Milvus Posted April 18 (edited)

Hey people, I am a newbie, setting up the UNRAID from scratch. I wanted to encrypt the Arrays for an extra level of security. Now I saw some video for an older version of Unraid to use a FTP Server to get the keyfile and automatically start the array. I am referring to this one: I tried that, found out it didn't work, did some research and seems that with the latest version of UNRAID this way does not work anymore, due to some changes. I saw several posts with people wondering what to do.

Now my question is, if someone has a manual how to do it? FTP Server is running.

In the manual to UNRAID I saw that it is not necessarily recommended to use an encryption. Why is that?

I would appreciate any help, thanks in advance!

itimpi Posted April 18

57 minutes ago, Milvus said:
In the manual to UNRAID I saw that it is not necessarily recommended to use an encryption. Why is that?

The problem with using encryption is that if you end up with file system level corruption then encryption can compromise recovery processes, so it then becomes critical that you have a good (and tested) backup strategy in place.

Milvus Posted April 19

On 4/18/2024 at 10:00 PM, itimpi said:
The problem with using encryption is that if you end up with file system level corruption then encryption can compromise recovery processes so it then becomes critical that you have a good (and tested) backup strategy in place.

Thank you for your reply! But what exactly does it mean? Also read that in the manual, but don't really get it. Is there a further / deeper explanation possible or a source where to learn more about it? So it is not advised to do that extra level of security?

Sorry for all these questions, but I would really like to set the Unraid up and also migrate the whole ioBroker onto it. Thank you in advance!

JonathanM Posted April 19

24 minutes ago, Milvus said:
what exactly does it mean?

It means recovery from corruption can be impossible with encryption in the way. Corruption can happen with hardware errors, like bad RAM, cables, or power issues. The problem is, you don't know it's going to happen until it does, and RAID (of any sort, not just Unraid) can't always compensate, meaning unless you have complete backups, you will lose data.

Unraid or any RAID can't help with file deletion or overwriting good data with bad, so backups are always needed, but with encryption, the recovery options are even more limited, so backups are even more necessary.

If the data is important enough to encrypt, it's important enough to keep multiple copies in multiple locations.

Milvus Posted April 20

Ah, thank you very much for clarifying. Actually, the Unraid shall serve as a NAS and SmartHome-Center, so the data on it would already be the backup, anyway I want to store data also somewhere else additionally. So in that case, from a professional point of view, would you not even advise to use encryption?

For that, the question then still remains, how to get along with a passkey on a ftp server.

Sorry again for maybe easy questions, but am a noob, trying to achieve some good outcome. Thank you all in advance!

Terebi Posted April 22

"secure" and "automatic" are mutually exclusive unless you don't care about wide swaths of "secure" to the point that you shouldn't bother.

Disk encryption protects against someone having physical access to your disks. In order to automatically decrypt the disks, the encryption key would need to be on your USB, or somewhere your USB can access. Anyone who has access to your disks also has access to your USB. Therefore the encryption is providing little to no value.

There are some scripts that can improve this situation, by downloading the key at boot, but that means the key is sitting somewhere to be downloaded from. Depending on where that location is, and what kind of threat you are protecting against it may reduce effective security down to zeroish.

Milvus Posted April 23

Thanks for your reply! That was exactly the thought: someone grabs the disks and takes them with him. So leaving the key on the USB would really make no sense. That is why I was interested in the way of saving it on a FTP Server and get it at boot. But I didn't find a description, which is up to date to the recent Unraid version.

Terebi Posted April 25

On 4/23/2024 at 3:09 PM, Milvus said:
Thanks for your reply! That was exactly the thought: someone grabs the disks and takes them with him. So leaving the key on the USB would really make no sense. That is why I was interested in the way of saving it on a FTP Server and get it at boot. But I didn't find a description, which is up to date to the recent Unraid version.

The instructions to get to the FTP, including hostname, username, and password, would need to be on the USB for that to work. So anyone who has your USB can also go do those things, unless there are firewalls in the way of the FTP.

Depending on who you are worried about, where that FTP is, how it itself is protected, that again may reduce effective security to zero.

Milvus Posted April 30

Yes, that is true, but assuming I would set up the FTP inside my home, directly on the router, it should work. If the plates get robbed, I could still stop the FTP running.

Terebi Posted May 3 (edited)

It depends on what threat model you are worried about. A random robber probably isn't looking for your unraid server. And they also probably don't care about your media or whatever else you have on it either.

If you are a prolific pirate, hacker, or some other kind of criminal worth busting, the authorities are going to take your drives, and probably also your router.

In the US at least, in 99% of circumstances you cannot be forced to turn over a password that is in your head. You CAN be forced to turn over any hardware. And destroying or deleting from your hardware if they for some reason left it behind, is itself a crime. Similarly in a lawsuit they can subpoena all the hardware, and having the key on your router suddenly be gone will put you in contempt and possibly lose whatever case you have.

Your unraid box is still accessible via vpn or whatever even if the array is stopped. My machine reboots once every few months. 99% of the time I rebooted it on purpose for an upgrade or because I'm tinkering with it for some reason. Unexpected reboots are like 1/x a year, for a power outage or something. Having the array be down until I can remote in and type in the password once a year, is well worth the additional security.

scorcho99 Posted May 12

I have stop and go scripts that upload the keyfile contents to a website that expires the upload after an hour. Then the go file downloads from there. I can also manually enter the passphrase.

This means common reboots for software updates or to quickly add a drive I don't have to do anything. But if the whole server is stolen they'd have to rapidly reboot it to get it to unlock. I think this meets the threat model of "my server got stolen" pretty well.

Terebi Posted May 15

On 5/11/2024 at 9:39 PM, scorcho99 said:
I have stop and go scripts that upload the keyfile contents to a website that expires the upload after an hour. Then the go file downloads from there. I can also manually enter the passphrase. This means common reboots for software updates or to quickly add a drive I don't have to do anything. But if the whole server is stolen they'd have to rapidly reboot it to get it to unlock. I think this meets the threat model of "my server got stolen" pretty well.

I'm not sure I understand what you are saying. When you stop the array, the file gets uploaded? Then something else (not in unraid) deletes that file after an hour? And if the file is still there at start, it autostarts?

scorcho99 Posted May 15

40 minutes ago, Terebi said:
I'm not sure I understand what you are saying. When you stop the array, the file gets uploaded? Then something else (not in unraid) deletes that file after an hour? And if the file is still there at start, it autostarts?

Yes, essentially. The keyfile is uploaded to an online service with curl that temporarily holds files which expire after an hour. When the array starts it attempts to pull down the uploaded file first and use it.

The script is based on a separate USB flash drive for the keyfile script I found on here somewhere. The temporary online service was my own addition, basically removing the need to even plug the special unlock keyfile flash drive in when the most common reboot cases occur.

Milvus Posted May 17

I understand now, that it is too elaborate, to do it, so even though I don't like it, I let it rest. Thank you for your support.

Dtrain Posted June 17

On 5/15/2024 at 10:28 PM, scorcho99 said:
Yes, essentially. The keyfile is uploaded to an online service with curl that temporarily holds files which expire after an hour. When the array starts it attempts to pull down the uploaded file first and use it. The script is based on a separate USB flash drive for the keyfile script I found on here somewhere. The temporary online service was my own addition, basically removing the need to even plug the special unlock keyfile flash drive in when the most common reboot cases occur.

Would you be so kind as to provide instructions / your script?

scorcho99 Posted July 3

@Dtrain This is a cutdown version of the script with just the temporary file service upload and download mechanism.

Add or create the "go" and "stop" files in ./config/ on your flash drive.

While it will probably work as is, I'd recommend changing RandomPassPhraseStringOne and StaticEncryptPassword to your own random strings. (The idea here is you don't necessarily trust the file service to be holding your raw keyfile password, so we first encrypt it with a different local password)

go file:

    #!/bin/bash
    # Start the Management Utility
    /usr/local/sbin/emhttp &

    #first check if we have a remote key to use and use that
    if [ -f "/boot/config/keyfile_remote.hint" ]; then
      REMOTE_GET_TARGET=$(<"/boot/config/keyfile_remote.hint")
      wget "${REMOTE_GET_TARGET}" --tries=5 --waitretry=15 --output-document=/root/pulldown.enc
      if [ -s "/root/pulldown.enc" ]; then
        openssl enc -d -aes-256-cbc -pbkdf2 -iter 20000 -in /root/pulldown.enc -out /root/keyfile -k RandomPassPhraseStringOne -pass pass:StaticEncryptPassword
      fi
      rm "/boot/config/keyfile_remote.hint"
      rm /root/pulldown.enc
    fi

    #start array if it didn't already take, bizarrely this is done by sending a curl command to the server itself
    sleep 30
    if [ ! -e /mnt/disk1 ]; then
      echo "manual mount"
      CSRF=$(cat /var/local/emhttp/var.ini | grep -oP 'csrf_token="\K[^"]+')
      RESULT=$(curl -k --data "startState=STOPPED&file=&csrf_token=${CSRF}&cmdStart=Start" http://localhost/update.htm)
    else
      echo "array already mounted"
    fi

stop file:

    #!/bin/bash
    #stop file with handlers for remote upload
    #removed custom vm shutdown script from here

    #====start push up an encrypted copy of the keyfile to a temporary file service
    if [ -f "/root/pushup.enc" ]; then
      rm "/root/pushup.enc"
    fi
    if [ -f "/root/keyfile" ]; then
      openssl enc -aes-256-cbc -pbkdf2 -iter 20000 -in /root/keyfile -out /root/pushup.enc -k RandomPassPhraseStringOne -pass pass:StaticEncryptPassword
      if [ -s "/root/pushup.enc" ]; then
        SUCCESS=0
        FINALURL=""
        echo "tmpfiles.org try"
        DATARETURN=$(curl -F "file=@/root/pushup.enc" https://tmpfiles.org/api/v1/upload )
        #jq r option drops quotes
        STATUS=$(jq -r '.status' <<<"$DATARETURN")
        if [[ $STATUS == "success" ]]; then
          URLDATARET=$(jq -r '.data' <<<"$DATARETURN")
          URLRET=$(jq -r '.url' <<<"$URLDATARET")
          if [ "x$URLRET" = "x" -o "$URLRET" = "null" ];then
            echo "error extracting url"
          else
            #add the /dl to the url for direct download, otherwise this downloads the webpage not the file
            FINALURL="${URLRET/tmpfiles.org/"tmpfiles.org/dl"}"
            SUCCESS=1
          fi
        else
          echo "tmpfiles.org failed upload"
        fi
        #if not success, try others
        if [ $SUCCESS -eq 0 ]; then
          echo "file.io try"
          DATARETURN=$(curl -F "file=@/root/pushup.enc" "https://file.io/?expires=60m")
          STATUS=$(jq -r '.success' <<<"$DATARETURN")
          if [[ $STATUS == "true" ]]; then
            FINALURL=$(jq -r '.link' <<<"$DATARETURN")
            if [ "x$FINALURL" = "x" -o "$FINALURL" = "null" ];then
              echo "error extracting url"
            else
              SUCCESS=1
            fi
          else
            echo "file.io failed upload"
          fi
        fi
        #if not success, try others
        if [ $SUCCESS -eq 0 ]; then
          echo "transfer.sh try"
          FINALURL=$(curl -H "Max-Downloads: 1" -H "Max-Days: 1" --upload-file "/root/pushup.enc" https://transfer.sh/pushup.enc)
          if [ "x$FINALURL" = "x" -o "$FINALURL" = "null" ];then
            echo "error extracting url"
          else
            SUCCESS=1
          fi
        fi
        #finally write file
        if [ $SUCCESS -eq 1 ]; then
          echo "${FINALURL}" > "/boot/config/keyfile_remote.hint"
        fi
      else
        echo "pushup.enc not found or empty!"
      fi
    else
      echo "no keyfile found!"
    fi
    #=========end push up

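One way to tighten the wrap and download steps of the go/stop scripts above, as an added example that is not scorcho99's script: the stop side records the SHA-256 of the encrypted blob next to the URL, and the go side refuses to decrypt anything that does not match (for instance when a web page comes back instead of the file), with the passphrase read from a file rather than the command line. The function names and the passphrase-file argument are assumptions, and the data in demo() is constructed.

```shell
#!/bin/bash
# Added example, not scorcho99's script. Function names and the passphrase
# file argument are hypothetical; the data used in demo() is constructed.

# Encrypt keyfile $1 into $2. The passphrase is the first line of file $3, so
# it does not appear in the process list the way "-pass pass:..." does.
wrap_keyfile() {
  openssl enc -aes-256-cbc -pbkdf2 -iter 20000 -in "$1" -out "$2" -pass "file:$3"
}

# Hex SHA-256 of the encrypted blob. Stored beside the URL in the hint file,
# it lets the go side detect a replaced or truncated download.
blob_sha256() {
  sha256sum "$1" | cut -d' ' -f1
}

# Decrypt blob $1 into $2 only if its hash equals $4 (recorded at upload).
# Output goes to a temp file first, so a failed run never leaves a bad keyfile.
unwrap_keyfile() {
  local blob=$1 out=$2 passfile=$3 want=$4 tmp
  [ -s "$blob" ] && [ "$(blob_sha256 "$blob")" = "$want" ] || return 1
  tmp=$(mktemp "${out}.XXXXXX") || return 1
  if openssl enc -d -aes-256-cbc -pbkdf2 -iter 20000 -in "$blob" -out "$tmp" \
       -pass "file:$passfile" 2>/dev/null && [ -s "$tmp" ]; then
    mv "$tmp" "$out"
  else
    rm -f "$tmp"
    return 1
  fi
}

# Round trip on constructed data: the recorded blob unlocks, a swapped one is refused.
demo() {
  local d sum rc=0
  d=$(mktemp -d) || return 1
  printf 'constructed-sample-key\n' > "$d/keyfile"
  printf 'constructed-wrapping-passphrase\n' > "$d/pass"
  wrap_keyfile "$d/keyfile" "$d/blob.enc" "$d/pass" || rc=1
  sum=$(blob_sha256 "$d/blob.enc")
  unwrap_keyfile "$d/blob.enc" "$d/out" "$d/pass" "$sum" || rc=1
  cmp -s "$d/keyfile" "$d/out" || rc=1
  printf '<html>not the blob</html>' > "$d/blob.enc"   # a web page came back instead
  unwrap_keyfile "$d/blob.enc" "$d/out2" "$d/pass" "$sum" && rc=1
  [ ! -e "$d/out2" ] || rc=1
  rm -rf "$d"
  return $rc
}

demo && echo "keyfile round trip ok"
```

The hash is taken over the ciphertext, not the keyfile, so keeping it on the flash drive next to the URL does not add a second copy of anything derived from the key.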