So leaving the key on the USB would really make no sense. That is why I was interested in the way of saving it on an FTP server and getting it at boot. But I didn't find a description that is up to date with the recent Unraid version.

 

The instructions to get to the FTP, including hostname, username, and password, would need to be on the USB for that to work. So anyone who has your USB can also go do those things, unless there are firewalls in the way of the FTP.

 

Depending on who you are worried about, where that FTP is, how it itself is protected, that again may reduce effective security to zero. 


Link to comment
Posted (edited)

It depends on what threat model you are worried about.  

 

A random robber probably isn't looking for your unraid server. And they also probably don't care about your media or whatever else you have on it either.

 

If you are a prolific pirate, hacker,  or some other kind of criminal worth busting, the authorities are going to take your drives, and probably also your router. 

 

In the US at least, in 99% of circumstances you cannot be forced to turn over a password that is in your head.  You CAN be forced to turn over any hardware. And destroying or deleting from your hardware if they for some reason left it behind, is itself a crime. 

 

Similarly in a lawsuit they can subpoena all the hardware, and having  the key on your router suddenly be gone will put you in contempt and possibly lose whatever case you have. 

 

Your unraid box is still accessible via vpn or whatever even if the array is stopped. My machine reboots once every few months. 99% of the time I rebooted it on purpose for an upgrade or because I'm tinkering with it for some reason.  Unexpected reboots are like 1/x a year, for a power outage or something.  Having the array be down until I can remote in and type in the password once a year, is well worth the additional security. 

Edited by Terebi
  • Like 1
Link to comment
  • 2 weeks later...

I have stop and go scripts that upload the keyfile contents to a website that expires the upload after an hour. Then the go file downloads from there. I can also manually enter the passphrase. This means common reboots for software updates or to quickly add a drive I don't have to do anything. But if the whole server is stolen they'd have to rapidly reboot it to get it to unlock. I think this meets the threat model of "my server got stolen" pretty well.

Link to comment
On 5/11/2024 at 9:39 PM, scorcho99 said:

I have stop and go scripts that upload the keyfile contents to a website that expires the upload after an hour. Then the go file downloads from there. I can also manually enter the passphrase. This means common reboots for software updates or to quickly add a drive I don't have to do anything. But if the whole server is stolen they'd have to rapidly reboot it to get it to unlock. I think this meets the threat model of "my server got stolen" pretty well.

I'm not sure I understand what you are saying. When you stop the array, the file gets uploaded? Then something else (not in Unraid) deletes that file after an hour? And if the file is still there at start, it autostarts?

Link to comment
40 minutes ago, Terebi said:

I'm not sure I understand what you are saying. When you stop the array, the file gets uploaded? Then something else (not in Unraid) deletes that file after an hour? And if the file is still there at start, it autostarts?

Yes, essentially. The keyfile is uploaded with curl to an online service that temporarily holds files, which expire after an hour. When the array starts it attempts to pull down the uploaded file first and use it. The script is based on a "separate USB flash drive for the keyfile" script I found on here somewhere. The temporary online service was my own addition, basically removing the need to even plug the special unlock keyfile flash drive in when the most common reboot cases occur.

Link to comment
  • 5 weeks later...
On 5/15/2024 at 10:28 PM, scorcho99 said:

Yes, essentially. The keyfile is uploaded with curl to an online service that temporarily holds files, which expire after an hour. When the array starts it attempts to pull down the uploaded file first and use it. The script is based on a "separate USB flash drive for the keyfile" script I found on here somewhere. The temporary online service was my own addition, basically removing the need to even plug the special unlock keyfile flash drive in when the most common reboot cases occur.

Would you be so kind as to provide instructions / your script?

Link to comment
  • 3 weeks later...

@Dtrain

 

This is a cutdown version of the script with just the temporary file service upload and download mechanism.

 

Add or create the "go" and "stop" files in ./config/ on your flash drive.

While it will probably work as is, I'd recommend changing RandomPassPhraseStringOne and StaticEncryptPassword to your own random strings.

(The idea here is you don't necessarily trust the file service to be holding your raw keyfile password, so we first encrypt it with a different local password)

 

go file:

#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &

# First check whether the stop file left a remote key hint behind, and use it.
if [ -f "/boot/config/keyfile_remote.hint" ]; then
    REMOTE_GET_TARGET=$(<"/boot/config/keyfile_remote.hint")
    wget "${REMOTE_GET_TARGET}" --tries=5 --waitretry=15 --output-document=/root/pulldown.enc
    if [ -s "/root/pulldown.enc" ]; then
        # Unwrap the keyfile with the local wrapping password. openssl uses the last
        # password option it is given, so -pass pass:StaticEncryptPassword is the effective
        # one here and -k is ignored; keep both values identical in the go and stop files.
        openssl enc -d -aes-256-cbc -pbkdf2 -iter 20000 -in /root/pulldown.enc -out /root/keyfile -k RandomPassPhraseStringOne -pass pass:StaticEncryptPassword
    fi
    # The hint is single use: remove it even if the download failed
    # (-f avoids an error when wget never produced pulldown.enc).
    rm -f "/boot/config/keyfile_remote.hint" /root/pulldown.enc
fi

# Start the array if autostart didn't already do it; bizarrely this is done by
# sending a curl request to the server itself.
sleep 30
if [ ! -e /mnt/disk1 ]; then
    echo "manual mount"
    CSRF=$(grep -oP 'csrf_token="\K[^"]+' /var/local/emhttp/var.ini)
    curl -k --data "startState=STOPPED&file=&csrf_token=${CSRF}&cmdStart=Start" http://localhost/update.htm
else
    echo "array already mounted"
fi

 

stop file:

#!/bin/bash
# stop file with handlers for remote upload

# removed custom vm shutdown script from here

#==== start: push up an encrypted copy of the keyfile to a temporary file service
rm -f "/root/pushup.enc"
if [ -f "/root/keyfile" ]; then
    # Wrap the keyfile with the local wrapping password before it leaves the box.
    # openssl uses the last password option it is given, so -pass pass:StaticEncryptPassword
    # is the effective one; it must match the go file.
    openssl enc -aes-256-cbc -pbkdf2 -iter 20000 -in /root/keyfile -out /root/pushup.enc -k RandomPassPhraseStringOne -pass pass:StaticEncryptPassword
    if [ -s "/root/pushup.enc" ]; then
        SUCCESS=0
        FINALURL=""

        echo "tmpfiles.org try"
        DATARETURN=$(curl -F "file=@/root/pushup.enc" https://tmpfiles.org/api/v1/upload)
        # jq -r drops the quotes around string values
        STATUS=$(jq -r '.status' <<<"$DATARETURN")
        if [[ $STATUS == "success" ]]; then
            URLRET=$(jq -r '.data.url' <<<"$DATARETURN")
            if [ -z "$URLRET" ] || [ "$URLRET" = "null" ]; then
                echo "error extracting url"
            else
                # add /dl to the url for direct download, otherwise this downloads the webpage not the file
                FINALURL="${URLRET/tmpfiles.org/"tmpfiles.org/dl"}"
                SUCCESS=1
            fi
        else
            echo "tmpfiles.org failed upload"
        fi

        # if not successful, try the next service
        if [ $SUCCESS -eq 0 ]; then
            echo "file.io try"
            # the URL is quoted so the shell does not treat ? as a glob character
            DATARETURN=$(curl -F "file=@/root/pushup.enc" "https://file.io/?expires=60m")
            STATUS=$(jq -r '.success' <<<"$DATARETURN")
            if [[ $STATUS == "true" ]]; then
                FINALURL=$(jq -r '.link' <<<"$DATARETURN")
                if [ -z "$FINALURL" ] || [ "$FINALURL" = "null" ]; then
                    echo "error extracting url"
                else
                    SUCCESS=1
                fi
            else
                echo "file.io failed upload"
            fi
        fi

        # if still not successful, try the last service
        if [ $SUCCESS -eq 0 ]; then
            echo "transfer.sh try"
            FINALURL=$(curl -H "Max-Downloads: 1" -H "Max-Days: 1" --upload-file "/root/pushup.enc" https://transfer.sh/pushup.enc)
            if [ -z "$FINALURL" ] || [ "$FINALURL" = "null" ]; then
                echo "error extracting url"
            else
                SUCCESS=1
            fi
        fi

        # finally write the hint file that the go file looks for at boot
        if [ $SUCCESS -eq 1 ]; then
            echo "${FINALURL}" > "/boot/config/keyfile_remote.hint"
        fi
    else
        echo "pushup.enc not found or empty!"
    fi
else
    echo "no keyfile found!"
fi
#==== end push up


  • Like 1
Link to comment
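An added example, not code from this thread or from scorcho99's scripts, illustrating the one check the posted go/stop pair leaves entirely to the file-hosting service: the one-hour expiry. openssl enc with -aes-256-cbc encrypts the keyfile but does not authenticate it, and nothing on the go side refuses an old blob, so the lifetime of the wrapped key is whatever the service happens to enforce. The Python below uses the standard library only (a PBKDF2-derived key drives an HMAC-SHA256 counter-mode keystream as a stand-in for AES, which the standard library lacks; it is a demonstration of the format, not a replacement to deploy). It wraps a constructed sample keyfile with a local wrapping secret named like the StaticEncryptPassword in the posted scripts, puts an expiry time under the authentication tag, and shows the unwrap side rejecting a tampered blob, a forged expiry, a stale blob and a wrong passphrase. The keyfile bytes, passphrase, format marker and clock values are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# PBKDF2 iteration count; matches the -iter 20000 used by the openssl commands in the thread.
ITERATIONS = 20000
_MAGIC = b"UKF1"                  # format marker for the wrapped blob (constructed for this example)
_SALT_LEN = 16
_NONCE_LEN = 16
_HDR_LEN = len(_MAGIC) + _SALT_LEN + _NONCE_LEN + 8   # magic | salt | nonce | expiry (u64, big-endian)
_TAG_LEN = 32                     # HMAC-SHA256 tag


def _derive_keys(passphrase: bytes, salt: bytes):
    """Stretch the local wrapping passphrase into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase, salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for a block cipher, since the stdlib has no AES."""
    blocks = []
    counter = 0
    while len(blocks) * 32 < length:
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_keyfile(keyfile: bytes, passphrase: bytes, now: int, ttl: int = 3600) -> bytes:
    """Encrypt the keyfile and bind an expiry time to it under the authentication tag."""
    salt = os.urandom(_SALT_LEN)
    nonce = os.urandom(_NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    header = _MAGIC + salt + nonce + struct.pack(">Q", now + ttl)
    ciphertext = _xor(keyfile, _keystream(enc_key, nonce, len(keyfile)))
    # The tag covers the header too, so the expiry cannot be changed without the MAC key.
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def unwrap_keyfile(blob: bytes, passphrase: bytes, now: int) -> bytes:
    """Authenticate, check expiry, then decrypt. Raises ValueError on any failure."""
    if len(blob) < _HDR_LEN + _TAG_LEN or blob[:len(_MAGIC)] != _MAGIC:
        raise ValueError("not a wrapped keyfile")
    header, ciphertext, tag = blob[:_HDR_LEN], blob[_HDR_LEN:-_TAG_LEN], blob[-_TAG_LEN:]
    salt = header[len(_MAGIC):len(_MAGIC) + _SALT_LEN]
    nonce = header[len(_MAGIC) + _SALT_LEN:len(_MAGIC) + _SALT_LEN + _NONCE_LEN]
    expires = struct.unpack(">Q", header[-8:])[0]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    # Authenticate first: a wrong passphrase or any bit flip (including in the expiry field) fails here.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    # Only a tag-verified expiry is trusted; the boot side enforces the window itself.
    if now >= expires:
        raise ValueError("wrapped keyfile has expired")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def _rejected(fn) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Constructed sample run: the keyfile, passphrase and clock values are made up."""
    keyfile = b"constructed-sample-luks-passphrase\n"
    passphrase = b"StaticEncryptPassword"          # local wrapping secret, named as in the posted scripts
    t_stop = 1_700_000_000                         # constructed time at which the stop file uploaded
    blob = wrap_keyfile(keyfile, passphrase, now=t_stop, ttl=3600)

    tampered = bytearray(blob)
    tampered[_HDR_LEN] ^= 0x01                     # flip one ciphertext bit
    forged = bytearray(blob)
    forged[_HDR_LEN - 1] ^= 0x01                   # try to change the expiry without the MAC key

    return {
        "roundtrip": unwrap_keyfile(blob, passphrase, now=t_stop + 60) == keyfile,
        "tampered_rejected": _rejected(lambda: unwrap_keyfile(bytes(tampered), passphrase, now=t_stop + 60)),
        "expiry_forgery_rejected": _rejected(lambda: unwrap_keyfile(bytes(forged), passphrase, now=t_stop + 60)),
        "stale_rejected": _rejected(lambda: unwrap_keyfile(blob, passphrase, now=t_stop + 3600)),
        "wrong_passphrase_rejected": _rejected(lambda: unwrap_keyfile(blob, b"not-the-secret", now=t_stop + 60)),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The point of the layout is the order of checks in unwrap_keyfile: the tag is verified before the expiry is read, so a blob that sits on the hosting service longer than intended, or whose expiry field was edited, is refused by the server doing the unlocking rather than by whoever operates the upload site. It does nothing about Terebi's objection that the wrapping secret itself lives on the USB stick; it only shortens the window in which that secret is useful to someone who has the stick.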