Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Where does disk encryption stand?

Featured Replies

Is there any particular reason Unraid doesn't use the TPM to store the key? Is this a Linux thing? Or more of a file system thing? It's just strange coming from Windows is all...

  • Replies 130
  • Views 41.6k
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • To add on what bonienl said...   In current 6.4.0-rc series unRAID uses the default settings for LUKS as defined by current version of cryptsetup.  These have been chosen by the developers t

  • You can change the passphrase/keyfile without reformatting but you have to use the 'cryptsetup' command to do it. First you have to add your new passphrase: cryptsetup luksAddKey /dev/md1 #

  • Not exactly.  When you initially decide to use encryption you have to decide, "Am I going to use a passphrase or a file as my encryption/decryption method?".   If you use passphrase, this is

Posted Images

2 hours ago, xRadeon said:

Is there any particular reason Unraid doesn't use the TPM to store the key? Is this a Linux thing? Or more of a file system thing? It's just strange coming from Windows is all...

Even coming from linux, it's rather peculiar to have such importance put on a USB stick. And it seems insecure. You grab the stick, change config and you have full remote access to everything on the server. I don't know, I would not design it this way either.

I'm experienced closing down co-located hardware in ways that prevent datacenter personnel or thieves from easily getting access to the data and servers. A USB stick with the bootloader and full config is not exactly how I would do that..

Edited by fluisterben

The passphrase (or key-file) to unlock encryption is not stored permanently on the system or the USB device at all.

The passphrase (or key-file) is needed to start the encrypted array. At this point the system asks for input and saves it in the folder /root (in RAM).

Once the array is started the file in /root isn't needed anymore and the GUI offers the possibility to delete it. This prevents any theft or security breach..

File deletion however means that when the array is stopped and restarted, it is necessary to enter the previous passphrase (key-file) information again.

 

Many new users are needlessly concerned about the role of the USB flash drive Unraid boots from.

 

Here is one way to think of this.

 

Unraid is an "embedded" system, like many NAS, or your router, or other devices that have "firmware". The OS is loaded from the "firmware" into RAM, and the OS runs completely in RAM.

 

The USB flash drive in Unraid is "firmware" that is easily updated, easily backed up, easily replaced. And because all these things are easily accessible, it is impossible to "brick" this "firmware".

19 hours ago, trurl said:

The USB flash drive in Unraid is "firmware" that is easily updated, easily backed up, easily replaced. And because all these things are easily accessible, it is impossible to "brick" this "firmware".

Not sure if that would be reassuring for newcomers. ;-) It's the "easily updated" thing that makes it less secure. Unraid doesn't use a key-exchange or encrypted file-hash check over TLS or anything of that nature. Again, I'd advice to implement an alteration of CSF/LFD scripts built in the OS. At the very least you need to inform the user when files on the USB stick have been altered by something other than Lime tech themselves. Directory and file watching, with a default set of dirs and files. Thus far I've not seen unraid do anything of that nature. For now we should see unraid as a DMZ and treat it as such, but still, the easily removable flash with its firmware, hmm.

For our use here at home I'm not worried, because our unraid hardware is very well hidden, but any USB stick that can be pulled out, which itself isn't encrypted in any way, on which you can easily put something that boots for your remote exploit is not 'secure'; You take it out, put it in a laptop or smartphone, change config or plant that exploit, put it back in, powercycle the server, and you have your remote root access, done in 1 minute flat. Just sayin'.

  • 2 years later...

Does anyone backup their luksHeader to a bin file in case of corruption? Is there any scenario where having it would save you from data loss?

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.