JesterEE Posted November 3, 2019

20 minutes ago, JohnS said:
    All the methods above are using servers on the LAN or remotely, which I can see the use case for, but could Unraid also use a similar method as BitLockered Microsoft Windows, using an inserted USB flash drive which has the keyfile on it?

You can, but I don't really see the point. Physical access to the drives gives physical access to the USB key, and your encryption is no longer really helping you keep your data safe.
JohnS Posted November 3, 2019

You would remove the key after booting/rebooting, as I do now with my Windows machine. If I'm away from home, my wife has a copy of the USB key so she can restart the Windows server to access her files. I'm looking to replace the Windows machine with Unraid, so the same method would be helpful.
Reynald Posted November 26, 2019 (edited)

Hello all,

I just set a similar thing up, but Unraid is the slave of a "keyserver" that is a Pi on my network. Here is the script used on the Pi. It can be called every minute by a cron task:

    #!/bin/bash
    server_adress="192.168.1.234"
    server_mac="00:A1:B2:3C:4D:EF"
    ssh_key="/root/.ssh/id_rsa"
    decryption_key="/root/.ssh/keyfile"
    # This file lives on an encrypted disk, so it is only visible once the array is mounted.
    decrypted_testfile="/mnt/disk4/.decrypted"
    boot_time="140s"

    echo ""
    echo "Checking connectivity:"
    if ping -c1 $server_adress >/dev/null; then
        echo "- Server online"
    else
        echo "- Oups, server offline"
        echo "- Waking up server on lan"
        wakeonlan -i $server_adress $server_mac
        echo "- Waiting $boot_time for server to start"
        sleep $boot_time
    fi
    echo ""
    if ssh -q -i $ssh_key root@$server_adress [[ -f $decrypted_testfile ]]; then
        echo "- Decrypted"
        # Array is already up: make sure no key is left behind on the server.
        if ssh -q -i $ssh_key root@$server_adress [[ -f /root/keyfile ]]; then
            echo "- Deleting decryption key"
            ssh -i $ssh_key root@$server_adress 'rm /root/keyfile'
        fi
    else
        echo "- Encrypted"
        echo "- Sending decryption key.."
        scp -i $ssh_key $decryption_key root@$server_adress:/root/keyfile
        echo "- Starting emhttp.."
        echo "- Waiting for array.."
        ssh -i $ssh_key root@$server_adress '/usr/local/sbin/emhttp &'
        while ! ssh -q -i $ssh_key root@$server_adress [[ -f $decrypted_testfile ]]; do
            sleep 5
        done
        echo "- Array mounted and decrypted"
        echo "- Deleting decryption key"
        ssh -i $ssh_key root@$server_adress 'rm /root/keyfile'
        echo ""
        echo "All done!"
    fi
    echo ""

Note: to be adapted according to your needs. server.local is to be replaced by the Unraid IP if not resolved.

If you have any comment/question, please tell/ask.

Edited November 26, 2019 by Reynald
dweb Posted January 4, 2020

This forum helped me a lot, so I also wanted to share my "Unlocking" process for Unraid; maybe this is interesting to someone. My goal was kind of a 2-factor authentication with my phone, to be able to react if UNRAID boots up when I am not home to see what happened. Maybe you have some more ideas, or please let me know if there are any security breaches/concerns, as I am quite new to the Linux world.

My go file looks like this:

    #!/bin/bash
    # Start the Management Utility
    /usr/local/sbin/emhttp &

    # Send Pushover message that UNRAID started and needs the keyfile
    curl -s \
      --form-string "token=TOKENID" \
      --form-string "user=USERID" \
      --form-string "message=UNRAID STARTED" \
      --form-string "priority=1" \
      https://api.pushover.net/1/messages.json

This means after a reboot I get a Pushover notification on my Android. The buzzword "UNRAID STARTED" triggers Tasker to close this Pushover notification and instead show me a new notification with a button "UNLOCK" on it. This Unlock button will trigger my OpenVPN to access my local network, then it will ssh into my Unraid server with the following command:

    ssh root@SERVER "pkill emhttpd && echo -n 'YOUR-KEY-HERE' > /root/keyfile && /usr/local/sbin/emhttp"

Especially on the last part with the pkill emhttpd I am not sure if this is a clean solution. Probably you have better ideas.
ken-ji Posted January 4, 2020

@dweb emhttp is not meant to be restarted AFAIK. You might want to just move the emhttp startup to the very end, while doing a loop waiting for the keyfile before starting emhttp. This is untested and might have a nasty side effect of disabling the unRAID GUI until you've provided the keyfile.

    # Block until the keyfile has been delivered, checking once a minute
    while [ ! -f /root/keyfile ]; do
        sleep 60
    done

Maybe the others know the CLI command for stopping and starting the array, so you can restart it instead.
dweb Posted January 4, 2020

I was further searching in the forum and ended up with the following code, which my phone sends via ssh:

    echo -n 'YOUR_KEY' > /root/keyfile \
      && CSRF=$(cat /var/local/emhttp/var.ini | grep -oP 'csrf_token="\K[^"]+') \
      && curl -k --data "startState=STOPPED&file=&csrf_token=${CSRF}&cmdStart=Start&luksKey=/root/keyfile" http://localhost/update.htm

First it generates the keyfile, then it reads the CSRF token for the web UI, then it starts the array with the token and the keyfile. Seems to work so far.
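As an added example (not dweb's or Unraid's own code), here is the same unlock flow as a script kept on the server: the passphrase is read from stdin rather than placed in the ssh command line, the CSRF token is parsed from var.ini, the array is started through update.htm, and the keyfile is removed once the array is up. It assumes var.ini at /var/local/emhttp/var.ini, the update.htm endpoint from the post, and that var.ini reports mdState="STARTED" once the array is running.

```shell
#!/bin/bash
# Added example, not from the thread or from Unraid. Assumptions: var.ini path,
# the update.htm endpoint used in the post, and mdState="STARTED" in var.ini.
set -u

VAR_INI="${VAR_INI:-/var/local/emhttp/var.ini}"
KEYFILE="${KEYFILE:-/root/keyfile}"

# Print the csrf_token value from an emhttp var.ini (nothing if absent).
csrf_token_from_ini() {
    sed -n 's/^csrf_token="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print a quoted key="value" setting (e.g. mdState) from var.ini.
ini_value() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Write the passphrase from stdin to the keyfile, root-only, newline stripped,
# so the secret never appears in a process listing as an echo argument.
write_keyfile() {
    ( umask 077; tr -d '\n' > "$KEYFILE" )
    chmod 600 "$KEYFILE"
}

# Start the array via the web UI, wait up to two minutes, then delete the key.
unlock_array() {
    local csrf tries=0
    csrf=$(csrf_token_from_ini "$VAR_INI")
    [ -n "$csrf" ] || { echo "no csrf token in $VAR_INI" >&2; return 1; }
    curl -sk --data "startState=STOPPED&file=&csrf_token=${csrf}&cmdStart=Start&luksKey=${KEYFILE}" \
        http://localhost/update.htm >/dev/null
    while [ "$tries" -lt 24 ]; do
        [ "$(ini_value "$VAR_INI" mdState)" = "STARTED" ] && break
        sleep 5
        tries=$((tries + 1))
    done
    # Key is only needed while the array is starting: remove it either way.
    shred -u "$KEYFILE" 2>/dev/null || rm -f "$KEYFILE"
    [ "$(ini_value "$VAR_INI" mdState)" = "STARTED" ]
}

# From the phone, with this file saved as /boot/custom/bin/unlock.sh:
#   printf '%s' "$PASSPHRASE" | ssh root@SERVER '. /boot/custom/bin/unlock.sh && write_keyfile && unlock_array'
```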
Shad0wWulf Posted January 12, 2020

On 1/4/2020 at 2:02 AM, dweb said:
    This forum helped me a lot, so I also wanted to share my "Unlocking" process for Unraid; maybe this is interesting to someone. My goal was kind of a 2-factor authentication with my phone, to be able to react if UNRAID boots up when I am not home to see what happened. Maybe you have some more ideas, or please let me know if there are any security breaches/concerns, as I am quite new to the Linux world.

    My go file looks like this:

        #!/bin/bash
        # Start the Management Utility
        /usr/local/sbin/emhttp &

        # Send Pushover message that UNRAID started and needs the keyfile
        curl -s \
          --form-string "token=TOKENID" \
          --form-string "user=USERID" \
          --form-string "message=UNRAID STARTED" \
          --form-string "priority=1" \
          https://api.pushover.net/1/messages.json

    This means after a reboot I get a Pushover notification on my Android. The buzzword "UNRAID STARTED" triggers Tasker to close this Pushover notification and instead show me a new notification with a button "UNLOCK" on it. This Unlock button will trigger my OpenVPN to access my local network, then it will ssh into my Unraid server with the following command:

        ssh root@SERVER "pkill emhttpd && echo -n 'YOUR-KEY-HERE' > /root/keyfile && /usr/local/sbin/emhttp"

    Especially on the last part with the pkill emhttpd I am not sure if this is a clean solution. Probably you have better ideas.

Hey, your Tasker script sounds amazing! Any chance of sharing it?
rragu Posted February 10, 2020

Hi, I believe that starting with 6.8, unRAID no longer saves a passphrase to a keyfile. So, does this mean the only way to autostart an encrypted array is to use a keyfile?

Assuming there is some way to autostart using a passphrase: I have my server at my parents' place since they have gigabit internet and I don't. I generally use the OpenVPN docker to administer the server, although I do have a Raspberry Pi on their LAN that I connect to via VNC if OpenVPN isn't working properly. I was planning on storing the passphrase on the Raspberry Pi and having the server retrieve it via SMB at start. Is that advisable, or should I configure it some other way? Any security concerns/issues to navigate?
deaerator Posted February 15, 2020

On 4/2/2018 at 10:01 AM, bonienl said:
    A small variation if you want the key to be not locally present on the system when operational: the key is only needed during startup of the array. In the go file the following is included before starting emhttp.

        # auto unlock array
        mkdir -p /usr/local/emhttp/webGui/event/starting
        mkdir -p /usr/local/emhttp/webGui/event/started
        mkdir -p /usr/local/emhttp/webGui/event/stopped
        cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/starting
        cp -f /boot/custom/bin/delete_key /usr/local/emhttp/webGui/event/started
        cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/stopped
        # start webGUI
        /usr/local/sbin/emhttp &

    The above makes use of the built-in event system of unRAID. These events are created:

    starting: this event is called before the array is started and is used to fetch the key from a remote source
    started: this event is called after the array is fully operational and is used to delete the key locally
    stopped: this event is called after the array is stopped and is used to fetch the key again from a remote source

    The script "fetch_key" can be any method to obtain the key remotely, e.g. using a mount method or an FTP (wget) method as explained in the video of @gridrunner. The script "delete_key" is a simple file to delete the key locally.

    fetch_key

        #!/bin/bash
        # Only fetch when no key is present yet
        if [[ ! -e /root/keyfile ]]; then
            mkdir -p /unlock
            mount -t cifs -o user=name,password=password,iocharset=utf8 //192.168.1.99/index /unlock
            cp -f /unlock/somefile.png /root/keyfile
            umount /unlock
            rm -r /unlock
        fi

    delete_key

        #!/bin/bash
        rm -f /root/keyfile

    You can start and stop the array as usual, and the key will be automatically fetched each time, provided that the remote service is up and running. The files "fetch_key" and "delete_key" need to be stored on your flash device. I've created the folder /custom/bin to hold my custom scripts, but one is free to choose their own source folder; please update the lines in the go file accordingly.

Did something break in the latest Unraid? I had this set up exactly like this, and when the update happened, my array doesn't start automatically. I have to put the keyfile in every time. I'm running NVIDIA Unraid 6.8.2.
ken-ji Posted February 15, 2020

In the 6.8 series, the USB drive is now mounted with execute permissions. So when you copy scripts from the USB, the scripts need to be marked executable with

    # The event directories live under /usr/local/emhttp (same path as the cp lines in the go file)
    chmod a+x /usr/local/emhttp/webGui/event/starting/fetch_key
    chmod a+x /usr/local/emhttp/webGui/event/started/delete_key
deaerator Posted February 15, 2020

Do I add that to the script somewhere?
bonienl Posted February 15, 2020 (Author)

19 minutes ago, deaerator said:
    Do I add that to the script somewhere?

You need to add these commands to the 'go' script after the 'cp' commands in the "auto unlock array" section.
deaerator Posted February 15, 2020

It worked, thank you.
HondSchaap Posted February 20, 2020

I didn't really like being reliant on an externally hosted share or network connectivity, so I chose a different path. The way I solved it was by using a hardware-encrypted USB drive. I bought an iStorage Datashur Pro, but there are cheaper drives available on Amazon which offer hardware encryption. Basically, I decrypt the drive, stick it in my system and use bonienl's script to mount and copy the keyfile off of it. As long as the drive is powered, the drive stays decrypted, so it survives reboots and remains accessible. When power to the thumb drive is cut off, the drive re-encrypts itself and keeps the keyfile safe.
jayriavieock Posted April 18, 2020

I'm having trouble getting the automount to work from the @SpaceInvaderOne video. I tested with the same keyfile on the flash drive and it automounts, but when I switch to:

    wget --ftps-implicit --user=user --password='password' ftp://ftp.example.com/keyfile -O /root/keyfile

it doesn't automount at all. It keeps saying wrong encryption key when it isn't. Has anyone figured this out? I'm new to Unraid and can't figure out why it's not working.
jayriavieock Posted April 18, 2020

15 hours ago, jayriavieock said:
    I'm having trouble getting the automount to work from the @SpaceInvaderOne video. I tested with the same keyfile on the flash drive and it automounts, but when I switch to:

        wget --ftps-implicit --user=user --password='password' ftp://ftp.example.com/keyfile -O /root/keyfile

    it doesn't automount at all. It keeps saying wrong encryption key when it isn't. Has anyone figured this out? I'm new to Unraid and can't figure out why it's not working.

I figured out the issue. FileZilla kept uploading it as ASCII file type instead of binary. It kept changing the file size ever so slightly and making the keyfile invalid. Got it working now! So, if uploading via FileZilla, make sure to upload as binary.
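As an added example (not jayriavieock's, SpaceInvaderOne's or Unraid's own code), a fetch_key variant that downloads to a temporary file and installs it as /root/keyfile only if its SHA-256 matches a digest kept on the flash drive, so a keyfile mangled by an ASCII-mode upload is rejected up front instead of producing "wrong encryption key" at array start. It assumes a digest file at /boot/custom/keyfile.sha256, the wget FTPS options from the post, and FTP_USER/FTP_PASS environment variables.

```shell
#!/bin/bash
# Added example, not from the thread or from Unraid. Assumptions: digest file
# on the flash drive, the wget FTPS options from the post, FTP_USER/FTP_PASS.
set -u

KEY_URL="${KEY_URL:-ftp://ftp.example.com/keyfile}"          # placeholder host from the post
EXPECTED_SHA="${EXPECTED_SHA:-/boot/custom/keyfile.sha256}"  # hex digest of the real keyfile
DEST="${DEST:-/root/keyfile}"
FTP_USER="${FTP_USER:-user}"
FTP_PASS="${FTP_PASS:-password}"

# Hex SHA-256 of a file; works with coreutils sha256sum or BSD shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Install candidate $1 at $3 only if its SHA-256 equals $2 (hex).
# On mismatch the candidate is deleted, nothing is written to $3, and 1 is returned.
verify_and_install_key() {
    local candidate="$1" expected="$2" dest="$3" actual
    actual=$(sha256_of "$candidate")
    if [ "$actual" != "$expected" ]; then
        echo "keyfile digest mismatch: got $actual, expected $expected" >&2
        rm -f "$candidate"
        return 1
    fi
    chmod 600 "$candidate"          # root-only before it becomes the live keyfile
    mv -f "$candidate" "$dest"      # atomic rename: never a half-written keyfile
}

fetch_key() {
    [ -e "$DEST" ] && return 0      # same guard as bonienl's fetch_key
    local tmp
    tmp=$(mktemp /root/keyfile.XXXXXX) || return 1
    # Download to a temp file first so a failed transfer never becomes /root/keyfile.
    if ! wget -q --ftps-implicit --user="$FTP_USER" --password="$FTP_PASS" "$KEY_URL" -O "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    verify_and_install_key "$tmp" "$(tr -d '[:space:]' < "$EXPECTED_SHA")" "$DEST"
}
```

The digest file is produced once from the known-good keyfile (for example with sha256sum) and copied to the flash drive alongside the scripts.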
teh0wner Posted May 2, 2020

How would one go about auto-unlocking from a remote source if encryption was set up with a passphrase?
itimpi Posted May 2, 2020

Just now, teh0wner said:
    How would one go about auto-unlocking from a remote source if encryption was set up with a passphrase?

If you set up the WireGuard VPN that is now built into Unraid, that would allow you to securely remotely access the Unraid server (and thus its GUI to start the array) even without the array started.
teh0wner Posted May 2, 2020 (edited)

59 minutes ago, itimpi said:
    If you set up the WireGuard VPN that is now built into Unraid, that would allow you to securely remotely access the Unraid server (and thus its GUI to start the array) even without the array started.

It's more a question of what if I'm unavailable to enter the passphrase, rather than not being able to. People reliant on the server would have to wait for me to enter the passphrase, whereas I would prefer to automate this process with FTP or similar. The only downside is I don't have a keyfile to follow the tutorials. Unless it's just a matter of

    echo "passphrase" > keyfile

?

Edit: Indeed, that's the way.

Edited May 2, 2020 by teh0wner
teh0wner Posted May 3, 2020

On 2/15/2020 at 12:08 PM, bonienl said:
    You need to add these commands to the 'go' script after the 'cp' commands in the "auto unlock array" section.

I'm having some issues with the permissions as well. Even adding the chmod in go, it doesn't seem to apply on boot.

    root@XXX-XXXX:/usr/local/emhttp/webGui/event/starting# ls -ltra
    total 4
    drwxr-xr-x 9 root root 180 May  3 10:54 ../
    -rw------- 1 root root 164 May  3 10:54 fetch_key
    drwxrwxrwx 2 root root  60 May  3 10:54 ./

And my go looks like this:

    root@XXX-XXX:/boot/config# cat go
    #!/bin/bash
    # auto unlock array
    mkdir -p /usr/local/emhttp/webGui/event/starting
    mkdir -p /usr/local/emhttp/webGui/event/started
    mkdir -p /usr/local/emhttp/webGui/event/stopped
    cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/starting
    cp -f /boot/custom/bin/delete_key /usr/local/emhttp/webGui/event/started
    cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/stopped
    chmod a+x /usr/local/emhttpd/webGui/event/starting/fetch_key
    chmod a+x /usr/local/emhttpd/webGui/event/started/delete_key
    chmod a+x /usr/local/emhttpd/webGui/event/stopped/fetch_key
    # Start the Management Utility
    /usr/local/sbin/emhttp &

The actual fetch_key and delete_key scripts work fine, as when I chmod them manually and run them, they work.
I Enjoy Creating Videos Posted August 11, 2020

Is there a way I can store the keyfile on a USB stick, then when Unraid boots up it would see that other USB stick that is plugged in to the server and auto boot the keyfile? Like, would I just edit the "GO file"? If so, how would I do that so it would work? Thanks
Henrikus Posted August 31, 2020

Hi, I just updated my server to > 6.8 and "fell" into the permissions issue with my go file using a "fetch_key" and "delete_key" as described in this thread. I just wanted to summarize what I found to be working now. According to this post, all we have to do is add another copy and a chmod. So now the section in my "go file" for the "fetch_key" looks like this:

    mkdir -p /usr/local/emhttp/webGui/event/starting
    mkdir -p /usr/local/emhttp/webGui/event/started
    mkdir -p /usr/local/emhttp/webGui/event/stopped
    # copy to /tmp first: the flash drive is mounted without execute permission
    cp -f /boot/custom/bin/fetch_key /tmp
    cp -f /boot/custom/bin/delete_key /tmp
    chmod a+x /tmp/fetch_key
    chmod a+x /tmp/delete_key
    cp -f /tmp/fetch_key /usr/local/emhttp/webGui/event/starting
    cp -f /tmp/delete_key /usr/local/emhttp/webGui/event/started
    cp -f /tmp/fetch_key /usr/local/emhttp/webGui/event/stopped

The "fetch_key" and "delete_key" files needed no changes on my setup.
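The permission problem in the last few posts (scripts copied from the flash drive arrive without the execute bit, and a chmod against a mistyped path such as /usr/local/emhttpd fails silently) can be handled in one step with install(1). This is an added example, not bonienl's, ken-ji's or Unraid's own code; it assumes the scripts live in /boot/custom/bin and the event root is /usr/local/emhttp/webGui/event, both overridable as arguments.

```shell
#!/bin/bash
# Added example, not from the thread or from Unraid. Assumptions: scripts in
# /boot/custom/bin and the event root /usr/local/emhttp/webGui/event.
set -u

# install_event_scripts [SRC_DIR] [EVENT_ROOT]
# Copies fetch_key/delete_key into the starting/started/stopped event
# directories with mode 755 and verifies the result before emhttp is started.
install_event_scripts() {
    local src="${1:-/boot/custom/bin}" root="${2:-/usr/local/emhttp/webGui/event}"
    local hook
    # The webGui directory is part of the running system; if it is missing,
    # the event root path is mistyped and nothing below would take effect.
    [ -d "$(dirname "$root")" ] || { echo "no webGui directory at $(dirname "$root")" >&2; return 1; }
    for hook in fetch_key delete_key; do
        [ -f "$src/$hook" ] || { echo "missing $src/$hook" >&2; return 1; }
    done
    # install copies and sets the mode in one step, so the noexec mount of the
    # flash drive does not matter and no separate chmod is needed.
    install -d -m 755 "$root/starting" "$root/started" "$root/stopped" || return 1
    install -m 755 "$src/fetch_key"  "$root/starting/fetch_key"  || return 1
    install -m 755 "$src/delete_key" "$root/started/delete_key"  || return 1
    install -m 755 "$src/fetch_key"  "$root/stopped/fetch_key"   || return 1
    # Fail loudly if any hook is not executable, instead of finding out at array start.
    for hook in starting/fetch_key started/delete_key stopped/fetch_key; do
        [ -x "$root/$hook" ] || { echo "$root/$hook is not executable" >&2; return 1; }
    done
}

# In the go file, before "/usr/local/sbin/emhttp &":
#   install_event_scripts || echo "event hook install failed, array will not auto-unlock" >&2
```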
nearcatch Posted November 19, 2020

On 7/13/2019 at 2:14 PM, beckp said:
    I thought I'd share how you can enhance the go file by reducing the six lines to a single command, and it's not by using another script. You can create a tarball that contains the fetch_key and delete_key scripts. The go file calls the tar command. The tarball files are extracted and event directories are created. You MUST have a fully functioning auto-start that unlocks using the event directories. This works with FTP or SMB fetch_key scripts.

I used the tarball method shared by beckp and it works in 6.9.0 beta 35. Simply one line in the go file and one tarball stored on the flash drive, and now my unRAID dynamically pulls the encryption key off of a local server when needed.
beckp Posted November 25, 2020

hasown - Glad you like it. It even solves the permission issue before it became an issue. Sure makes the go file clean. It's been over a year and it appears only you have tried it.

I "obfuscated" the fetch_key script. The IP address, user name, share name and key file name are obscured. Sure, it can be hacked, but it's better than plain text. If anyone is interested I'll share it.

As stated earlier in this topic, I've got a headless Raspberry Pi Zero W operating as my server.
beckp Posted November 25, 2020

JPs -

On 8/11/2020 at 7:20 AM, JP s said:
    Is there a way I can store the keyfile on a USB stick, then when Unraid boots up it would see that other USB stick that is plugged in to the server and auto boot the keyfile? Like, would I just edit the "GO file"? If so, how would I do that so it would work? Thanks

Take a look at this post: https://forums.unraid.net/topic/61408-where-does-disk-encryption-stand/?do=findComment&comment=637835