Jump to content
bonienl

How to enable encryption in unRAID 6.4-rc8q

23 posts in this topic Last Reply

Recommended Posts

For those who are interested in using encryption, here follows a short tutorial.

 

FIRST: when adding or removing encryption to/from a device, it needs to be formatted and ALL data on it is LOST.

 

1. Start your system with the array stopped or stop the array if it is already running

2. Go to settings -> Encryption Settings

2. Go to Main page

 

imageproxy.php?img=&key=00b562fcac28e727rc8-demo1.thumb.png.68b2438ef72a6c80ae6743a75ca312ae.png

 

3. You need to enter either a passphrase or select a keyfile, which is used to encrypt and decrypt the content of the device(s) with encryption enabled.

 

Forgetting the passphrase or loosing the keyfile will result in NO RECOVERY of the encrypted device content.

 

rc8-demo2.thumb.png.11075ed2287b5e5b4f8a30a48528002b.png

 

4. Once a passphrase is entered or keyfile is selected, click Apply and go to the MAIN page. Here click on the device for which you want to enable encryption.

5. Change the File system type to one of the available encrypted choices

 

rc8-demo3.thumb.png.6d329d992d03c47ad86c950ba6a39b8c.png

 

6. Start the array. Any new device with encryption enabled will be shown as unmountable.

 

rc8-demo4.thumb.png.67f9bb0bd7550e485e6423dc041652cb.png

 

7. The device needs to be formatted, and prepared for encrypted content.

 

rc8-demo5.thumb.png.6765e823fe952b5c458967e0769326e1.png

 

8. Once formatting is finished, the newlt encrypted device is available in the array. And a green padlock is shown to indicate the encryption status.

 

rc8-demo6.thumb.png.287b59b97dfca007d7259b1f68f6a878.png

 

That's it. Enjoy your encrypted content!

 

 

Edited by bonienl
  • Upvote 1

Share this post


Link to post
32 minutes ago, johnnie.black said:

How do you check filesystem on an encrypted disk? Normal way doesn't work, there's also no GUI option for it.

 

That is something for Tom to answer. Since the LUKS encryption is an extra layer in between, I am not sure how disk repair utilities handle this situation.

 

Share this post


Link to post
7 hours ago, johnnie.black said:

How do you check filesystem on an encrypted disk? Normal way doesn't work, there's also no GUI option for it.

 

Same as non-encrypted: start in Maintenance mode.  However, there is a bug in -rc8q which prevents 'Check' from being displayed - fixed in next -rc.

 

Also: implemented suggestion from @ljm42 to not let you choose an encrypted file system unless you have an encryption key set.

  • Upvote 1

Share this post


Link to post
Just now, limetech said:

Same as non-encrypted: start in Maintenance mode.

 

I tried that and it didn't work, e.g., start in maintenance mode and run xfs_repair /dev/mdX

Share this post


Link to post
1 minute ago, johnnie.black said:

 

I tried that and it didn't work, e.g., start in maintenance mode and run xfs_repair /dev/mdX

 

Right, that's fixed in next release.

Share this post


Link to post

Is this not available in the 6.4.0_rc15e trial version?

settings -> Encryption Settings ; doesn't exist for me.

Edited by shai

Share this post


Link to post
Is this not available in the 6.4.0_rc15e trial version?

settings -> Encryption Settings ; doesn't exist for me.

 

It changed, select an encrypted filesystem for one of your devices and you'll see the encryption options on the main page.

 

 

Share this post


Link to post

If your existing drive is full and want to Encrypt is there a best method. 

 

Ie buy a second drive, Encrypt, copy date from full drive to new encrypted drive?

 

EDIT: Bonienl, thanks for the guide. 

 

 

Edited by Greygoose

Share this post


Link to post
  1. Any plan to add backup/restore for LUKS header information, without requiring the user to switch to command-line mode?
  2. Any plan to add a button for pre-fill with a scratch key? It's a recommended practice to do a full write pass (normally copying from /dev/zero while encrypting using a temporary LUKS key) of the full disk surface before creating the encrypted file system, to make sure that a viewer can't analyze the disk and figure out what is unused disk space and what is real file data.
  3. Any plan for supporting more than one passphrase? LUKS can have several key slots allowing multiple passphrases. This means multiple persons can be given individual passphrases and one specific passphrase can later be invalidated while still giving access to the data using one of the other passphrases.

Share this post


Link to post
6 hours ago, pwm said:

Any plan to add backup/restore for LUKS header information, without requiring the user to switch to command-line mode?

 

Yes.

 

6 hours ago, pwm said:

Any plan to add a button for pre-fill with a scratch key? It's a recommended practice to do a full write pass (normally copying from /dev/zero while encrypting using a temporary LUKS key) of the full disk surface before creating the encrypted file system, to make sure that a viewer can't analyze the disk and figure out what is unused disk space and what is real file data.

 

Perhaps we will build a webGui based tool to do this. Of course you can accomplish via command line now.

6 hours ago, pwm said:

y plan for supporting more than one passphrase? LUKS can have several key slots allowing multiple passphrases.

 

Yes.

Share this post


Link to post

I watched spaceinvader one's tutorial on how to set up disk encryption but I can't seem to get the disk to encrypt.  SSL login is set up, I changed the default file system to xfs - encrypted under disk settings, stopped the array, removed a disk from the array so I could delete the partition, re-added the disk to the array, and restarted the array.  When I select to format the newly added disk, it formats as xfs.  Am I doing something wrong?

Share this post


Link to post
28 minutes ago, Aquamac said:

removed a disk from the array so I could delete the partition, re-added the disk to the array, and restarted the array

You don't need to remove the disk from the array, just stop the array, on the main page click on the disk, change filesystem to xfs encrypted, start the array and format the disk (all data on data disk will be lost)

Share this post


Link to post
6 minutes ago, johnnie.black said:

You don't need to remove the disk from the array, just stop the array, on the main page click on the disk, change filesystem to xfs encrypted, start the array and format the disk (all data on data disk will be lost)

 

Thanks jb.  I didn't know I could select the file system type on each disk.

Share this post


Link to post

Just wondering how you can change your encryption key without having to move all of the data off of the drive and reformat it?  Maybe I'm missing something really obvious?

Share this post


Link to post
46 minutes ago, dgriff said:

Just wondering how you can change your encryption key without having to move all of the data off of the drive and reformat it?  Maybe I'm missing something really obvious?

 

The encryption key you enter is not the key used to encrypt your device.  Instead, the key you enter decrypts the master key used to actually encrypt/decrypt you device.  The master key itself is randomly generated at the time the device encryption is set up and doesn't change.  There can be up to 8 encrypted copies of the master key, each with a different key or passphrase that unlocks it.  The link referenced by @tr0910 describes how to add additional encrypted master key copies via the command line.

Share this post


Link to post
Posted (edited)

No problem, I can do it through the command line with the command mentioned, just wasn't sure if there was a GUI option somewhere that I was missing to change a user key.  Was hoping this worked the same way as Veracrypt and the like and just using the user's key to encrypt the volume key so it can be modified easily.

Edited by dgriff

Share this post


Link to post
Posted (edited)
On 4/5/2018 at 2:37 AM, limetech said:

 

The encryption key you enter is not the key used to encrypt your device.  Instead, the key you enter decrypts the master key used to actually encrypt/decrypt you device.  The master key itself is randomly generated at the time the device encryption is set up and doesn't change.  There can be up to 8 encrypted copies of the master key, each with a different key or passphrase that unlocks it.  The link referenced by @tr0910 describes how to add additional encrypted master key copies via the command line.

 

I'm in the process of converting my array to an encrypted file system. Just to be absolutely sure, is the "master key" somehow embedded into the file system header on the disk itself or is it located somewhere on the boot volume? I'm pretty sure that I read that it's embedded in the header in that linked thread, but this technical stuff sometimes goes over my head (English is not my native tongue). I've had USB boot devices fail on me before and having such a key on the boot volume without backups would be enough to keep me awake at night...

Edited by sam19

Share this post


Link to post
3 hours ago, sam19 said:

 

I'm in the process of converting my array to an encrypted file system. Just to be absolutely sure, is the "master key" somehow embedded into the file system header on the disk itself or is it located somewhere on the boot volume? I'm pretty sure that I read that it's embedded in the header in that linked thread, but this technical stuff sometimes goes over my head (English is not my native tongue). I've had USB boot devices fail on me before and having such a key on the boot volume without backups would be enough to keep me awake at night...

 

Every encrypted volume will store a volume-unique encryption key in the volume header. These keys are automatically generated when the encrypted volumes are created.

That volume-unique encryption keys are stored encrypted in the volume header.

The volume header can store multiple slots of keys that can use different passphrases or key files to unlock the volume encryption key so the actual volume data can be accessed.

 

So you need to store a copy of the passphrase or key file needed to unlock the volume-unique encryption key.

 

If the purpose with the encrypted volumes is just to allow you to send in broken disks for warranty-replacement without worrying about the content, then you could keep a copy of the unlock passphrase/key file on the USB thumb drive.

 

If the goal is to make sure that a burglar (or the police) can't unlock the disks, then you need to figure out how/where you should store the unlock key. And then find a way to manually enter the key when unRAID boots.

 

Anyway - you must not forget the passphrase or in some way lose the key file needed to unlock. In that would happen, all you can do is generate a new encrypted volume since there would be no way to access the stored content.

Share this post


Link to post
Posted (edited)

Thank you for your answer, @pwm! The basic idea is clear to me now.

Edited by sam19

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now