Encryption and auto-start



20 minutes ago, JohnS said:

 

All the methods above are using servers on the LAN or remotely, which I can see the use case for, but could Unraid also use a similar method to BitLockered Microsoft Windows, using an inserted USB flash drive which has the keyfile on it?

You can, but I don't really see the point. Physical access to the drives gives physical access to the USB key, and your encryption is no longer really helping you keep your data safe.

Link to comment

You would remove the key after booting/rebooting, as I do now with my Windows machine. If I'm away from home, my wife has a copy of the USB key so she can restart the Windows server to access her files.

I'm looking to replace the windows machine with Unraid, so the same method would be helpful.

Link to comment
  • 4 weeks later...

Hello all,

 

I just set a similar thing up, but Unraid is a slave of a "keyserver", which is a Pi on my network.

 

Here is the script used on the pi. It can be called every minute by a cron task:

#!/bin/bash
server_adress="192.168.1.234"
server_mac="00:A1:B2:3C:4D:EF"
ssh_key="/root/.ssh/id_rsa"
decryption_key="/root/.ssh/keyfile"
# marker file that only exists once the array is mounted and decrypted
decrypted_testfile="/mnt/disk4/.decrypted"
boot_time="140s"

echo ""
echo "Checking connectivity:"
if ping -c1 $server_adress >/dev/null; then
        echo "- Server online"
else
        echo "- Oups, server offline"
        echo "- Waking up server on lan"
        wakeonlan -i $server_adress $server_mac
        echo "- Waiting $boot_time for server to start"
        sleep $boot_time
fi
echo ""
# Array already decrypted: only make sure no key is left behind on the server
if ssh -q -i $ssh_key root@$server_adress [[ -f $decrypted_testfile ]]; then
        echo "- Decrypted"
        if ssh -q -i $ssh_key root@$server_adress [[ -f /root/keyfile ]]; then
                echo "- Deleting decryption key"
                ssh -i $ssh_key root@$server_adress 'rm /root/keyfile'
        fi
else
        # Array still encrypted: push the key, start emhttp, wait for the
        # marker file, then remove the key again
        echo "- Encrypted"
        echo "- Sending decryption key.."
        scp -i $ssh_key $decryption_key root@$server_adress:/root/keyfile
        echo "- Starting emhttp.."
        echo "- Waiting for array.."
        ssh -i $ssh_key root@$server_adress '/usr/local/sbin/emhttp &'
        while ! ssh -q -i $ssh_key root@$server_adress [[ -f $decrypted_testfile ]]; do
                sleep 5
        done
        echo "- Array mounted and decrypted"
        echo "- Deleting decryption key"
        ssh -i $ssh_key root@$server_adress 'rm /root/keyfile'
        echo ""
        echo "All done!"
fi
echo ""

Note: to be adapted according to your needs. server.local is to be replaced by the Unraid IP if it is not resolved.

 

If you have any comment/question, please tell/ask ;)

 

 

Link to comment
  • 1 month later...

 

This forum helped me a lot, so I also wanted to share my "Unlocking" process for Unraid; maybe this is interesting to someone.

 

My goal was kind of a 2-factor authentication with my phone, to be able to react if UNRAID boots up when I am not home and see what happened.

Maybe you have some more ideas or please let me know if there are any security breaches/concerns as I am quite new to the linux world.

 

My go file looks like this:

#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &

# Send Pushover message that UNRAID started and needs the keyfile
curl -s \
  --form-string "token=TOKENID" \
  --form-string "user=USERID" \
  --form-string "message=UNRAID STARTED" \
  --form-string "priority=1" \
  https://api.pushover.net/1/messages.json

 

This means after a reboot I get a Pushover notification on my Android.

The buzzword "UNRAID STARTED" triggers Tasker to close this Pushover Notification and instead show me a new notification with a button "UNLOCK" on it.

This Unlock button will trigger my OpenVPN to access my local network, then it will ssh into my Unraid server with the following command:

 

ssh root@SERVER "pkill emhttpd && echo -n 'YOUR-KEY-HERE' > /root/keyfile && /usr/local/sbin/emhttp"

 

Especially on the last part with the pkill emhttpd I am not sure if this is a clean solution. Probably you have better ideas.

Link to comment

@dweb emhttp is not meant to be restarted AFAIK.

 

You might want to just move the emhttp startup to the very end, while doing a loop waiting for the keyfile before starting emhttp. This is untested and might have a nasty side effect of disabling the unRAID GUI until you've provided the keyfile.

while [ ! -f /root/keyfile ]; do
  sleep 60
done

Maybe the others know the CLI command for stopping and starting the array - so you can restart it instead.

Link to comment
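The side effect mentioned above (no GUI until the key shows up) can be bounded. This is an added example, not code from the thread: a go-file wait with a deadline, after which emhttp is started anyway and the array simply stays stopped until someone supplies the key. The 600-second timeout and the poll interval are assumptions.

```shell
#!/bin/bash
# Added example, not code from this thread: wait for /root/keyfile with a
# deadline so that a missing key delays the array start but does not leave
# the server without its web GUI indefinitely.
# Assumption: the key is delivered by an external step (ssh/scp from a phone
# or a keyserver, as in the posts above); this only decides when emhttp runs.

wait_for_key() {
    # $1 = keyfile path, $2 = max seconds to wait, $3 = poll interval (default 5)
    local keyfile="$1" timeout="$2" interval="${3:-5}" waited=0
    while [ "$waited" -lt "$timeout" ]; do
        # -s: the file must exist AND be non-empty; an empty file would be
        # handed to the array start as a bad key and fail the unlock
        if [ -s "$keyfile" ]; then
            echo "- key present after ${waited}s"
            return 0
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    echo "- no key after ${timeout}s, starting emhttp without it" >&2
    return 1
}

# go file usage (constructed): wait up to 10 minutes, then start the GUI
# either way; the array start itself still needs the key.
# wait_for_key /root/keyfile 600 10
# /usr/local/sbin/emhttp &
```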

I was further searching in the forum and ended up with the following code which my phone sends via ssh:

echo -n 'YOUR_KEY' > /root/keyfile \
&& CSRF=$(grep -oP 'csrf_token="\K[^"]+' /var/local/emhttp/var.ini) \
&& curl -k --data "startState=STOPPED&file=&csrf_token=${CSRF}&cmdStart=Start&luksKey=/root/keyfile" http://localhost/update.htm

First it generates the keyfile, then it reads the csrf token for webui, then it starts the array with the token and the keyfile.

Seems to work so far.

 

Link to comment
On 1/4/2020 at 2:02 AM, dweb said:

 

This forum helped me a lot, so I also wanted to share my "Unlocking" process for Unraid; maybe this is interesting to someone.

Hey, your Tasker script sounds amazing! Any chance of sharing it?

Link to comment
  • 5 weeks later...

Hi,

 

I believe that starting with 6.8, unRAID no longer saves a passphrase to a keyfile. So, does this mean the only way to autostart an encrypted array is to use a keyfile?

 

Assuming there is some way to autostart using a passphrase:

So I have my server at my parents' place since they have Gigabit internet and I don't. I generally use the OpenVPN docker to administer the server, although I do have a Raspberry Pi on their LAN that I connect to via VNC if OpenVPN isn't working properly. I was planning on storing the passphrase on the Raspberry Pi and having the server retrieve it via SMB at start.

 

Is that advisable or should I configure it some other way? Any security concerns/issues to navigate?

Link to comment
On 4/2/2018 at 10:01 AM, bonienl said:

A small variation if you want the key not to be present locally on the system when operational; the key is only needed during startup of the array.

 

In the go file the following is included before starting emhttp.


# auto unlock array
mkdir -p /usr/local/emhttp/webGui/event/starting
mkdir -p /usr/local/emhttp/webGui/event/started
mkdir -p /usr/local/emhttp/webGui/event/stopped
cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/starting
cp -f /boot/custom/bin/delete_key /usr/local/emhttp/webGui/event/started
cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/stopped

# start webGUI
/usr/local/sbin/emhttp &

The above makes use of the built-in event system of unRAID. These events are created:

starting : this event is called before the array is started and is used to fetch the key from a remote source

started : this event is called after the array is fully operational and is used to delete the key locally

stopped : this event is called after the array is stopped and is used to fetch the key again from a remote source

 

The script "fetch_key" can be any method to obtain the key remotely, e.g. using a mount method or an FTP (wget) method as explained in the video of @gridrunner

The script "delete_key" is a simple file to delete the key locally.

 

fetch_key


#!/bin/bash

if [[ ! -e /root/keyfile ]]; then
  mkdir -p /unlock
  mount -t cifs -o user=name,password=password,iocharset=utf8 //192.168.1.99/index /unlock
  cp -f /unlock/somefile.png /root/keyfile
  umount /unlock
  rm -r /unlock
fi

delete_key


#!/bin/bash

rm -f /root/keyfile

You can start and stop the array as usual, and the key will be automatically fetched each time, provided that the remote service is up and running.

 

The files "fetch_key" and "delete_key" need to be stored on your flash device. I've created the folder /custom/bin to hold my custom scripts, but one is free to choose their own source folder, please update the lines in the go file accordingly.

Did something break in the latest Unraid? I had this set up exactly like this, and since the update my array doesn't start automatically. I have to put the keyfile in every time.

I'm running NVIDIA Unraid 6.8.2

Link to comment

I didn't really like being reliant on an externally hosted share or network connectivity, so I chose a different path. The way I solved it was by using a hardware encrypted USB drive. I bought an iStorage Datashur Pro, but there are cheaper drives available on Amazon which offer hardware encryption.

 

Basically, I decrypt the drive, stick it in my system and use bonienl's script to mount and copy the keyfile off of it. As long as the drive is powered, the drive stays decrypted so it survives reboots and remains accessible. When power to the thumb drive is cut off, the drive re-encrypts itself and keeps the keyfile safe.

Link to comment
  • 1 month later...

I'm having trouble getting the automount to work from the @SpaceInvaderOne video. I tested with the same keyfile on the flash drive and it automounts, but when I switch to the:

wget --ftps-implicit --user=user --password='password' ftp://ftp.example.com/keyfile -O /root/keyfile

it doesn't automount at all. It keeps saying wrong encryption key when it isn't. Has anyone figured this out? I'm new to unraid and can't figure out why it's not working.

Link to comment
15 hours ago, jayriavieock said:

I'm having trouble getting the automount to work from the @SpaceInvaderOne video. I tested with the same keyfile on the flashdrive and it automounts but when I switch to the:


wget --ftps-implicit --user=user --password='password' ftp://ftp.example.com/keyfile -O /root/keyfile

it doesn't automount at all. It keeps saying wrong encryption key when it isn't. Has anyone figured this out? I'm new to unraid and can't figure out why it's not working.

I figured out the issue. FileZilla kept uploading it as ASCII file type instead of binary. It kept changing the file size ever so slightly and making the keyfile invalid. Got it working now!

 

So, if uploading via Filezilla, make sure to upload as binary.

Link to comment
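The ASCII-mode corruption above and the earlier permission problems share one fix: check the key that arrived before installing it. This is an added example, not bonienl's fetch_key or anyone else's code from this thread; it assumes that when the keyfile was created its SHA-256 was also saved on the flash drive (the /boot/custom/bin/keyfile.sha256 path and the /root/keyfile.tmp download path are constructed).

```shell
#!/bin/bash
# Added example, not code from this thread: a fetch_key step that verifies the
# key pulled from the remote share/FTP before installing it as /root/keyfile,
# instead of trusting whatever bytes arrived.
# Assumption: at key-creation time you ran
#   sha256sum /root/keyfile > /boot/custom/bin/keyfile.sha256   (constructed path)

verify_key() {
    # $1 = fetched candidate, $2 = expected SHA-256 hex digest
    local candidate="$1" expected="$2" actual
    if [ ! -s "$candidate" ]; then
        echo "- keyfile missing or empty" >&2
        return 1
    fi
    actual=$(sha256sum "$candidate" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        # A single extra byte (e.g. an FTP client in ASCII mode) ends up here
        # rather than as "wrong encryption key" at array start.
        echo "- keyfile digest mismatch: $actual" >&2
        return 1
    fi
    return 0
}

install_key() {
    # Copy the verified key into place with owner-only permissions; the
    # thread's plain cp -f keeps whatever mode the source file had.
    local candidate="$1" dest="$2"
    install -m 600 "$candidate" "$dest"
}

fetch_key_verified() {
    # $1 = file the SMB/FTP step already downloaded (wget -O or cp from the
    # mounted share, as in the thread), $2 = stored digest file, $3 = target
    local fetched="$1" digest_file="$2" dest="$3" expected
    expected=$(cut -d' ' -f1 < "$digest_file")
    if verify_key "$fetched" "$expected"; then
        install_key "$fetched" "$dest"
        rm -f "$fetched"
        return 0
    fi
    rm -f "$fetched"      # never leave a rejected key lying around
    return 1
}

# In the starting/stopped event script, after the existing download step:
# fetch_key_verified /root/keyfile.tmp /boot/custom/bin/keyfile.sha256 /root/keyfile
```

If the check fails the array start is skipped rather than attempted with a corrupted key, and the stderr message tells you which side (transfer or stored digest) to look at.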
  • 2 weeks later...
Just now, teh0wner said:

How would one go on about auto-unlocking from a remote source if encryption was set-up with a passphrase?

If you set up the Wireguard VPN that is now built into Unraid that would allow you to securely remotely access the Unraid server (and thus its GUI to start the array) even without the array started.

Link to comment
59 minutes ago, itimpi said:

If you set up the Wireguard VPN that is now built into Unraid that would allow you to securely remotely access the Unraid server (and thus its GUI to start the array) even without the array started.


It's more a question of what if I'm unavailable to enter the passphrase, than not being able to. People reliant on the server would have to wait for me to enter the passphrase, whereas I would prefer to automate this process with FTP or similar. Only downside is I don't have a keyfile to follow the tutorials. Unless it's just a matter of echo "passphrase" > keyfile ?

Edit: Indeed, that's the way.

Link to comment
On 2/15/2020 at 12:08 PM, bonienl said:

You need to add these commands to the 'go' script after the 'cp' commands in the "auto unlock array" section.

 

I'm having some issues with the permissions as well.

Even adding the chmod in go, it doesn't seem to apply on boot.

 

root@XXX-XXXX:/usr/local/emhttp/webGui/event/starting# ls -ltra
total 4
drwxr-xr-x 9 root root 180 May  3 10:54 ../
-rw------- 1 root root 164 May  3 10:54 fetch_key
drwxrwxrwx 2 root root  60 May  3 10:54 ./

 

And my go looks like this
 

root@XXX-XXX:/boot/config# cat go
#!/bin/bash
# auto unlock array
mkdir -p /usr/local/emhttp/webGui/event/starting
mkdir -p /usr/local/emhttp/webGui/event/started
mkdir -p /usr/local/emhttp/webGui/event/stopped
cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/starting
cp -f /boot/custom/bin/delete_key /usr/local/emhttp/webGui/event/started
cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/stopped
chmod a+x /usr/local/emhttpd/webGui/event/starting/fetch_key
chmod a+x /usr/local/emhttpd/webGui/event/started/delete_key
chmod a+x /usr/local/emhttpd/webGui/event/stopped/fetch_key
# Start the Management Utility
/usr/local/sbin/emhttp &

The actual fetch_key and delete_key scripts work fine, as when I chmod them manually and run, they work.

Link to comment
  • 3 months later...

Hi,

 

I just updated my server to > 6.8 and "fell" into the permissions issue with my go file using a "fetch_key" and "delete_key" as described in this thread. I just wanted to summarize what I found to be working now.

According to this post, all we have to do is add another copy and a chmod.

 

So now the section in my "go file" for the "fetch_key" looks like this:

mkdir -p /usr/local/emhttp/webGui/event/starting
mkdir -p /usr/local/emhttp/webGui/event/started
mkdir -p /usr/local/emhttp/webGui/event/stopped

cp -f /boot/custom/bin/fetch_key /tmp
cp -f /boot/custom/bin/delete_key /tmp
chmod a+x /tmp/fetch_key
chmod a+x /tmp/delete_key

cp -f /tmp/fetch_key /usr/local/emhttp/webGui/event/starting
cp -f /tmp/delete_key /usr/local/emhttp/webGui/event/started
cp -f /tmp/fetch_key /usr/local/emhttp/webGui/event/stopped

The "fetch_key" and "delete_key" files needed no changes on my setup.

Link to comment
  • 2 months later...
On 7/13/2019 at 2:14 PM, beckp said:

I thought I'd share how you can enhance the go file by reducing the six lines to a single command, and it's not by using another script. You can create a tarball that contains the fetch_key and delete_key scripts. The go file calls the tar command. The tarball files are extracted and the event directories are created.

 

You MUST have a fully functioning auto-start that unlocks using the event directories. This works with FTP or SMB fetch_key scripts.

I used the tarball method shared by beckp and it works in 6.9.0 beta 35. Simply one line in the go file and one tarball stored on the flash drive, and now my unRAID dynamically pulls the encryption key off of a local server when needed.

Link to comment

hasown - Glad you like it. It even solves the permission issue before it became an issue. Sure makes the go file clean. It's been over a year and it appears only you have tried it.  I "obfuscated" the fetch_key script. The IP address, user name, share name and key file name are obscured. Sure it can be hacked, but it's better than plain text.  If anyone is interested I'll share it.  As stated earlier in this topic, I've got a headless Raspberry Pi Zero W operating as my server. 

Link to comment

JPs - 

On 8/11/2020 at 7:20 AM, JP s said:

Is there a way I can store the keyfile on a USB stick, then when Unraid boots up it would see that other USB stick that is plugged in to the server and auto-load the keyfile?

 

Like, would I just edit the "GO file"? If so, how would I do that so it would work? Thanks

 

 

Take a look at this post...

https://forums.unraid.net/topic/61408-where-does-disk-encryption-stand/?do=findComment&comment=637835

Link to comment
